Bug#814989: gdm3 remote crashable if xdmcp enabled (denial of service)

Erik Thiele erik.thiele at thiele-hydraulik.de
Wed Feb 17 11:47:53 UTC 2016


Package: gdm3
Version: 3.4.1-8


Architecture i386.

Have this in daemon.conf:
[xdmcp]
Enable=True


Now, on a remote machine somewhere in the network, run:
Xephyr :10 -query HOST_WITH_GDM3_RUNNING -terminate -nolisten tcp

Now on HOST_WITH_GDM3_RUNNING you see this in syslog:
(Of course there are errors because it cannot connect due to -nolisten tcp, but it should not crash:)

Feb 17 11:55:05 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:05 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:06 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:06 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:07 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:07 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:07 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:07 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:08 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:08 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:08 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:08 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:09 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:09 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:09 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:09 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:09 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display after 10 tries - bailing out
Feb 17 11:55:10 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:10 goofy gdm3[3503]: WARNING: GdmXdmcpDisplayFactory: Failed to look up session ID 11760611
Feb 17 11:55:10 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:11 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:11 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:11 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:11 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:11 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display after 10 tries - bailing out
Feb 17 11:55:12 goofy gdm[5494]: ******************* START **********************************
Feb 17 11:55:12 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:12 goofy gdm[5494]: [Thread debugging using libthread_db enabled]
Feb 17 11:55:12 goofy gdm[5494]: Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
Feb 17 11:55:12 goofy gdm[5494]: [New Thread 0xb6da7b70 (LWP 3640)]
Feb 17 11:55:12 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:13 goofy gdm[5494]: 0xb773a428 in __kernel_vsyscall ()
Feb 17 11:55:13 goofy gdm[5494]: #0  0xb773a428 in __kernel_vsyscall ()
Feb 17 11:55:13 goofy gdm[5494]: #1  0xb722e21b in waitpid () at ../sysdeps/unix/syscall-template.S:82
Feb 17 11:55:13 goofy gdm[5494]: #2  0x08061402 in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: #3  0x08061809 in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: #4  <signal handler called>
Feb 17 11:55:13 goofy gdm[5494]: #5  0x08055d1a in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: #6  0xb72cc1f2 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: #7  0xb72ce6d3 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: #8  0xb72cea70 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: #9  0xb72ceecb in g_main_loop_run () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: #10 0x0804d45f in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: #11 0xb70cee46 in __libc_start_main (main=0x804cdd0, argc=1, ubp_av=0xbfadfaf4, init=0x8062ad0, fini=0x8062ac0, rtld_fini=0xb7749560, stack_end=0xbfadfaec) at libc-start.c:244
Feb 17 11:55:13 goofy gdm[5494]: #12 0x0804d7c1 in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]: Thread 2 (Thread 0xb6da7b70 (LWP 3640)):
Feb 17 11:55:13 goofy gdm[5494]: #0  0xb773a428 in __kernel_vsyscall ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #1  0xb71841c6 in *__GI___poll (fds=0xb721bff4, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
Feb 17 11:55:13 goofy gdm[5494]:         resultvar = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]:         result = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]: #2  0xb72dd13b in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #3  0xb72ce9f0 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #4  0xb72ceb51 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #5  0xb72cebbe in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #6  0xb72f2eb3 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #7  0xb7225c39 in start_thread (arg=0xb6da7b70) at pthread_create.c:304
Feb 17 11:55:13 goofy gdm[5494]:         __res = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]:         __ignore1 = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]:         __ignore2 = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]:         pd = 0xb6da7b70
Feb 17 11:55:13 goofy gdm[5494]:         now = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]:         not_first_call = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]:         freesize = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]: #8  0xb7191bae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
Feb 17 11:55:13 goofy gdm[5494]: No locals.
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]: Thread 1 (Thread 0xb6fa2720 (LWP 3503)):
Feb 17 11:55:13 goofy gdm[5494]: #0  0xb773a428 in __kernel_vsyscall ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #1  0xb722e21b in waitpid () at ../sysdeps/unix/syscall-template.S:82
Feb 17 11:55:13 goofy gdm[5494]: No locals.
Feb 17 11:55:13 goofy gdm[5494]: #2  0x08061402 in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #3  0x08061809 in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #4  <signal handler called>
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #5  0x08055d1a in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #6  0xb72cc1f2 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #7  0xb72ce6d3 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #8  0xb72cea70 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #9  0xb72ceecb in g_main_loop_run () from /lib/i386-linux-gnu/libglib-2.0.so.0
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #10 0x0804d45f in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: #11 0xb70cee46 in __libc_start_main (main=0x804cdd0, argc=1, ubp_av=0xbfadfaf4, init=0x8062ad0, fini=0x8062ac0, rtld_fini=0xb7749560, stack_end=0xbfadfaec) at libc-start.c:244
Feb 17 11:55:13 goofy gdm[5494]:         result = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]:         not_first_call = <optimized out>
Feb 17 11:55:13 goofy gdm[5494]: #12 0x0804d7c1 in ?? ()
Feb 17 11:55:13 goofy gdm[5494]: No symbol table info available.
Feb 17 11:55:13 goofy gdm[5494]: A debugging session is active.
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]: #011Inferior 1 [process 3503] will be detached.
Feb 17 11:55:13 goofy gdm[5494]: 
Feb 17 11:55:13 goofy gdm[5494]: Quit anyway? (y or n) [answered Y; input not from terminal]
Feb 17 11:55:13 goofy gdm[5494]: ******************* END **********************************
Feb 17 11:55:13 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:13 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:14 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:14 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:15 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:15 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display 127.0.0.1:10
Feb 17 11:55:15 goofy gdm-simple-slave[5493]: WARNING: Unable to connect to display after 10 tries - bailing out


Now gdm3 has crashed and no more logins are possible -> denial of service.


-- 
Erik
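
A detection sketch for the log sequence in the report above, added here as an example and not part of the original message: it flags a gdm crash dump that follows XDMCP display failures on the same host. The 30-second window, the assumed year and the function name are illustrative assumptions; the sample lines are excerpted from the report's syslog, plus one constructed Feb 18 line.

```python
import re
from datetime import datetime, timedelta

# Sample in the report's syslog format; the Feb 18 line is constructed.
SAMPLE = """\
Feb 17 11:55:09 goofy gdm-simple-slave[5491]: WARNING: Unable to connect to display after 10 tries - bailing out
Feb 17 11:55:10 goofy gdm3[3503]: WARNING: GdmXdmcpDisplayFactory: Failed to look up session ID 11760611
Feb 17 11:55:11 goofy gdm-simple-slave[5492]: WARNING: Unable to connect to display after 10 tries - bailing out
Feb 17 11:55:12 goofy gdm[5494]: ******************* START **********************************
Feb 17 11:55:13 goofy gdm[5494]: #4  <signal handler called>
Feb 17 11:55:13 goofy gdm[5494]: ******************* END **********************************
Feb 18 09:00:00 goofy gdm-simple-slave[6001]: WARNING: Unable to connect to display 127.0.0.1:10
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
BAIL = "Unable to connect to display after"   # slave gave up on the display
XDMCP = "GdmXdmcpDisplayFactory"              # XDMCP session bookkeeping warning
START = re.compile(r"^\*{5,} START \*{5,}$")  # first line of the crash dump


def find_crashes(text, window_s=30, year=2016):
    """Return (host, crash_time, n_failures) for each gdm crash dump that
    follows XDMCP display failures on the same host within window_s seconds."""
    recent = {}  # host -> timestamps of XDMCP-related failures
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog line in the expected format
        ts, host, prog, _pid, msg = m.groups()
        # Classic syslog timestamps carry no year, so one is assumed.
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if (prog == "gdm-simple-slave" and BAIL in msg) or XDMCP in msg:
            recent.setdefault(host, []).append(when)
        elif prog == "gdm" and START.match(msg.strip()):
            cutoff = when - timedelta(seconds=window_s)
            n = sum(1 for t in recent.get(host, []) if cutoff <= t <= when)
            if n:  # a crash dump with no preceding failures is not reported
                hits.append((host, when.isoformat(), n))
    return hits


if __name__ == "__main__":
    for host, when, n in find_crashes(SAMPLE):
        print(f"{host}: gdm crash dump at {when} after {n} XDMCP failure(s)")
```
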


