SecurityTracker.com
Category:   Application (Generic)  >   X
Vendors:   X.org
(Oracle Issues Fix for Solaris) X xrdb Input Validation Flaw in Processing Hostname Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1028730
SecurityTracker URL:  http://securitytracker.com/id/1028730
CVE Reference:   CVE-2011-0465
Date:  Jul 3 2013
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): X11R7.6 (xrdb prior to 1.0.9)
Description:   A vulnerability was reported in X. A remote user can execute arbitrary commands on the target system.

A remote user can send specially crafted hostname values (containing shell escape characters) to the target system to execute arbitrary commands on the target system with root privileges when a display manager reads in the resource database via xrdb.

Systems that set their hostname via DHCP are affected (if the DHCP client permits hostnames with illegal characters).

Systems that allow remote logins via XDMCP are affected.

Sebastian Krahmer from the SUSE security team reported this vulnerability.

Impact:   A remote user can execute arbitrary commands with root privileges on the target system.
Solution:   Oracle has issued a fix for Solaris.

The Oracle advisory is available at:

https://blogs.oracle.com/sunsecurity/entry/cve_2011_0465_improper_input

Vendor URL:  x.org/
Cause:   Input validation error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  9, 10

Message History:   This archive entry is a follow-up to the message listed below.
Apr 12 2011 X xrdb Input Validation Flaw in Processing Hostname Lets Remote Users Execute Arbitrary Commands

Copyright 2019, SecurityGlobal.net LLC