Signature Detail

XDMCP: dtlogin Double Free Exploit

This signature detects XDMCP request packets with an invalid type set, which can indicate an unknown protocol extension or an exploit attempt. Attackers can send an XDMCP request packet that contains an invalid type to crash dtlogin and generate double-free vulnerability.

Extended Description

It has been reported that a double free vulnerability exists in the dtlogin process of CDE. This issue presents itself due to the free() function being called on the same allocated chunk of memory more than once. This problem occurs prior to any authorization. Successful exploitation of this issue could lead to the corruption of an arbitrary location in memory, ultimately allowing for the attacker to control the execution flow of the affected process.

Affected Products

• Avaya cms_server 11.0.0
• Avaya cms_server 8.0.0
• Avaya cms_server 9.0.0
• Avaya interactive_response
• Hp hp-ux 11.0.0
• Hp hp-ux 11.0.0 4
• Hp hp-ux 11.11.0
• Hp hp-ux 11.22.0
• Hp hp-ux 11.23.0
• Ibm aix 4.3.3
• Ibm aix 5.1
• Ibm aix 5.2
• Open_group cde_common_desktop_environment 1.0.1
• Open_group cde_common_desktop_environment 1.0.2
• Open_group cde_common_desktop_environment 1.1.0
• Open_group cde_common_desktop_environment 1.2.0
• Open_group cde_common_desktop_environment 2.0.0
• Open_group cde_common_desktop_environment 2.1.0
• Open_group cde_common_desktop_environment 2.1.0 20
• Sco unixware 7.1.1
• Sco unixware 7.1.3
• Sco unixware 7.1.4
• Sun solaris 7.0
• Sun solaris 7.0_x86
• Sun solaris 8 Sparc
• Sun solaris 8 X86
• Sun solaris 9 Sparc
• Sun solaris 9 X86
• Xi_graphics dextop 2.1.0
• Xi_graphics dextop 3.0.0

References

• BugTraq: 9958
• CVE: CVE-2004-0368
• URL: http://www.kb.cert.org/vuls/id/179804