{"vuid":"VU#312313","idnumber":"312313","name":"Solaris X Window Font Service (XFS) daemon contains buffer overflow in Dispatch() function","keywords":["Solaris","X Window Font Service","XFS","buffer overflow","fs.auto","Dispatch() function"],"overview":"A remotely exploitable buffer overflow has been discovered in the Solaris X Window Font Service (XFS) daemon (fs.auto).","clean_desc":"ISS X-Force released an Advisory today regarding a remotely exploitable buffer overflow in XFS. According to ISS, XFS is installed and running by default on the following operating systems and architectures: Sun Microsystems Solaris 2.5.1 (Sparc/Intel)\nSun Microsystems Solaris 2.6 (Sparc/Intel)\nSun Microsystems Solaris 7 (Sparc/Intel)\nSun Microsystems Solaris 8 (Sparc/Intel)\nSun Microsystems Solaris 9 (Sparc)\nSun Microsystems Solaris 9 Update 2 (Intel)\nAccording to the ISS Advisory, the buffer overflow exists in the fs.auto Dispatch() function. Because this function accepts user supplied data, an attacker can send overly large XFS queries to the XFS service and either cause it to crash or execute arbitrary code with the same privileges as the XFS service (typically nobody).","impact":"A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.","resolution":"Apply a vendor patch when it becomes available.","workarounds":"Ingress Filtering - It may be possible to limit the scope of this vulnerability by applying ingress filtering (blocking access to TCP port 7100 at your network perimeter). Note: You should carefully consider the impact of blocking services that you may be using. Disable XFS Service - To disable the XFS Service, comment out the following line in /etc/inetd.conf (remember to restart inetd after making this change) fs              stream  tcp     wait nobody /usr/openwin/lib/fs.auto    fs","sysaffected":"","thanks":"ISS X-Force discovered this vulnerability.","author":"This document was written by Ian A Finlay.","public":["http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541","http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view"],"cveids":["CVE-2002-1317"],"certadvisory":"CA-2002-34","uscerttechnicalalert":null,"datecreated":"2002-11-25T17:27:19Z","publicdate":"2002-11-25T00:00:00Z","datefirstpublished":"2002-11-25T21:36:30Z","dateupdated":"2003-05-30T17:09:32Z","revision":13,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"28.125","cam_scorecurrentwidelyknown":"33.75","cam_scorecurrentwidelyknownexploited":"56.25","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":28.125,"vulnote":null}