Signature Detail

XDMCP: dtlogin Double Free Exploit

This signature detects XDMCP request packets with an invalid type set, which can indicate an unknown protocol extension or an exploit attempt. Attackers can send an XDMCP request packet that contains an invalid type to crash dtlogin and generate double-free vulnerability.

Extended Description

It has been reported that a double free vulnerability exists in the dtlogin process of CDE. This issue presents itself due to the free() function being called on the same allocated chunk of memory more than once. This problem occurs prior to any authorization. Successful exploitation of this issue could lead to the corruption of an arbitrary location in memory, ultimately allowing for the attacker to control the execution flow of the affected process.

Affected Products

• Avaya CMS Server 11.0.0
• Avaya CMS Server 8.0.0
• Avaya CMS Server 9.0.0
• Avaya Interactive Response
• HP HP-UX 11.0.0
• HP HP-UX 11.0.0 4
• HP HP-UX 11.11.0
• HP HP-UX 11.22.0
• HP HP-UX 11.23.0
• IBM AIX 4.3.3
• IBM AIX 5.1
• IBM AIX 5.2
• Open Group CDE Common Desktop Environment 1.0.1
• Open Group CDE Common Desktop Environment 1.0.2
• Open Group CDE Common Desktop Environment 1.1.0
• Open Group CDE Common Desktop Environment 1.2.0
• Open Group CDE Common Desktop Environment 2.0.0
• Open Group CDE Common Desktop Environment 2.1.0
• Open Group CDE Common Desktop Environment 2.1.0 20
• SCO Unixware 7.1.1
• SCO Unixware 7.1.3
• SCO Unixware 7.1.4
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86
• Xi Graphics DeXtop 2.1.0
• Xi Graphics DeXtop 3.0.0

References

• BugTraq: 9958
• CVE: CVE-2004-0368
• URL: http://www.kb.cert.org/vuls/id/179804