xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a (1) DHCP or (2) XDMCP message.

X11 6.6.2_x86: xrdb patch.
Date this patch was last updated by Sun : Jun/14/11

X11 6.6.2: xrdb patch.
Date this patch was last updated by Sun : Jun/14/11

The remote host is affected by the vulnerability described in GLSA-201412-09 (Multiple packages, Multiple vulnerabilities fixed in 2011)

    Vulnerabilities have been discovered in the packages listed below.
      Please review the CVE identifiers in the Reference section for details.
      FMOD Studio       PEAR Mail       LVM2       GnuCash       xine-lib       Last.fm Scrobbler       WebKitGTK+       shadow tool suite       PEAR       unixODBC       Resource Agents       mrouted       rsync       XML Security Library       xrdb       Vino       OProfile       syslog-ng       sFlow Toolkit       GNOME Display Manager       libsoup       CA Certificates       Gitolite       QtCreator       Racer   Impact :

    A context-dependent attacker may be able to gain escalated privileges,       execute arbitrary code, cause Denial of Service, obtain sensitive       information, or otherwise bypass security restrictions.
  Workaround :

    There are no known workarounds at this time.

Remote attackers could execute arbitrary commands as root by assigning specially crafted hostnames to X11 clients via XDMCP (CVE-2011-0465).

From Red Hat Security Advisory 2011:0433 :

An updated xorg-x11-server-utils package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The xorg-x11-server-utils package contains a collection of utilities used to modify and query the runtime configuration of the X.Org server. X.Org is an open source implementation of the X Window System.

A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465)

Red Hat would like to thank Matthieu Herrb for reporting this issue.
Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.

Users of xorg-x11-server-utils should upgrade to this updated package, which contains a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect.

From Red Hat Security Advisory 2011:0432 :

Updated xorg-x11 packages that fix one security issue are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465)

Red Hat would like to thank Matthieu Herrb for reporting this issue.
Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.

Users of xorg-x11 should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect.

A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465)

All running X.Org server instances must be restarted for this update to take effect.

Remote attackers could execute arbitrary commands as root by assigning specially crafted hostnames to X11 clients via XDMCP. (CVE-2011-0465)

A vulnerability has been found and corrected in xrdb :

xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a (1) DHCP or (2) XDMCP message (CVE-2011-0465).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149 products_id=490

The updated packages have been patched to correct this issue.

Updated xorg-x11 packages that fix one security issue are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465)

Red Hat would like to thank Matthieu Herrb for reporting this issue.
Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.

Users of xorg-x11 should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect.

Matthias Hopf reports :

By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb.

These specially crafted hostnames can occur in two environments :

Systems are affected are: systems set their hostname via DHCP, and the used DHCP client allows setting of hostnames with illegal characters.
And systems that allow remote logins via xdmcp.

Fixes CVE-2011-0465 root hole via rogue hostname (xrdb)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated xorg-x11-server-utils package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The xorg-x11-server-utils package contains a collection of utilities used to modify and query the runtime configuration of the X.Org server. X.Org is an open source implementation of the X Window System.

A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465)

Red Hat would like to thank Matthieu Herrb for reporting this issue.
Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.

Users of xorg-x11-server-utils should upgrade to this updated package, which contains a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect.

The following bug has been fixed :

  - Remote attackers could execute arbitrary commands as     root by assigning specially crafted hostnames to X11     clients via XDMCP. (CVE-2011-0465)

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2011:0432 advisory.

  - xorg: xrdb code execution via crafted X client hostname (CVE-2011-0465)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New xrdb packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.

Sebastian Krahmer discovered that the xrdb utility of x11-xserver-utils, a X server resource database utility, is not properly filtering crafted hostnames. This allows a remote attacker to execute arbitrary code with root privileges given that either remote logins via xdmcp are allowed or the attacker is able to place a rogue DHCP server into the victims network.

Sebastian Krahmer discovered that the xrdb utility incorrectly filtered crafted hostnames. An attacker could use this flaw with a malicious DHCP server or with a remote xdmcp login and execute arbitrary code, resulting in root privilege escalation.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
108097	Solaris 10 (x86) : 147228-01	Nessus	Solaris Local Security Checks	high
107605	Solaris 10 (sparc) : 147227-01	Nessus	Solaris Local Security Checks	high
79962	GLSA-201412-09 : Multiple packages, Multiple vulnerabilities fixed in 2011	Nessus	Gentoo Local Security Checks	critical
76050	openSUSE Security Update : xorg-x11 (openSUSE-SU-2011:0298-1)	Nessus	SuSE Local Security Checks	high
75778	openSUSE Security Update : xorg-x11 (openSUSE-SU-2011:0298-1)	Nessus	SuSE Local Security Checks	high
68254	Oracle Linux 5 / 6 : xorg-x11-server-utils (ELSA-2011-0433)	Nessus	Oracle Linux Local Security Checks	high
68253	Oracle Linux 4 : xorg-x11 (ELSA-2011-0432)	Nessus	Oracle Linux Local Security Checks	high
61016	Scientific Linux Security Update : xorg-x11-server-utils on SL5.x, SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
61015	Scientific Linux Security Update : xorg-x11 on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
57268	SuSE 10 Security Update : X11 (ZYPP Patch Number 7416)	Nessus	SuSE Local Security Checks	high
53810	openSUSE Security Update : xorg-x11 (openSUSE-SU-2011:0298-1)	Nessus	SuSE Local Security Checks	high
53524	Mandriva Linux Security Advisory : xrdb (MDVSA-2011:076)	Nessus	Mandriva Local Security Checks	high
53494	CentOS 4 : xorg-x11 (CESA-2011:0432)	Nessus	CentOS Local Security Checks	high
53439	FreeBSD : xrdb -- root hole via rogue hostname (2eccb24f-61c0-11e0-b199-0015f2db7bde)	Nessus	FreeBSD Local Security Checks	high
53438	Fedora 14 : xorg-x11-server-utils-7.5-5.fc14 (2011-4871)	Nessus	Fedora Local Security Checks	high
53433	CentOS 5 : xorg-x11-server-utils (CESA-2011:0433)	Nessus	CentOS Local Security Checks	high
53404	SuSE 10 Security Update : X11 (ZYPP Patch Number 7417)	Nessus	SuSE Local Security Checks	high
53401	SuSE9 Security Update : XFree86 (YOU Patch Number 12700)	Nessus	SuSE Local Security Checks	high
53371	RHEL 5 / 6 : xorg-x11-server-utils (RHSA-2011:0433)	Nessus	Red Hat Local Security Checks	high
53370	RHEL 4 : xorg-x11 (RHSA-2011:0432)	Nessus	Red Hat Local Security Checks	critical
53361	Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : xrdb (SSA:2011-096-01)	Nessus	Slackware Local Security Checks	high
53340	Debian DSA-2213-1 : x11-xserver-utils - missing input sanitization	Nessus	Debian Local Security Checks	high
53321	Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : x11-xserver-utils vulnerability (USN-1107-1)	Nessus	Ubuntu Local Security Checks	high
53316	SuSE 11.1 Security Update : X11 (SAT Patch Number 4199)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2011-0465

critical

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

critical

high

high

high

high