Vulnerabilities > CVE-2000-0491 - Buffer Overflow vulnerability in GNOME gdm XDMCP

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request.

Vulnerable Configurations

Part Description Count
Application
Gnome
1
OS
Caldera
1
OS
Suse
2

Exploit-Db

  • description: gdm 1.0.x/2.0.x BETA/2.2.0 XDMCP Buffer Overflow Vulnerability (1). CVE-2000-0491. Remote exploit for Linux platform
    id: EDB-ID:19947
    last seen: 2016-02-02
    modified: 2000-05-22
    published: 2000-05-22
    reporter: Chris Evans
    source: https://www.exploit-db.com/download/19947/
    title: gdm 1.0.x/2.0.x BETA/2.2.0 - XDMCP Buffer Overflow Vulnerability 1
  • description: gdm 1.0.x/2.0.x BETA/2.2.0 XDMCP Buffer Overflow Vulnerability (2). CVE-2000-0491. Remote exploit for Linux platform
    id: EDB-ID:19948
    last seen: 2016-02-02
    modified: 2000-05-22
    published: 2000-05-22
    reporter: AbraxaS
    source: https://www.exploit-db.com/download/19948/
    title: gdm 1.0.x/2.0.x BETA/2.2.0 - XDMCP Buffer Overflow Vulnerability 2

Nessus

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2001-070.NASL
description: A buffer overrun exists in the XDMCP handling code used in gdm. By sending a properly crafted XDMCP message, it is possible for a remote attacker to execute arbitrary commands as root on the susceptible machine. By default, XDMCP is disabled in gdm.conf on Mandrake Linux.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 13885
published: 2004-07-31
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13885
title: Mandrake Linux Security Advisory : gdm (MDKSA-2001:070)
code
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2001:070. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  # Registration pass: when the engine loads the plugin with `description`
  # set, only the metadata below is recorded and the script exits (exit(0)
  # at the end of this block) without running any check.
  script_id(13885);
  script_version ("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  # Cross-references for the flaw this plugin covers.
  script_cve_id("CVE-2000-0491");
  script_bugtraq_id(1233);
  script_xref(name:"MDKSA", value:"2001:070");

  script_name(english:"Mandrake Linux Security Advisory : gdm (MDKSA-2001:070)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Mandrake Linux host is missing a security update."
  );
  # Advisory text. Note the mismatch a reader should keep in mind: the text
  # describes a remote root compromise over XDMCP, but this plugin is a
  # local package-version check (plugin_type "local" below) and does not
  # verify whether XDMCP is actually enabled on the host.
  script_set_attribute(
    attribute:"description", 
    value:
"A buffer overrun exists in the XDMCP handling code used in gdm. By
sending a properly crafted XDMCP message, it is possible for a remote
attacker to execute arbitrary commands as root on the susceptible
machine. By default, XDMCP is disabled in gdm.conf on Mandrake Linux."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected gdm package.");
  # CVSS2 base vector: network, low complexity, no authentication,
  # complete confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS2 temporal vector: proof-of-concept exploit, official fix, confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Local (authenticated) check; the CPE entries scope it to the gdm
  # package on Mandrake Linux 8.0.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gdm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2001/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # The package inventory is gathered over SSH by ssh_get_info.nasl; the
  # KB keys below must all be present for the detection pass to run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


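# Detection pass: bail out with an audit() reason unless a local package
# inventory for a Mandrake/Mandriva host is available in the KB.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# Fixed the misspelled distribution name ("Mandake") in the audit message so
# it matches the wording used by the architecture check below.
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The fixed package reference below is an i386 build, so the check is only
# implemented for x86-class architectures.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Package-version comparison only: the host is flagged when its installed
# gdm rpm is presumably older than the advisory's fixed build. This does not
# check whether XDMCP is enabled (the advisory notes it is disabled by
# default), so a finding means "unpatched", not "reachable over XDMCP".
flag = 0;
if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"gdm-2.2.3.2-2.1mdk", yank:"mdk")) flag++;

if (flag)
{
  # At higher verbosity, attach the rpm comparison that produced the finding.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");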