    Example: UNIX CDE/dtlogin Vulnerability

    In this example, your network includes several user workstations and servers running UNIX. Many UNIX operating systems use the Common Desktop Environment (CDE) as a graphical user interface. Your security administrator notifies you of a new vulnerability in the dtlogin process for CDE (dtlogin handles the graphical login to CDE).

    The CERT advisory for the vulnerability contains the following information:

    ...The dtlogin program contains a "double-free" vulnerability that can be triggered 
    by a specially crafted X Display Manager Control Protocol (XDMCP) packet... Block XDMCP 
    traffic (177/udp) from untrusted networks such as the Internet... 

    From this information, you know that the attack uses an XDMCP protocol packet and runs on UDP/177. Now you must locate the attack code. The advisory also includes references that link to more information about the attack. One reference indicates that the person who first reported the attack has also written a script that replicates the attack. Obtain the script and move it to the attacker computer in your test lab.

    To develop this attack object:

    1. Reproduce the attack to determine the attack context, direction, and pattern. Ideally, use scio ccap and Wireshark concurrently so you have to run the attack only once. Figure 1 shows the packet capture in Wireshark.

      Figure 1: XDMCP Packet Capture (image g036667.gif)
    2. Discover the elements of the attack signature:

      • Service. You know from the CERT advisory that the attack uses the XDMCP protocol. Review the packet capture in Wireshark to confirm the protocol.
      • Context. Use scio ccap to determine whether you can match a particular service context. In this example, the XDMCP service contexts are not supported by the IDP system, and the output of scio ccap is blank. You must specify the packet context for the attack.
      • Pattern. Using your knowledge of the XDMCP protocol, you identify that the attack uses a non-NUL character (hexadecimal code 00 1b) to specify the connection type, which is invalid (the NUL character represents the Internet connection type in XDMCP). To anchor the non-NUL character in a signature pattern, include some of the preceding bytes as part of the pattern. For this example, you choose to anchor the non-NUL character with the version number (hexadecimal code 00 01) and the request options code (hexadecimal code 00 07). The full attack pattern is 00 01 00 07 followed by five characters of any type, followed by a sixth character and either a non-NUL character (as shown above with 00 1b) or a non-NUL character and another character.
      • Direction. Locate the source IP that initiated the session. In this example, you cannot determine the attack direction.
    3. Create an attack object to match the attack signature. Use the following regular expression to match the signature:
      \x00 01 00 07\x.....(.[^\000]|[^\000].).*

      Figure 2 shows the Custom Attack – Attack Pattern page for this example.

      Figure 2: XDMCP Attack Pattern (image g036666.gif)

      In this expression:

      • The \x expression indicates a hexadecimal value.
      • The numbers 00 01 00 07 in the XDMCP protocol represent the version number (hexadecimal code 00 01) and the request options code (hexadecimal code 00 07).
      • The five periods (.....) indicate five characters of any kind.
      • The parentheses ( ) indicate a group of items, and the pipe character (|) indicates OR. These characters are often used together to indicate that an attack must include one item from the group.
      • The opening and closing brackets combined with a caret ([^ ]) indicate negation.
      • The backslash combined with a zero (\0) indicates an octal code number.
      • The 00 characters are hexadecimal code for a NUL character. In this example, the attack must contain a non-NUL character, either preceded by another character (.[^\000]) or followed by one ([^\000].).
      • The dot star combination (.*) indicates a wildcard match. When used at the end of an expression, the wildcard indicates that anything can follow the specified expression.
    4. Test the attack object.
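    As an added example (not code from the Juniper guide or from the IDP product), the attack pattern above translated into a Python bytes regex and run against two constructed XDMCP Request datagrams, one offering the Internet connection type and one carrying the invalid 00 1b type from the capture. The packet builder, the field layout it assumes after the header, and the function names are assumptions for this illustration.

```python
import re
import struct

# The IDP pattern \x00 01 00 07\x.....(.[^\000]|[^\000].).* as a bytes regex:
# literal bytes 00 01 00 07, five bytes of any value, then a two-byte field in
# which at least one byte is non-NUL. re.DOTALL lets "." match 0x0a as well,
# which a raw-packet matcher must do.
DTLOGIN_XDMCP_SIGNATURE = re.compile(
    rb"\x00\x01\x00\x07.{5}(?:.[^\x00]|[^\x00].).*", re.DOTALL
)

XDMCP_VERSION = 1
XDMCP_OPCODE_REQUEST = 7
XDMCP_PORT = 177  # UDP port named in the advisory


def build_xdmcp_request(display_number, connection_types):
    """Constructed sample data: a minimal XDMCP Request. Assumed layout:
    version, opcode, length, then display number, a one-byte count and the
    2-byte connection types (the trailing Request fields are omitted)."""
    body = struct.pack("!HB", display_number, len(connection_types))
    body += b"".join(struct.pack("!H", t) for t in connection_types)
    header = struct.pack("!HHH", XDMCP_VERSION, XDMCP_OPCODE_REQUEST, len(body))
    return header + body


def matches_signature(payload):
    """True if the raw UDP payload matches the attack-object pattern."""
    return DTLOGIN_XDMCP_SIGNATURE.search(payload) is not None


def inspect_xdmcp_datagram(dst_port, payload):
    """Defender-side check: examine only 177/udp datagrams, since the page
    could not fix a direction for the attack. Returns (alert, first
    connection type) so the type can be logged alongside the alert."""
    if dst_port != XDMCP_PORT or len(payload) < 11:
        return (False, None)
    version, opcode = struct.unpack("!HH", payload[:4])
    if version != XDMCP_VERSION or opcode != XDMCP_OPCODE_REQUEST:
        return (False, None)
    first_type = struct.unpack("!H", payload[9:11])[0]
    return (matches_signature(payload), first_type)


# Constructed samples: the Internet family (00 00) and the invalid 00 1b type.
BENIGN_REQUEST = build_xdmcp_request(0, [0x0000])
CRAFTED_REQUEST = build_xdmcp_request(0, [0x001B])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_REQUEST), ("crafted", CRAFTED_REQUEST)):
        print(name, pkt.hex(), inspect_xdmcp_datagram(XDMCP_PORT, pkt))
```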

    Published: 2011-02-08