5013636 2000-04-17 04:59 /36 lines/ Postmaster
Recipient: Bugtraq (import) <10489>
Subject: XFree86 server overflow - exploit issues
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: lcamtuf@localhost
X-Nmymbofr: Nir Orb Buk
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.10004161934510.780-100000@localhost>
Date: Sun, 16 Apr 2000 19:45:59 +0200
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@TPI.PL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10004161835150.863-100000@localhost>

While trying to exploit this overflow, I noticed that the problem lies in a
_lovely_ strcpy() call, which overwrites the stack. Unfortunately, any
'offending' non-alphanumeric characters are replaced with '_' somewhere
before.

Uh, most people will say "it's impossible to write alphanumeric shellcode,
so it is not exploitable". That's not true. Please note: we don't have to
put shellcode there. It might be present anywhere, e.g. as any other
parameter, read from some user-specified file, or it might even not be
present at all (please refer to articles on defeating non-executable
stack). All we need is to modify some ptr (and we don't have to modify the
whole address, maybe only one byte) on the stack, or alter some variable -
the Xserver is a pretty complex creature and we have a wonderful playfield
here.

I strongly believe it's exploitable for an average code hacker within an
hour or so. Please think twice before assuming it is not - because for
sure it is _worth_ an exploit :) We're currently working on it, but it
probably isn't the best idea to post it for the public (script kitties ;).

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(5013636) ------------------------------------------(Rewrapped)

5013672 2000-04-17 05:58 /49 lines/ Postmaster
Recipient: Bugtraq (import) <10494>
Subject: XFree86 server overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: lcamtuf@localhost
X-Nmymbofr: Nir Orb Buk
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.10004161835150.863-100000@localhost>
Date: Sun, 16 Apr 2000 18:54:41 +0200
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@TPI.PL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running the X server (no
matter whether it's setuid, or called from the setuid Xwrapper - it works
in both cases; it seems to me the Xwrapper in the default RH 6.x distro is
rather dumb ;) with the -xkbmap parameter and over 2100 'A's (or shellcode;
again, it's rather trivial to exploit :), you'll get a beautiful overflow
with root privileges in the main (Xserver) process...

Listen to gdb...

    Cannot access memory at address 0x41414141.

This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6),
and:

    XFCom_i810 Version 1.0.0 / X Window System
    (protocol Version 11, revision 0, vendor release 6300)
    Release Date: October 13 1999

Btw. while testing this bug, we have noticed strange behaviour of some
drivers. For example, in one case we get a kernel oops, just like that
(linux 2.2.14, XFree86 3.3.6 XF86_S3V):

    eip: 41414141 eflags: 00013296
    eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
    esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
    Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
           41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
           41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
           41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141

:)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(5013672) ------------------------------------------(Rewrapped)

5017222 2000-04-17 23:14 /57 lines/ Postmaster
Recipient: Bugtraq (import) <10502>
Subject: Re: XFree86 server overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en, bg
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <38FADCD8.42F92A34@rila.bg>
Date: Mon, 17 Apr 2000 12:43:52 +0300
Reply-To: Valentin Pavlov <vpavlov@RILA.BG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Valentin Pavlov <vpavlov@RILA.BG>
Organization: Rila Solutions
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

XFree86 4.0.0 does not seem to be vulnerable to this... A look at the
sources also proves it.

Michal Zalewski wrote:
>
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running the X server (no
> matter whether it's setuid, or called from the setuid Xwrapper - it works
> in both cases; it seems to me the Xwrapper in the default RH 6.x distro is
> rather dumb ;) with the -xkbmap parameter and over 2100 'A's (or shellcode;
> again, it's rather trivial to exploit :), you'll get a beautiful overflow
> with root privileges in the main (Xserver) process...
>
> Listen to gdb... Cannot access memory at address 0x41414141.
>
> This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6),
> and:
>
> XFCom_i810 Version 1.0.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6300)
> Release Date: October 13 1999
>
> Btw. while testing this bug, we have noticed strange behaviour of some
> drivers. For example, in one case we get a kernel oops, just like that
> (linux 2.2.14, XFree86 3.3.6 XF86_S3V):
>
> eip: 41414141 eflags: 00013296
> eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
> esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
> Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
>
> :)
>
> _______________________________________________________
> Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
(5017222) ------------------------------------------

5017286 2000-04-18 00:04 /46 lines/ Postmaster
Recipient: Bugtraq (import) <10506>
Subject: Re: XFree86 server overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: saq@jupiter.sakowski.eu.org
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0004171929410.7274-100000@jupiter.sakowski.eu.org>
Date: Mon, 17 Apr 2000 20:11:55 +0200
Reply-To: =?ISO-8859-2?Q?Pawe=B3_Sakowski?= <pawel@LO13.UNIV.SZCZECIN.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: =?ISO-8859-2?Q?Pawe=B3_Sakowski?= <pawel@LO13.UNIV.SZCZECIN.PL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10004161835150.863-100000@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running the X server (no
> matter whether it's setuid, or called from the setuid Xwrapper - it works
> in both cases; it seems to me the Xwrapper in the default RH 6.x distro is
> rather dumb ;) with the -xkbmap parameter and over 2100 'A's (or shellcode;
> again, it's rather trivial to exploit :), you'll get a beautiful overflow
> with root privileges in the main (Xserver) process...

I dare disagree:

    $ Xwrapper -xkbmap `perl -e 'print "A"x3000'`
    Command line argument number 2 is too long
    [...]

This is plain RedHat 6.2, and the command line gets refused whenever a
non-root user tries to supply an arg longer than 128 chars.

- --
#include <stddisclaimer.h>
PGP Public Key: finger://sakowski.eu.org/pawel
                hkp://horowitz.surfnet.nl/pawel@sakowski.eu.org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOPtUPr5fvVhp3VoPEQLuFQCfSPl7lGV756WcBmBz5zSiteU2apcAoKY7
oxtyN6bTfHUyTDk8O7zEHm74
=YsmG
-----END PGP SIGNATURE-----
(5017286) ------------------------------------------

Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Olaf Kirch <okir@CALDERA.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10004161835150.863-100000@localhost>; from lcamtuf@TPI.PL on Sun, Apr 16, 2000 at 06:54:41PM +0200

On Sun, Apr 16, 2000 at 06:54:41PM +0200, Michal Zalewski wrote:
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running the X server (no
> matter whether it's setuid, or called from the setuid Xwrapper - it works
> in both cases; it seems to me the Xwrapper in the default RH 6.x distro is
> rather dumb ;)

I don't know what Redhat uses for their Xwrapper, but here's the code from
vanilla XFree3.3.6 (xc/programs/Xserver/os/wrapper.c), slightly
paraphrased:

    #define MAX_ARG_LENGTH 128

    if (!bad && geteuid() == 0 && getuid() != geteuid()) {
        for (i = 1; i < argc; i++) {
            ...
            if (strlen(argv[i]) > MAX_ARG_LENGTH) {
                bad = ArgTooLong;
                break;
            }
            ...
        }
    }

It appears that this vulnerability requires you to have uid 0 in order to
exploit it...

Olaf

PS: The current XFree4.0 snapshot comes without Xwrapper, supposedly
because it Does Things Right[TM].
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
          UNIX, n.: Spanish manufacturer of fire extinguishers.
(5017299) ------------------------------------------
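The defect the thread circles around is a keymap name that is sanitised (non-alphanumeric bytes turned into '_') and then copied onto the stack with an unbounded strcpy(); the example below is an added illustration, not code from XFree86 or from any poster, and shows that unsafe pattern as a comment beside a bounded replacement that rejects names the buffer cannot hold. XKBMAP_NAME_MAX, copy_xkbmap_name and demo_thread_cases are assumed names, and the 3000-byte run of 'A's is a constructed input modelled on the command Pawel posted.

```c
/* Added example, not XFree86 code nor any poster's. The thread describes a
 * keymap name that is sanitised (non-alphanumeric bytes become '_') and then
 * strcpy()'d into a fixed stack buffer: that copy is the overflow. Buffer
 * size and function names here are assumptions for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define XKBMAP_NAME_MAX 64   /* assumed destination buffer size */

/* Unsafe pattern as described in the thread (do not use):
 *     sanitize(arg);        -- replaces offending bytes with '_'
 *     strcpy(name, arg);    -- no length check: overflows on a long arg */

/* Hardened replacement: copy src into dst (capacity dstsize), mapping every
 * byte outside [A-Za-z0-9] to '_'. Returns the copied length, or -1 when
 * src would not fit; dst is then an empty string and nothing is ever
 * written past dstsize. */
int copy_xkbmap_name(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dst == NULL || dstsize == 0 || src == NULL)
        return -1;
    dst[0] = '\0';
    /* Bounded scan: stop at dstsize so an oversized src is rejected
     * without walking an arbitrarily long string. */
    for (n = 0; n < dstsize && src[n] != '\0'; n++)
        ;
    if (n == dstsize)
        return -1;                      /* no room for the NUL */
    for (size_t i = 0; i < n; i++)
        dst[i] = isalnum((unsigned char)src[i]) ? src[i] : '_';
    dst[n] = '\0';
    return (int)n;
}

/* Constructed inputs mirroring the thread: a short name with separators
 * and a 3000-byte run of 'A's like the posted test. Returns 0 when the
 * hardened copy behaves as intended, otherwise the failing case number. */
int demo_thread_cases(void)
{
    char name[XKBMAP_NAME_MAX];
    static char big[3000];              /* zero-filled, so NUL-terminated */
    memset(big, 'A', sizeof big - 1);
    if (copy_xkbmap_name(name, sizeof name, "us-dvorak/1") != 11) return 1;
    if (strcmp(name, "us_dvorak_1") != 0) return 2;
    if (copy_xkbmap_name(name, sizeof name, big) != -1) return 3;
    return name[0] == '\0' ? 0 : 4;
}
```

The wrapper-side check Olaf quotes only protects the setuid path; the bounded copy closes the hole inside the server regardless of how it was started.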