5592651 2000-10-14  01:19  /42 lines/ The Postman (which is implemented in) Python
Recipient: Bugtraq (import) <13275>
Subject: another Xlib buffer overflow
------------------------------------------------------------
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10010130218180.942-100000@localhost>

< I'm still looking for a good job: http://lcamtuf.hack.pl/job.html >

[ Aleph, I have strange deja-vu I have seen similar hole reported to ]
[ BUGTRAQ some time ago - but I've searched the archives and mailbox ]
[ for anything related, and could not find it... so if I am blind,   ]
[ please bounce this message... :) ]

Vulnerable object: XFree 3.3.x Xlib (no data on 4.0.x); no mention of
fix in "security issues" page at www.xfree86.org.

The problem is simple - you can invoke any executable linked against
Xlib with the -display command-line parameter or the DISPLAY environment
variable in a way that causes a trivial stack overflow. This can
happen because, before establishing the unix socket connection, a socket path
containing user-supplied data is sprintf()ed into a small buffer.

You can overwrite both local variables and the return address with a limited set
of characters (well, limited to digits ;), but I strongly believe it could
be exploited with no difficulty by affecting only the less significant bytes
- partial address overwriting, partial variable overwriting - known
techniques. Examining the stack and code shows us that at least little
endian machines are very likely to be vulnerable to successful
exploitation.

So, the impact is:

DISPLAY=:`perl -e '{print "0"x128}'` any_privledged_X_application
(or: any_privledged_X_application -display :...)

Common X client applications are *term, games and several other
programs that are setuid and linked against Xlib, whenever they are willing to
access the X server display.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(5592651) ------------------------------------------(Re-wrapped)
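The bug class described above, as an added defender's example (not XFree86 or Xlib source): a socket-path builder that refuses a DISPLAY number unless it is all digits and the resulting path fits in `sun_path`. The path prefix `/tmp/.X11-unix/X` and the function names are assumptions; the post does not show the actual xtrans code.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumed prefix for the unix-domain socket; the real xtrans format is not shown
 * on the page, so this only illustrates the pattern. */
#define X11_SOCKET_PREFIX "/tmp/.X11-unix/X"

/* The vulnerable pattern from the post (illustrative, not XFree86's code):
 *
 *     struct sockaddr_un addr;
 *     sprintf(addr.sun_path, "/tmp/.X11-unix/X%s", display_number);
 *
 * sun_path is a fixed-size array (108 bytes on Linux) and sprintf() writes the
 * whole string regardless, so a DISPLAY of 128 digits runs past it into the
 * rest of the stack frame. */

/* Hardened form: validate the display number (the part after ':') and check
 * the final length before formatting. Returns 0 on success, -1 on rejection. */
int build_x11_socket_addr(const char *display_number, struct sockaddr_un *addr)
{
    size_t i, len = strlen(display_number);

    if (len == 0)
        return -1;
    for (i = 0; i < len; i++)               /* display numbers are digits only */
        if (display_number[i] < '0' || display_number[i] > '9')
            return -1;
    /* Reject rather than truncate: a silently shortened path would make the
     * client connect to the wrong socket. +1 is for the terminating NUL. */
    if (strlen(X11_SOCKET_PREFIX) + len + 1 > sizeof(addr->sun_path))
        return -1;

    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    snprintf(addr->sun_path, sizeof(addr->sun_path), "%s%s",
             X11_SOCKET_PREFIX, display_number);
    return 0;
}

/* Returns 1 if the display number passes the hardened check, 0 otherwise. */
int display_number_is_safe(const char *display_number)
{
    struct sockaddr_un addr;
    return build_x11_socket_addr(display_number, &addr) == 0;
}

/* Constructed input matching the post's test case: n '0' characters. */
int zeros_display_is_safe(size_t n)
{
    char buf[256];
    if (n >= sizeof(buf))
        return 0;
    memset(buf, '0', n);
    buf[n] = '\0';
    return display_number_is_safe(buf);
}
```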

5601792 2000-10-16  20:12  /33 lines/ The Postman (which is implemented in) Python
Recipient: Bugtraq (import) <13299>
Comment on text 5597949 by The Postman (which is implemented in) Python
Subject: Re: another Xlib buffer overflow
------------------------------------------------------------
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@UUMAIL.GOV.BC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200010161201.e9GC1jk00908@cwsys.cwsent.com>

In message <14823.32893.941728.85487@laas.fr>, Matthieu Herrb writes:
> You wrote (in your message from Friday 13)
>  >
>  > Vulnerable object: XFree 3.3.x Xlib (no data on 4.0.x); no mention of fix
>  > in "security issues" page at www.xfree86.org.
>  >
>
> It was fixed in XFree86 4.0. From the CHANGELOG:
>
> XFree86 3.9Nu (13 January 1999)
> [...]
> 2141. Fix some sun_path overflows in xtrans.

It doesn't appear to be fixed in 3.3.6:

cwsys$ DISPLAY=:`perl -e '{print "0"x128}'` xterm
Segmentation fault
cwsys$

Exploit anyone?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
(5601792) ------------------------------------------