Bugtraq mailing list archives

Re: Possible bufferoverflow condition in lpr, xterm and xload


From: casper () holland Sun COM (Casper Dik)
Date: Tue, 13 Aug 1996 12:13:40 +0200


Digital Dreamer <dreamer () garrison inetcan net>:

On Tue, 13 Aug 1996, bloodmask wrote:

xterm, xload, both segmented when supplied with -display commandline
argument / environment variable above its buffer size. Probably
exploitable, although I haven't gotten around to verifying this myself,
I'd like to hear comments concerning this suspicion of mine.

The fact that it's in the -display variable, which isn't handled by
the program but rather the X toolkit it was compiled with, implies
that this could be a problem with all X programs using this particular
toolkit.  I'm pretty sure Xterm is compiled with the Athena set, which
is (I believe) the most common library, followed by Mosaic.


Looks like a problem in X11R6: XOpenDisplay() (OpenDis.c) calls
a function in lib/X11/ConnDis.c which does a sprintf(address,....).
address is a static buffer of size 128.

In X11R5 (and before??), there's also a sprintf but in a buffer
allocated with the proper size.



Casper
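As an added illustration of the defect Casper describes, and not code from the X11 sources or from anyone in this thread: the message reports an sprintf() into a static 128-byte "address" buffer in lib/X11/ConnDis.c, and notes that X11R5 instead wrote into a buffer allocated at the proper size. The snippet below shows both safe shapes side by side, a bounded snprintf() that reports when the input does not fit, and the measure-then-allocate approach, plus a helper an auditor could use to confirm which -display values would have overrun the old fixed buffer. The "host:display.screen" format string is an assumption; the actual format used in ConnDis.c is not shown in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the static "address" buffer the message reports in lib/X11/ConnDis.c. */
#define ADDRESS_SIZE 128

/* Assumed format for the display string; the real format string in ConnDis.c
 * is not quoted in the message, so "host:display.screen" is a placeholder. */
#define ADDRESS_FMT "%s:%d.%d"

/* Bounded variant of the fixed-buffer pattern: snprintf() never writes past
 * dstlen, and the caller is told when the result did not fit instead of
 * receiving a silently truncated (or, with sprintf, overflowed) buffer.
 * Returns 0 on success, -1 on overflow or error. */
int build_address_bounded(char *dst, size_t dstlen,
                          const char *host, int display, int screen)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    int n = snprintf(dst, dstlen, ADDRESS_FMT, host, display, screen);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* never hand back a partial address */
        return -1;
    }
    return 0;
}

/* X11R5-style variant the message describes: measure first, then allocate a
 * buffer of exactly the required size. Caller frees the result; NULL on failure. */
char *build_address_alloc(const char *host, int display, int screen)
{
    int n = snprintf(NULL, 0, ADDRESS_FMT, host, display, screen);
    if (n < 0)
        return NULL;
    size_t len = (size_t)n + 1;
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    snprintf(buf, len, ADDRESS_FMT, host, display, screen);
    return buf;
}

/* Audit helper: would this input have fit in the 128-byte static buffer?
 * Returns 1 if it fits (including the terminating NUL), 0 if the old
 * sprintf() call would have written past the end of the buffer. */
int fits_static_buffer(const char *host, int display, int screen)
{
    int n = snprintf(NULL, 0, ADDRESS_FMT, host, display, screen);
    return n >= 0 && (size_t)n < ADDRESS_SIZE;
}

int main(void)
{
    char address[ADDRESS_SIZE];

    /* Constructed inputs: a normal display and one with a 200-byte hostname. */
    char long_host[201];
    memset(long_host, 'A', 200);
    long_host[200] = '\0';

    printf("localhost:0.0 fits static buffer: %d\n",
           fits_static_buffer("localhost", 0, 0));
    printf("200-byte host fits static buffer: %d\n",
           fits_static_buffer(long_host, 0, 0));
    printf("bounded build of 200-byte host returns: %d\n",
           build_address_bounded(address, sizeof address, long_host, 0, 0));

    char *dyn = build_address_alloc(long_host, 0, 0);
    if (dyn != NULL) {
        printf("allocated build length: %zu\n", strlen(dyn));
        free(dyn);
    }
    return 0;
}
```

The bounded form is the minimal fix for a fixed static buffer; the allocating form is what the message says X11R5 did, and is preferable when the input length is not under the program's control, as with a -display argument or DISPLAY environment variable.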