Bugtraq mailing list archives

Re: libX11 overflow continued....


From: hedley () CS BRIS AC UK (David Hedley)
Date: Fri, 30 May 1997 15:14:19 +0100


"LG" == Lamont Granquist <lamontg () hitl washington edu> writes:
     [snip]
    LG> Of course this probably just moves the buffer overflow into xrdb
    LG> -merge, (correct, David?)

Correct. It is still possible to upload exploit code to the X server via
xrdb -merge as you suggest. When xterm grabs its resources off the X
server it parses them in the same way and hence is still vulnerable. I
can't see how any wrapper can prevent this.

e.g. try the following:

$ a='gerbil'
$ for b in 1 2 3 4 5 6 7 8 9 10; do a=$a$a; done
$ echo XTerm.$a: x > /tmp/test
$ xrdb -merge /tmp/test
$ xterm

xterm should then segmentation fault/core dump. There are probably a few
restrictions on what ASCII values can be in the exploit code, but
initial impressions suggest it would still be very easy to write an
exploit that didn't use them....YMMV.

David
--
 David Hedley (hedley () cs bris ac uk)
 finger hedley () cs bris ac uk for PGP key
 Computer Graphics Group | University of Bristol | UK
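An added defender-side check, not part of the original post or of any X project code: it parses X resource database text in the `name: value` form that `xrdb -query` prints (handling `!` comments, `#` preprocessor lines and backslash continuations) and flags entries whose resource name or value is far longer than any legitimate setting, which is how the abnormal `XTerm.gerbil...` entry from the post would show up in a server's loaded resources. The sample input below is constructed, and the length limits are assumed thresholds, not values from the page.

```python
import subprocess

# Constructed sample in the format `xrdb -query` prints (not captured from a real host).
SAMPLE_RESOURCES = (
    "! comment line, ignored\n"
    "#define COLOR black\n"
    "XTerm*background:\tblack\n"
    "XTerm*foreground:\tgrey\n"
    "XTerm.VT100.geometry: 80x24\n"
    "XTerm.VT100.translations: #override \\\n"
    "    Ctrl <Key>V: insert-selection(CLIPBOARD)\n"
    "XTerm." + "gerbil" * 1024 + ":\tx\n"   # same shape as the post's crash input
)

# Assumed thresholds: no sane resource name or value comes anywhere near these.
NAME_LIMIT = 256
VALUE_LIMIT = 1024


def parse_resources(text):
    """Return (name, value) pairs from X resource database text."""
    entries = []
    logical = ""
    for raw in text.splitlines():
        logical += raw
        if logical.endswith("\\"):          # backslash continues the line
            logical = logical[:-1]
            continue
        line, logical = logical, ""
        if not line.strip() or line.lstrip().startswith(("!", "#")):
            continue                        # comment / preprocessor line
        name, sep, value = line.partition(":")
        if sep:
            entries.append((name.strip(), value.strip()))
    return entries


def oversized_entries(text, name_limit=NAME_LIMIT, value_limit=VALUE_LIMIT):
    """Entries whose name or value exceeds the limits: candidates for removal."""
    return [(n, v) for n, v in parse_resources(text)
            if len(n) > name_limit or len(v) > value_limit]


def audit_live_server():
    """Query the running X server's resource database and audit it (needs xrdb)."""
    out = subprocess.run(["xrdb", "-query"], capture_output=True,
                         text=True, check=True).stdout
    return oversized_entries(out)
```

Run `audit_live_server()` on a display where `xrdb -merge` has been used; a non-empty result identifies the entries to strip with `xrdb -remove` before clients such as xterm load them.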


