Bugtraq mailing list archives
Re: libX11 overflow continued....
From: hedley () CS BRIS AC UK (David Hedley)
Date: Fri, 30 May 1997 15:14:19 +0100
"LG" == Lamont Granquist <lamontg () hitl washington edu> writes:

[snip]
LG> Of course this probably just moves the buffer overflow into xrdb
LG> -merge, (correct, David?)

Correct. It is still possible to upload exploit code to the X server via xrdb -merge as you suggest. When xterm grabs its resources off the X server, it parses them in the same way and hence is still vulnerable. I can't see how any wrapper can prevent this. e.g. try the following:

    $ a='gerbil'
    $ for b in 1 2 3 4 5 6 7 8 9 10; do a=$a$a; done
    $ echo XTerm.$a: x > /tmp/test
    $ xrdb -merge /tmp/test
    $ xterm

xterm should then segmentation fault/core dump. There are probably a few restrictions on what ASCII values can be in the exploit code, but initial impressions suggest it would still be very easy to write an exploit that didn't use them....YMMV.

David
--
David Hedley (hedley () cs bris ac uk)
finger hedley () cs bris ac uk for PGP key
Computer Graphics Group | University of Bristol | UK
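The crash reproduction in the post rests on a resource parser copying a name of unbounded length into a fixed-size buffer. The C sketch below is added here and is not code from libX11, xterm, or this thread: it contrasts that unchecked copy with a bounded variant that refuses oversized names. The buffer size, the function names and the line builder are constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not code from libX11 or xterm. Resource lines
 * look like "XTerm.foo: x"; the text before the colon is the resource name. */

#define RES_NAME_MAX 256   /* assumed fixed buffer size, chosen for the demo */

/* Unsafe pattern: copy the name into a fixed stack buffer with no check on
 * its length. A name longer than RES_NAME_MAX - 1 bytes writes past the
 * buffer, which is the failure mode the crash in the post exercises. */
int unsafe_resource_name_len(const char *line)
{
    char name[RES_NAME_MAX];
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;                       /* malformed line */
    size_t n = (size_t)(colon - line);
    memcpy(name, line, n);               /* no bound: overflows for n >= 256 */
    name[n] = '\0';
    return (int)strlen(name);
}

/* Hardened variant: measure first, reject anything that would not fit. */
int safe_resource_name_len(const char *line)
{
    char name[RES_NAME_MAX];
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;                       /* malformed line */
    size_t n = (size_t)(colon - line);
    if (n >= sizeof name)
        return -2;                       /* too long: refuse, do not truncate silently */
    memcpy(name, line, n);
    name[n] = '\0';
    return (int)strlen(name);
}

/* Build a line like the post's "XTerm.gerbilgerbil...: x" with a name of
 * exactly name_len bytes. Caller frees the result. */
char *make_long_resource_line(size_t name_len)
{
    const char *prefix = "XTerm.";
    const char *suffix = ": x";
    size_t plen = strlen(prefix);
    if (name_len < plen)
        name_len = plen;
    char *buf = malloc(name_len + strlen(suffix) + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'g', name_len - plen);
    memcpy(buf + name_len, suffix, strlen(suffix) + 1);
    return buf;
}

int main(void)
{
    /* 6 * 1024 bytes: roughly "gerbil" doubled ten times, as in the post. */
    char *line = make_long_resource_line(6 * 1024);
    if (line == NULL)
        return 1;
    /* Only the hardened parser is exercised with the oversized name. */
    int r = safe_resource_name_len(line);
    free(line);
    return r == -2 ? 0 : 1;
}
```

The hardened function rejects the oversized line instead of writing past the buffer. As the post notes, the oversized resource reaches xterm from the X server rather than from its command line, so a wrapper around the binary cannot intercept it; the length check has to sit in the parser that every client runs.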
Current thread:
- libX11 overflow continued.... David Hedley (May 29)
- Re: libX11 overflow continued.... Lamont Granquist (May 30)
- Re: libX11 overflow continued.... David Hedley (May 30)
- Re: libX11 overflow continued.... Roman Maeder (May 30)
- Re: libX11 overflow continued.... David Hedley (May 30)
- NIS+, Solaris 2.5.1 Anonymous (May 30)
- Re: NIS+, Solaris 2.5.1 Casper Dik (May 30)
- Re: libX11 overflow continued.... Lamont Granquist (May 30)