Bugtraq mailing list archives
Xserver stack smashed
From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Tue, 13 Jan 1998 20:22:02 +0100
Summary: On a system where X11R6-based Xserver (R5 is probably affected too) is installed setuid or setgid (e.g. typical XFree86 installation has XF86_* setuid root), local users can exploit a buffer overrun in its code and gain extra privileges (e.g. root privileges when Xserver is setuid root). Quick vulnerability check: X:00000000000000000000000000000000000000000000000000000000000000000\ 00000000000000000000000000000000000000000000000000000000000000000000\ 00000000000000000000000000000000000000000000000000000000000000000000\ 00000000000000000000000000000000000000000000000000000000000000000000\ 00000000000000000000000000000000000000000000000000000000000000000000\ 00000000000000000000000000000000000000000000000000000000000000000000\ 00000000000000000000000000000000000000000000000000000000000000000009 (add -nolock for XFree86, change X to whatever name your Xserver has) Vulnerable Xserver will crash (Segmentation fault). (Note: machines immunized against stack smashing--e.g. Linux boxes with Solar Designer's kernel patch--are probably not vulnerable.) Quick fix: * remove setuid/setgid bit from all installed Xservers * use xdm or a safe setuid wrapper to start Xserver Details: X11R6.x Xserver recognizes a runtime argument specifying the desired display (e.g. X :1). It accepts ANY value regardless of its length and contents (save from the initial colon). Excerpt from xc/programs/Xserver/os/access.c (X11R6.3) /* Reset access control list to initial hosts */ void ResetHosts (display) char *display; { register HOST *host; char lhostname[120], ohostname[120]; char *hostname = ohostname; char fname[100]; [snip] strcpy (fname, "/etc/X"); strcat (fname, display); strcat (fname, ".hosts"); if (fd = fopen (fname, "r")) [snip] } Xserver calls ResetHosts() during its startup. A very long value of "display" (100 + 2*120 + delta bytes) overflows "fname" and corrupts the stack. An actual exploit is left as an exercise for the reader. :) There are probably other vulnerable places in Xserver code. (I have spotted another buffer overrun in LockServer() (os/utils.c, XFree86 specific) but this one seems to be benign.) Anyone willing to pay me big bucks for an exhaustive audit is welcome. :) --Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration) [ Boycott Microsoft -- http://www.vcnet.com/bms ]
Current thread:
- Correction: CPSN 9:971208: Solaris /var Permission Problems MATTHEW POTTER (Jan 13)
- Xserver stack smashed Pavel Kankovsky (Jan 13)
- Re: Xserver stack smashed M Shariful Anam (Jan 14)
- DoS attack: apache (& other) .htaccess Authentication jan () WEDEKIND DE (Jan 14)
- Re: DoS attack: apache (& other) .htaccess Authentication Marc Slemko (Jan 14)
- Re: DoS attack: apache (& other) .htaccess Authentication Tim Newsham (Jan 15)
- Re: DoS attack: apache (& other) .htaccess Authentication Dustin Sallings (Jan 15)
- Re: DoS attack: apache (& other) .htaccess Authentication Casper Dik (Jan 16)
- pbomb'ing SSH on a FreeBSD box. Jeff Johnson (Jan 15)
- Re: pbomb'ing SSH on a FreeBSD box. FrontLine Assembly (Jan 17)
- Re: DoS attack: apache (& other) .htaccess Authentication Dean Gaudet (Jan 16)
- Re: GCC 2.7.? /tmp files dichro-bugtraq () RCPT TO (Jan 17)
- Xserver stack smashed Pavel Kankovsky (Jan 13)