Bugtraq mailing list archives

Re: Xserver stack smashed -- wrapper

From: crosby () QWE0 MATH CMU EDU (Scott A Crosby)
Date: Thu, 15 Jan 1998 02:46:36 -0500


On Wed, 14 Jan 1998, Cotfas Vladimir-Marian wrote:

[snip]


Here's a wrapper for this bug and for the older XF86 security vulnerability
(i.e. XF86_XX -config /etc/shadow)

Vladimir

----------------------------cut from here-------------------------------
/*
  Description: X server wrapper

  Goals:
   1. wrap the "-config" security vulnerabillity
   2. wrap the :000000000000...00000000000000009 potential buffer overflow


I would add in a check for a singular arg > some maximum length:

It would also be a good idea to clean the environment before invoking
the Xserver. (left as an excercise for the reader)

Scott Crosby


----------------------------cut from here-------------------------------

--- x1.c        Thu Jan 15 02:25:26 1998
+++ x2.c        Thu Jan 15 02:40:59 1998
@@ -39,6 +39,7 @@
 */
 #define _DEBUG
 #define SIZE 1024
+#define MAX_LEN 240

 /* guaranteed filled with NULLs by UNIX */
 char* args[SIZE];
@@ -75,6 +76,11 @@
          syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n",
                  i, pass->pw_name);
          i++;
+         continue;
+      }
+      if(strlen(argv[i]) >= MAX_LEN){
+         syslog(LOG_NOTICE, "too long arg at #%d user %s \n", i, pass->pw_name);
+        i++;
          continue;
       }
       if(argsCount >= SIZE){

Current thread:

Re: Xserver stack smashed -- wrapper Cotfas Vladimir-Marian (Jan 14)
- Re: Xserver stack smashed -- wrapper Scott A Crosby (Jan 14)
- <Possible follow-ups>
- Re: Xserver stack smashed -- wrapper John Goerzen (Jan 14)