Bugtraq mailing list archives

Re: XFree86 server overflow

From: okir () CALDERA DE (Olaf Kirch)
Date: Mon, 17 Apr 2000 10:52:40 +0200


On Sun, Apr 16, 2000 at 06:54:41PM +0200, Michal Zalewski wrote:

XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
matter it's setuid, or called from setuid Xwrapper - works in both cases,
seems to me Xwrapper in default RH 6.x distro is rather dumb ;)


I don't know what Redhat uses for their Xwrapper, but here's the
code from vanilla XFree3.3.6 (xc/programs/Xserver/os/wrapper.c),
slightly paraphrased:

        #define MAX_ARG_LENGTH          128

        if (!bad && geteuid() == 0 && getuid() != geteuid()) {
                for (i = 1; i < argc; i++) {
                        ...
                        if (strlen(argv[i]) > MAX_ARG_LENGTH) {
                                bad = ArgTooLong;
                                break;
                        }
                        ...
                }
        }

It appears that this vulnerability requires you to have uid 0
in order to exploit it...

Olaf

PS: The current XFree4.0 snapshot comes without Xwrapper, supposedly
because it Does Things Right[TM].

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Current thread:

more problems with that POS dansie cart software!, (continued)
- more problems with that POS dansie cart software! tombow (Apr 14)
  - Re: more problems with that POS dansie cart software! Randy Janinda (Apr 14)
  - nmh-1.0.4 released Dan Harkless (Apr 14)
  - xfs Michal Zalewski (Apr 16)
  - StarOffice 5.1 Michal Zalewski (Apr 16)
  - XFree86 server overflow Michal Zalewski (Apr 16)
    - XFree86 server overflow - exploit issues Michal Zalewski (Apr 16)
    - Reappearance of an old IE security bug Ben Mesander (Apr 16)
    - Re: Reappearance of an old IE security bug Vladimir Dubrovin (Apr 17)
    - Announcing: Solaris Fingerprint Database (sfpDB) on SunSolve Casper Dik (Apr 17)
    - Re: XFree86 server overflow Olaf Kirch (Apr 17)
    - Re: XFree86 server overflow Valentin Pavlov (Apr 17)
    - Microsoft Security Bulletin (MS00-025) Microsoft Product Security (Apr 17)
    - Re: XFree86 server overflow Paweł Sakowski (Apr 17)
    - RAZOR Analysis of dvwssr.dll Simple Nomad (Apr 17)
    - response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command Theo de Raadt (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command R. C. Dowdeswell (Apr 17)
    - xfs security issues (fwd) Chris Evans (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)

(Thread continues...)