Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ubuntu 10.04 xterm heap overflow,can it be exploit ?

From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 13 Oct 2010 10:22:25 -0400
This has already been made public:
http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html

On Ubuntu, xterm is setgid utmp, which might make it an interesting
target for local attacks.  However, you'll need to check if it's
already dropped group utmp privileges by the time this overflow
happens.  In either case, glibc heap protection probably makes this
very difficult or impossible to exploit anyway.

-Dan

On Sun, Oct 10, 2010 at 11:07 PM, watercloud watercloud
<watercloud () xfocus org> wrote:

Hi,all !
I find xterm on ubuntu 10.04 have a local heap overflow,
I don't known  that can it be exploit on glibc 2.11 .


detail :

watercloud@ubuntu:~/Downloads$ ls -l `which xterm`
-rwxr-sr-x 1 root utmp 354444 2010-03-31 17:47 /usr/bin/xterm

watercloud@ubuntu:~/Downloads$ xterm -fb `perl -e 'print "A"x4000'`
*** glibc detected *** xterm: munmap_chunk(): invalid pointer: 0x080bd314 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x243591]
/lib/tls/i686/cmov/libc.so.6(+0x6c80e)[0x24480e]
xterm[0x8062c70]
xterm[0x8064b34]
xterm[0x805515d]
/usr/lib/libXt.so.6(+0x23e30)[0x4a2e30]
/usr/lib/libXt.so.6(+0x23fb5)[0x4a2fb5]
/usr/lib/libXt.so.6(XtRealizeWidget+0x9d)[0x4a325d]
xterm[0x8058176]
xterm[0x8069a08]
xterm[0x806bf78]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x1eebd6]
xterm[0x804d6a1]
======= Memory map: ========
00110000-0012b000 r-xp 00000000 08:01 147        /lib/ld-2.11.1.so
0012b000-0012c000 r--p 0001a000 08:01 147        /lib/ld-2.11.1.so
0012c000-0012d000 rw-p 0001b000 08:01 147        /lib/ld-2.11.1.so
0012d000-0012e000 r-xp 00000000 00:00 0          [vdso]
0012e000-00140000 r-xp 00000000 08:01 4191       /usr/lib/libXft.so.2.1.13
00140000-00141000 r--p 00011000 08:01 4191       /usr/lib/libXft.so.2.1.13
00141000-00142000 rw-p 00012000 08:01 4191       /usr/lib/libXft.so.2.1.13
00142000-00198000 r-xp 00000000 08:01 2715       /usr/lib/libXaw7.so.7.0.0
00198000-00199000 r--p 00055000 08:01 2715       /usr/lib/libXaw7.so.7.0.0
00199000-0019f000 rw-p 00056000 08:01 2715       /usr/lib/libXaw7.so.7.0.0
0019f000-001a0000 rw-p 00000000 00:00 0
001a0000-001d4000 r-xp 00000000 08:01 4408       /lib/libncurses.so.5.7
001d4000-001d5000 ---p 00034000 08:01 4408       /lib/libncurses.so.5.7
001d5000-001d7000 r--p 00034000 08:01 4408       /lib/libncurses.so.5.7
001d7000-001d8000 rw-p 00036000 08:01 4408       /lib/libncurses.so.5.7
001d8000-0032b000 r-xp 00000000 08:01 1050745
/lib/tls/i686/cmov/libc-2.11.1.so
0032b000-0032c000 ---p 00153000 08:01 1050745
/lib/tls/i686/cmov/libc-2.11.1.so
0032c000-0032e000 r--p 00153000 08:01 1050745
/lib/tls/i686/cmov/libc-2.11.1.so
0032e000-0032f000 rw-p 00155000 08:01 1050745
/lib/tls/i686/cmov/libc-2.11.1.so
0032f000-00332000 rw-p 00000000 00:00 0
00332000-00360000 r-xp 00000000 08:01 850        /usr/lib/libfontconfig.so.1.4.4
00360000-00361000 r--p 0002d000 08:01 850        /usr/lib/libfontconfig.so.1.4.4
00361000-00362000 rw-p 0002e000 08:01 850        /usr/lib/libfontconfig.so.1.4.4
00362000-0047b000 r-xp 00000000 08:01 4046       /usr/lib/libX11.so.6.3.0
0047b000-0047c000 r--p 00118000 08:01 4046       /usr/lib/libX11.so.6.3.0
0047c000-0047e000 rw-p 00119000 08:01 4046       /usr/lib/libX11.so.6.3.0
0047e000-0047f000 rw-p 00000000 00:00 0
0047f000-004ce000 r-xp 00000000 08:01 3718       /usr/lib/libXt.so.6.0.0
004ce000-004cf000 r--p 0004e000 08:01 3718       /usr/lib/libXt.so.6.0.0
004cf000-004d2000 rw-p 0004f000 08:01 3718       /usr/lib/libXt.so.6.0.0
004d2000-004e7000 r-xp 00000000 08:01 2723       /usr/lib/libXmu.so.6.2.0
004e7000-004e8000 r--p 00014000 08:01 2723       /usr/lib/libXmu.so.6.2.0
004e8000-004e9000 rw-p 00015000 08:01 2723       /usr/lib/libXmu.so.6.2.0
004e9000-004fe000 r-xp 00000000 08:01 4016       /usr/lib/libICE.so.6.3.0
004fe000-004ff000 r--p 00014000 08:01 4016       /usr/lib/libICE.so.6.3.0
004ff000-00500000 rw-p 00015000 08:01 4016       /usr/lib/libICE.so.6.3.0
00500000-00502000 rw-p 00000000 00:00 0
00502000-00573000 r-xp 00000000 08:01 2033       /usr/lib/libfreetype.so.6.3.22
00573000-00577000 r--p 00070000 08:01 2033       /usr/lib/libfreetype.so.6.3.22
00577000-00578000 rw-p 00074000 08:01 2033       /usr/lib/libfreetype.so.6.3.22
00578000-00580000 r-xp 00000000 08:01 4050       /usr/lib/libXrender.so.1.3.0
00580000-00581000 r--p 00007000 08:01 4050       /usr/lib/libXrender.so.1.3.0
00581000-00582000 rw-p 00008000 08:01 4050       /usr/lib/libXrender.so.1.3.0
00582000-00590000 r-xp 00000000 08:01 4091       /usr/lib/libXext.so.6.4.0
00590000-00591000 r--p 0000d000 08:01 4091       /usr/lib/libXext.so.6.4.0
00591000-00592000 rw-p 0000e000 08:01 4091       /usr/lib/libXext.so.6.4.0
00592000-005a1000 r-xp 00000000 08:01 2709       /usr/lib/libXpm.so.4.11.0
005a1000-005a2000 r--p 0000e000 08:01 2709       /usr/lib/libXpm.so.4.11.0
005a2000-005a3000 rw-p 0000f000 08:01 2709       /usr/lib/libXpm.so.4.11.0
005a3000-005a5000 r-xp 00000000 08:01 1053685
/lib/tls/i686/cmov/libdl-2.11.1.so
005a5000-005a6000 r--p 00001000 08:01 1053685
/lib/tls/i686/cmov/libdl-2.11.1.so
005a6000-005a7000 rw-p 00002000 08:01 1053685
/lib/tls/i686/cmov/libdl-2.11.1.so
005a7000-005ba000 r-xp 00000000 08:01 4125       /lib/libz.so.1.2.3.3
005ba000-005bb000 r--p 00012000 08:01 4125       /lib/libz.so.1.2.3.3
005bb000-005bc000 rw-p 00013000 08:01 4125       /lib/libz.so.1.2.3.3
005bc000-005e0000 r-xp 00000000 08:01 90         /lib/libexpat.so.1.5.2
005e0000-005e2000 r--p 00024000 08:01 90         /lib/libexpat.so.1.5.2
005e2000-005e3000 rw-p 00026000 08:01 90         /lib/libexpat.so.1.5.2
005e3000-005fb000 r-xp 00000000 08:01 4032       /usr/lib/libxcb.so.1.1.0
005fb000-005fc000 r--p 00017000 08:01 4032       /usr/lib/libxcb.so.1.1.0
005fc000-005fd000 rw-p 00018000 08:01 4032       /usr/lib/libxcb.so.1.1.0
005fd000-00604000 r-xp 00000000 08:01 44         /usr/lib/libSM.so.6.0.1
00604000-00605000 r--p 00006000 08:01 44         /usr/lib/libSM.so.6.0.1
00605000-00606000 rw-p 00007000 08:01 44         /usr/lib/libSM.so.6.0.1
00606000-00608000 r-xp 00000000 08:01 2195       /usr/lib/libXau.so.6.0.0
00608000-00609000 r--p 00001000 08:01 2195       /usr/lib/libXau.so.6.0.0
00609000-0060a000 rw-p 00002000 08:01 2195       /usr/lib/libXau.so.6.0.0
0060a000-0060e000 r-xp 00000000 08:01 3970       /usr/lib/libXdmcp.so.6.0.0
0060e000-0060f000 r--p 00003000 08:01 3970       /usr/lib/libXdmcp.so.6.0.0
0060f000-00610000 rw-p 00004000 08:01 3970       /usr/lib/libXdmcp.so.6.0.0
00610000-00613000 r-xp 00000000 08:01 811        /lib/libuuid.so.1.3.0
00613000-00614000 r--p 00002000 08:01 811        /lib/libuuid.so.1.3.0
00614000-00615000 rw-p 00003000 08:01 811        /lib/libuuid.so.1.3.0
00615000-0061d000 r-xp 00000000 08:01 3644       /usr/lib/libXcursor.so.1.0.2
0061d000-0061e000 r--p 00007000 08:01 3644       /usr/lib/libXcursor.so.1.0.2
0061e000-0061f000 rw-p 00008000 08:01 3644       /usr/lib/libXcursor.so.1.0.2
0061f000-00623000 r-xp 00000000 08:01 4112       /usr/lib/libXfixes.so.3.1.0
00623000-00624000 r--p 00003000 08:01 4112       /usr/lib/libXfixes.so.3.1.0
00624000-00625000 rw-p 00004000 08:01 4112       /usr/lib/libXfixes.so.3.1.0
00625000-00642000 r-xp 00000000 08:01 1463       /lib/libgcc_s.so.1
00642000-00643000 r--p 0001c000 08:01 1463       /lib/libgcc_s.so.1
00643000-00644000 rw-p 0001d000 08:01 1463       /lib/libgcc_s.so.1
08048000-08099000 r-xp 00000000 08:01 2848       /usr/bin/xterm
08099000-0809a000 r--p 00050000 08:01 2848       /usr/bin/xterm
0809a000-080a0000 rw-p 00051000 08:01 2848       /usr/bin/xterm
080a0000-080e5000 rw-p 00000000 00:00 0          [heap]
b7e4c000-b7e8b000 r--p 00000000 08:01 393224
/usr/lib/locale/zh_CN.utf8/LC_CTYPE
b7e8b000-b7fdd000 r--p 00000000 08:01 393276
/usr/lib/locale/zh_CN.utf8/LC_COLLATE
Previous By Date Next
Previous By Thread Next

Current thread: