Bugtraq mailing list archives
libX11 overflow continued....
From: hedley () CS BRIS AC UK (David Hedley)
Date: Fri, 30 May 1997 00:21:12 +0100
I would just like to sound a word of warning to people using wrappers to protect suid X programs linked against the bugged libX11. You are not safe from attack.

X resources can be specified in a number of manners, only one of which involves command line parameters. One way of specifying resources is via an application defaults file (usually found in <xroot>/lib/X11/app-defaults). This directory is normally non-writable by users; however, users can specify their own application files to be read (and indeed change the default location of the app-defaults directory via the XAPPLRESDIR environment variable). Data in these files is read in at run time and passed through the same GetDatabase function call which contains the buffer overflow bug. Malicious users can therefore hide buffer overflow exploit code in such a file and thereby obviate the need for the code to be in command line arguments (or indeed an environment variable). This effectively renders wrappers useless against this form of attack.

You can test this yourself by creating a file full of some character (say 'x's) of a reasonable length (say 20k long) called 'XTerm' in your home directory (capitals are important). Set the environment variable XAPPLRESDIR to be your home directory (you will only have to do this if it is already pointing somewhere else, or you have set some of the other X resource environment variables like XUSERFILESEARCHPATH), and then run xterm. xterm will then segmentation fault/bus error etc. Either that or compile and run the short C program at the end of this message which does the same thing...

The only solution I can see (until a bug fix comes along) is to chmod u-s every suid file linked against libX11.

Regards,

David

p.s. all the references to Solaris 5.5.1 in my post the other day should of course have been Solaris 2.5.1 (or SunOS 5.5.1).

p.p.s. looks like AUSCERT are putting something together on this so (fingers crossed) there will be vendor patches soon....
-- 
David Hedley (hedley () cs bris ac uk)
finger hedley () cs bris ac uk for PGP key
Computer Graphics Group | University of Bristol | UK

/* crash_xterm.c by DCRH 29/5/97.
 *
 * You may or may not need your DISPLAY set up correctly for this to
 * work - depends on the platform.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
    char *filename, *resdir, *home;
    int i, len;
    FILE *fp;

    home = getenv("HOME");
    if (!home)
        exit(2);
    len = strlen(home);

    /* No buffer overflows here sir! */
    filename = malloc(len + 7);               /* "/XTerm" + NUL */
    sprintf(filename, "%s/XTerm", home);

    resdir = malloc(len + 13);                /* "XAPPLRESDIR=" + NUL */
    sprintf(resdir, "XAPPLRESDIR=%s", home);
    putenv(resdir);

    /* Write a 20000-byte 'XTerm' app-defaults file into $HOME */
    if ((fp = fopen(filename, "w")) == NULL)
        exit(1);
    for (i = 0; i < 20000; i++)
        fputc('x', fp);
    fclose(fp);

    printf("Running xterm....\n");
    fflush(stdout);
    execlp("xterm", "xterm", (char *)NULL);   /* argument list must end in a NULL pointer, not 0 */
    perror("exec failed");
    return 1;
}
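[Editor's note, not part of David Hedley's post.] The following C program is an added model of the point the post makes, that a wrapper which filters argv (or the environment) cannot protect a setuid client when the same parser also consumes a user-supplied app-defaults file. It is not libX11 code and does not reproduce the real GetDatabase bug; the 256-byte buffer (RES_BUF), the function names parse_resource_unsafe, parse_resource_safe, wrapper_argv_ok, write_resource_file and load_app_defaults, and the RESOURCE_MODEL_UNSAFE environment variable are all hypothetical. It goes one step beyond the post by showing where the fix has to live: a length check inside the parser, which covers every resource source at once.

```c
/*
 * resource_sink.c - added editorial example, not libX11 and not the
 * poster's code. Models three resource sources (argv, environment,
 * $XAPPLRESDIR/<Class> file) all feeding one parser, and shows why
 * filtering only argv does nothing for the file path.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RES_BUF        256     /* hypothetical fixed parser buffer size */
#define LINE_MAX_READ  32768   /* bounded read buffer for the file loader */

/* Vulnerable model of a resource parser: copies an untrusted line into a
 * fixed-size stack buffer with no length check. Toy only; never call it on
 * attacker-controlled input. */
static int parse_resource_unsafe(const char *line)
{
    char buf[RES_BUF];
    strcpy(buf, line);             /* smashes the stack once strlen(line) >= RES_BUF */
    return (int)strlen(buf);
}

/* Hardened version: refuse over-long lines before any copy takes place.
 * Because every source goes through here, argv, env and file are all covered. */
static int parse_resource_safe(const char *line)
{
    char buf[RES_BUF];
    size_t n = strlen(line);
    if (n >= sizeof buf)
        return -1;                 /* reject rather than truncate silently */
    memcpy(buf, line, n + 1);
    return (int)n;
}

/* What a typical wrapper does: inspect argv and refuse over-long strings.
 * It never sees the contents of the app-defaults file. */
static int wrapper_argv_ok(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strlen(argv[i]) >= RES_BUF)
            return 0;
    return 1;
}

/* Writes an app-defaults file of `len` 'x' characters plus a newline, the
 * same shape as the crash file the post describes (constructed input). */
static int write_resource_file(const char *path, size_t len)
{
    FILE *fp = fopen(path, "w");
    if (!fp)
        return -1;
    for (size_t i = 0; i < len; i++)
        fputc('x', fp);
    fputc('\n', fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Reads the first line of an app-defaults file (bounded by fgets) and hands
 * it to `parse`, exactly as argv/env resources would be handed over.
 * Returns the parser's result, or -2 if the file cannot be read. */
static int load_app_defaults(const char *path, int (*parse)(const char *))
{
    char *line = malloc(LINE_MAX_READ);
    if (!line)
        return -2;
    FILE *fp = fopen(path, "r");
    if (!fp) {
        free(line);
        return -2;
    }
    int rc = -2;
    if (fgets(line, LINE_MAX_READ, fp)) {
        line[strcspn(line, "\n")] = '\0';
        rc = parse(line);
    }
    fclose(fp);
    free(line);
    return rc;
}

int main(int argc, char **argv)
{
    /* The wrapper is happy with a normal command line... */
    printf("wrapper says argv is %s\n", wrapper_argv_ok(argc, argv) ? "clean" : "dirty");

    /* ...but $XAPPLRESDIR/XTerm is parsed anyway. Set RESOURCE_MODEL_UNSAFE
     * (hypothetical switch) to route the file through the vulnerable model. */
    int (*parse)(const char *) =
        getenv("RESOURCE_MODEL_UNSAFE") ? parse_resource_unsafe : parse_resource_safe;
    const char *resdir = getenv("XAPPLRESDIR");
    if (!resdir)
        resdir = ".";
    char path[4096];
    snprintf(path, sizeof path, "%s/XTerm", resdir);
    int rc = load_app_defaults(path, parse);
    printf("parser result for %s: %d (-1 = rejected over-long line, -2 = unreadable)\n", path, rc);
    return 0;
}
```

Run it once with a short XTerm file and once with a 20000-byte one: the wrapper reports argv as clean both times, and only the parser-side check distinguishes the cases, which is why the post's advice to strip the setuid bit (rather than wrap) is the only interim defence.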
Current thread:
- libX11 overflow continued.... David Hedley (May 29)
- Re: libX11 overflow continued.... Lamont Granquist (May 30)
- Re: libX11 overflow continued.... David Hedley (May 30)
- Re: libX11 overflow continued.... Roman Maeder (May 30)
- Re: libX11 overflow continued.... David Hedley (May 30)
- NIS+, Solaris 2.5.1 Anonymous (May 30)
- Re: NIS+, Solaris 2.5.1 Casper Dik (May 30)
- Re: libX11 overflow continued.... Lamont Granquist (May 30)