Bugtraq mailing list archives
Re: Xserver stack smashed -- wrapper
From: crosby () QWE0 MATH CMU EDU (Scott A Crosby)
Date: Thu, 15 Jan 1998 02:46:36 -0500
On Wed, 14 Jan 1998, Cotfas Vladimir-Marian wrote: [snip]
Here's a wrapper for this bug and for the older XF86 security vulnerability (i.e. XF86_XX -config /etc/shadow) Vladimir ----------------------------cut from here------------------------------- /* Description: X server wrapper Goals: 1. wrap the "-config" security vulnerabillity 2. wrap the :000000000000...00000000000000009 potential buffer overflow
I would add in a check for a singular arg > some maximum length: It would also be a good idea to clean the environment before invoking the Xserver. (left as an excercise for the reader) Scott Crosby ----------------------------cut from here------------------------------- --- x1.c Thu Jan 15 02:25:26 1998 +++ x2.c Thu Jan 15 02:40:59 1998 @@ -39,6 +39,7 @@ */ #define _DEBUG #define SIZE 1024 +#define MAX_LEN 240 /* guaranteed filled with NULLs by UNIX */ char* args[SIZE]; @@ -75,6 +76,11 @@ syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n", i, pass->pw_name); i++; + continue; + } + if(strlen(argv[i]) >= MAX_LEN){ + syslog(LOG_NOTICE, "too long arg at #%d user %s \n", i, pass->pw_name); + i++; continue; } if(argsCount >= SIZE){
Current thread:
- Re: Xserver stack smashed -- wrapper Cotfas Vladimir-Marian (Jan 14)
- Re: Xserver stack smashed -- wrapper Scott A Crosby (Jan 14)
- <Possible follow-ups>
- Re: Xserver stack smashed -- wrapper John Goerzen (Jan 14)