Bugtraq mailing list archives
Re: XFree86 server overflow
From: vpavlov () RILA BG (Valentin Pavlov)
Date: Mon, 17 Apr 2000 12:43:52 +0300
XFree86 4.0.0 does not seem to be vulnerable to this...A look at the sources also proves it. Michal Zalewski wrote:
XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no matter it's setuid, or called from setuid Xwrapper - works in both cases, seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather trivial to exploit :), you'll get beautiful overflow with root privledges in main (Xserver) process... listen to the gdb... Cannot access memory at address 0x41414141. This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6), and: XFCom_i810 Version 1.0.0 / X Window System (protocol Version 11, revision 0, vendor release 6300) Release Date: October 13 1999 Btw. while testing this bug, we have noticed strange behaviour of some drivers. For example, in one case we get kernel oops, just like that (linux 2.2.14, XFree86 3.3.6 XF86_S3V): eip: 41414141 eflags: 00013296 eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009 esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464 Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 :) _______________________________________________________ Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=
Current thread:
- Re: more problems with that POS dansie cart software!, (continued)
- Re: more problems with that POS dansie cart software! Randy Janinda (Apr 14)
- nmh-1.0.4 released Dan Harkless (Apr 14)
- xfs Michal Zalewski (Apr 16)
- StarOffice 5.1 Michal Zalewski (Apr 16)
- XFree86 server overflow Michal Zalewski (Apr 16)
- XFree86 server overflow - exploit issues Michal Zalewski (Apr 16)
- Reappearance of an old IE security bug Ben Mesander (Apr 16)
- Re: Reappearance of an old IE security bug Vladimir Dubrovin (Apr 17)
- Announcing: Solaris Fingerprint Database (sfpDB) on SunSolve Casper Dik (Apr 17)
- Re: XFree86 server overflow Olaf Kirch (Apr 17)
- Re: XFree86 server overflow Valentin Pavlov (Apr 17)
- Microsoft Security Bulletin (MS00-025) Microsoft Product Security (Apr 17)
- Re: XFree86 server overflow Paweł Sakowski (Apr 17)
- RAZOR Analysis of dvwssr.dll Simple Nomad (Apr 17)
- response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Theo de Raadt (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command R. C. Dowdeswell (Apr 17)
- xfs security issues (fwd) Chris Evans (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- RUS-CERT Advisory 200004-01: GNU Emacs 20 RUS-CERT, University of Stuttgart (Apr 18)