Bugtraq mailing list archives
Re: XFree86 server overflow
From: okir () CALDERA DE (Olaf Kirch)
Date: Mon, 17 Apr 2000 10:52:40 +0200
On Sun, Apr 16, 2000 at 06:54:41PM +0200, Michal Zalewski wrote:
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
> matter it's setuid, or called from setuid Xwrapper - works in both cases,
> seems to me Xwrapper in default RH 6.x distro is rather dumb ;)

I don't know what Redhat uses for their Xwrapper, but here's the code from
vanilla XFree3.3.6 (xc/programs/Xserver/os/wrapper.c), slightly paraphrased:

    #define MAX_ARG_LENGTH 128

    if (!bad && geteuid() == 0 && getuid() != geteuid()) {
        for (i = 1; i < argc; i++) {
            ...
            if (strlen(argv[i]) > MAX_ARG_LENGTH) {
                bad = ArgTooLong;
                break;
            }
            ...
        }
    }

It appears that this vulnerability requires you to have uid 0 in order
to exploit it...

Olaf

PS: The current XFree4.0 snapshot comes without Xwrapper, supposedly
because it Does Things Right[TM].

--
Olaf Kirch            |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
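
Added example, not part of the original message and not XFree86 code: the gating condition and length comparison from the quoted wrapper.c snippet, wrapped in a function so each invocation context can be exercised. The uid parameters, the demo() helper and the ArgOK/ArgNotChecked values are assumptions of this example; the input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_ARG_LENGTH 128            /* limit quoted in the message */

/* ArgTooLong is the name used in the message; the other two values are
 * hypothetical, added so the skipped case is visible to the caller. */
enum arg_status { ArgOK, ArgTooLong, ArgNotChecked };

/* Same condition and comparison as the quoted snippet. The uids are
 * parameters (an assumption of this example) so every case can be run
 * without a setuid binary. */
enum arg_status check_args(int argc, char **argv, uid_t ruid, uid_t euid)
{
    int i;

    if (!(euid == 0 && ruid != euid))
        return ArgNotChecked;         /* not a setuid-root invocation */
    for (i = 1; i < argc; i++)
        if (strlen(argv[i]) > MAX_ARG_LENGTH)
            return ArgTooLong;
    return ArgOK;
}

/* Constructed input: argv with one argument of `len` filler bytes. */
enum arg_status demo(uid_t ruid, uid_t euid, size_t len)
{
    static char prog[] = "X";
    static char arg[512];
    char *argv[3];

    if (len >= sizeof arg)
        len = sizeof arg - 1;
    memset(arg, 'a', len);
    arg[len] = '\0';
    argv[0] = prog; argv[1] = arg; argv[2] = NULL;
    return check_args(2, argv, ruid, euid);
}

int main(void)
{
    printf("uid 1000, euid 0, 128 bytes: %d\n", demo(1000, 0, 128));
    printf("uid 1000, euid 0, 129 bytes: %d\n", demo(1000, 0, 129));
    printf("uid 0, euid 0, 129 bytes: %d\n", demo(0, 0, 129));
    printf("uid 1000, euid 1000, 129 bytes: %d\n", demo(1000, 1000, 129));
    return 0;
}
```

The limit is applied only when a non-root user runs the setuid-root wrapper; when the real uid is already 0, or the binary is not running with euid 0, the length check is skipped.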