Vulnerability Development mailing list archives

Problems with: xcdroast, gatos, xkobo, xbill, iagno, ++


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Wed, 14 Jun 2000 11:58:43 -0700


The author posted this message to BUGTRAQ but failed to determine
whether any of these problems are exploitable. I am forwarding it
to VULN-DEV for discussion. If you find any of these programs
exploitable please forward the information to BUGTRAQ.

Message-ID: <386403378.960655689985.JavaMail.root () web313-mc mail com>
Date: Sat, 10 Jun 2000 12:48:09 -0400 (EDT)
From: teleh0r - <teleh0r () doglover com>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Problems with: xcdroast, gatos, xkobo, xbill, iagno, ++

----------------------------------------------------------------
- A result of too much time - <teleh0r () doglover com> anno 2000 -
----------------------------------------------------------------

xcdroast Version 0.96e
========================

Comes with Mandrake 7.0, (others?) I am not sure about earlier
distributions.

It is installed setuid root. If the setuid bit is removed you
will be told that the program cannot run without root-permissions.

It segfaults constantly.
The xcdroast package contains about 137 strcpy ;-).

[teleh0r@localhost teleh0r]$ export DISPLAY=ABC
[teleh0r@localhost teleh0r]$ xcdroast
Segmentation fault

[teleh0r@localhost teleh0r]$ xcdroast -display X
Segmentation fault

Description:

X-CD-Roast provides a GUI
interface for commands like cdrecord and mkisofs. X-CD-Roast includes a
self-explanatory X11 user interface, automatic SCSI and IDE hardware
setup, support for mastering of new ISO9660 data CDs, support for
production of new audio CDs, fast copying of CDs without hard disk
buffering, and a logfile option.

gatos Version 0.0.5_pre
=========================

Comes with Mandrake 7.0, (others?) I am not sure about earlier
distributions.

Description:
GATOS (General ATI TV and Overlay Software): ATI-TV for GNU/Linux.
See http://cvs.core.binghamton.edu/~insomnia/gatos/ for
full information.

[teleh0r@localhost teleh0r]$ atitv -c 31337
Shared memory segment exists - opening as client
Stale lock on WRITE_BUFFER
GATOS: No ATI PCI/AGP Cards ?
GATOS: gatos_inita(): Invalid argument
Segmentation fault
[teleh0r@localhost teleh0r]$

xkobo Version 1.11
====================

Comes with Mandrake 7.0, (others?) I am not sure about earlier
distributions.

Description:
Xkobo is an arcade video game for X11. The goal is to
destroy the enemy bases. But the enemy will fire at
you and send fighter spacecrafts to get you. You'll
have hours and hours of fun with this game.

[teleh0r@localhost teleh0r]$ xkobo -display
Segmentation fault
[teleh0r@localhost teleh0r]$

xbill Version 2.0
===================

Comes with a lot of different distributions. Great game!

[teleh0r@localhost teleh0r]$ xbill -L `perl -e '{print "1"x"10000"}'`
Segmentation fault
[teleh0r@localhost teleh0r]$

Gnome iagno 1.0.51
====================

Comes with Mandrake 7.0, (others?) I am not sure about earlier
distributions.

[teleh0r@localhost teleh0r]$ ls -la /usr/bin/iagno
-r-xr-s--x    1 root     games       48316 Feb 10  2000 /usr/bin/iagno*

[teleh0r@localhost bin]$ ./iagno --ior `perl -e '{print "x"x"10000"}'`
(Try it...)

-------------------------------------------------------------------------

Ah, two more things.

There seems to be a buffer overflow in the /usr/X11R6/lib/libX11.so.6
library.
export DISPLAY=:000000000000000000... (a few more of those)
<run an X-based program>

isdn-config on Redhat 6.2 (great utility, btw) stores passwords in
plain text in /etc/sysconfig/provider/conf-foobar

Of course, only root can read it, but if there were to be a new
root-exploit... I think it has happened in the past?

Seriously, passwords should NEVER be stored in plain text - it should be
known by now.

...to be paranoid is just to accept the truth...
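
The inputs shown in the post are an option with no value (xkobo -display), a display name without a colon (DISPLAY=ABC, -display X) and an over-long string (DISPLAY=:0000...). The following C is an added example, not code from the post or from any of the programs it names: it validates an X display name of the usual host:display.screen form into bounded storage before anything copies it. The function names, DISPLAY_MAX and the 65535 field limit are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 128  /* assumed cap on the whole string (example value) */

/* Unchecked copy, the pattern counted in the post; kept for contrast, never called. */
void copy_unchecked(char *dst, const char *src) { strcpy(dst, src); }

/* Parse one decimal field; on success *end points just past the digits. */
static int parse_field(const char *s, const char **end, int *out)
{
    char *stop;
    unsigned long v;

    if (*s < '0' || *s > '9') return -1;   /* empty, signed, or non-numeric */
    errno = 0;
    v = strtoul(s, &stop, 10);
    if (errno != 0 || v > 65535UL) return -1;
    *out = (int)v;
    *end = stop;
    return 0;
}

/* Validate "host:display[.screen]" into caller-owned storage.
 * Returns 0 on success, -1 on malformed input. */
int parse_display(const char *name, char *host, size_t hostsz,
                  int *display, int *screen)
{
    const char *colon, *p;
    size_t hlen;

    if (name == NULL || host == NULL || hostsz == 0) return -1; /* option with no value */
    if (strlen(name) >= DISPLAY_MAX) return -1;                 /* over-long string */
    colon = strrchr(name, ':');
    if (colon == NULL) return -1;                               /* e.g. "ABC" or "X" */
    hlen = (size_t)(colon - name);
    if (hlen >= hostsz) return -1;                              /* host will not fit */
    memcpy(host, name, hlen);
    host[hlen] = '\0';
    *screen = 0;
    if (parse_field(colon + 1, &p, display) != 0) return -1;
    if (*p == '.' && parse_field(p + 1, &p, screen) != 0) return -1;
    return *p == '\0' ? 0 : -1;                                 /* no trailing junk */
}
```

A setuid or setgid program would call parse_display() on both getenv("DISPLAY") and the -display argument and exit on -1, before handing the string to any library.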