
Bug in libXcursor , is it exploitable?


From: gr00vy <groovy2600 () yahoo com ar>
Date: 08 Nov 2003 22:23:35 -0300

INTRO:
------------------------------------------------------------------
An off-by-one bug in libXcursor that shows up when $HOME does not start
with a '/'.

THE QUESTION:
------------------------------------------------------------------
Could this bug compromise a system? In what cases?

TEST:
------------------------------------------------------------------
root@zencracking:/root# HOME=%n%n%n%n%n%n
root@zencracking:/root# xterm << not necessarily xterm; any program
that uses libXcursor will crash with SIGSEGV
Segmentation fault
root@zencracking:/root# gdb xterm
(gdb) r
Starting program: /root/xterm-181/xterm

Program received signal SIGSEGV, Segmentation fault.
0x4026e5bd in _int_malloc () from /lib/libc.so.6
(gdb) bt
#0  0x4026e5bd in _int_malloc () from /lib/libc.so.6
#1  0x4026d6b5 in malloc () from /lib/libc.so.6
#2  0x4025c003 in __fopen_internal () from /lib/libc.so.6
#3  0x4025c0ce in fopen@@GLIBC_2.1 () from /lib/libc.so.6
#4  0x4001e47a in XcursorFilenameSave () from
/usr/X11R6/lib/libXcursor.so.1
#5  0x4001e616 in XcursorLibraryLoadImages () from
/usr/X11R6/lib/libXcursor.so.1
#6  0x4001e824 in XcursorShapeLoadImages () from
/usr/X11R6/lib/libXcursor.so.1
#7  0x4001eb6e in XcursorTryShapeCursor () from
/usr/X11R6/lib/libXcursor.so.1
#8  0x4012d628 in _XTryShapeCursor () from usr/X11R6/lib/libX11.so.6
#9  0x4012d9e9 in XCreateGlyphCursor () from usr/X11R6/lib/libX11.so.6
#10 0x4012de59 in XCreateFontCursor () from usr/X11R6/lib/libX11.so.6
#11 0x0805f3ce in make_colored_cursor (cursorindex=68, fg=0,
bg=16777215) at misc.c:216
#12 0x0805b578 in get_terminal () at main.c:2467
#13 0x0805b019 in main (argc=0, argv=0xbffff9e8) at main.c:2111
#14 0x4020dbb4 in __libc_start_main () from /lib/libc.so.6
(gdb) i r
eax            0x808e780        134801280
ecx            0x40327300       1077048064
edx            0x40327354       1077048148
ebx            0x40326234       1077043764
esp            0xbffff650       0xbffff650
ebp            0xbffff688       0xbffff688
esi            0x0      0
edi            0x0      0
eip            0x4026e5bd       0x4026e5bd
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1

Regards

THE FIX BY David Dawes <dawes () x-oz com>:
-----------------------------------------------------------

Index: xc/lib/Xcursor/library.c
===================================================================
RCS file: /home/x-cvs/xc/lib/Xcursor/library.c,v
retrieving revision 1.2
diff -u -r1.2 library.c
--- library.c   26 Jan 2003 03:22:42 -0000      1.2
+++ library.c   7 Nov 2003 17:48:21 -0000
@@ -101,6 +101,9 @@
        if (!home)
            return 0;
        homelen = strlen (home);
+       /* A '/' gets prepended if $HOME doesn't start with one. */
+       if (home[0] != '/')
+           homelen++;
        dir++;
        dirlen--;
     }
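Review bot: The increment on `homelen` only corrects the size used for the path buffer, while the code that actually writes the prepended '/' lies outside this hunk, so two separate places must now agree on the same `home[0] != '/'` test; the enclosing function starts before and ends after the hunk. Hoisting the test into one local shared by the length computation and the copy would keep them from drifting apart again, e.g. `int need_slash = (home[0] != '/');` followed by `homelen = strlen (home) + need_slash;`. An empty `$HOME` (`home[0] == '\0'`) also takes the increment, which appears consistent with the copy still emitting the '/', but that case deserves a word in the comment, e.g. `/* A '/' gets prepended if $HOME doesn't start with one (including an empty $HOME). */`.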

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)
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=
=LiOi
-----END PGP PUBLIC KEY BLOCK-----

