Bugtraq mailing list archives
Re: Vulnerability in the Xt library
From: mcn () remise ORG (Mike Neuman)
Date: Wed, 28 Aug 1996 00:05:53 -0600
> There exists at least one vulnerability in the Xt library caused by a buffer overrun that allows arbitrary code to be executed. The vulnerability has been confirmed under FreeBSD, Solaris, and as far as we can tell every single other OS running all revisions of X11.
Are you talking about Solaris X86? I don't think Sparc Solaris (or SunOS) is vulnerable to this particular attack (out of sheer luck, not out of any great defensive programming skills on the part of SUN/X Consortium).

The "problem" with this exploit is the following... (taken from x11r6.1 src)

_XtDefaultWarningMsg() is defined as follows:

    void _XtDefaultWarningMsg (lots of params...)
    {
        char buffer[1000], message[1000];
        ...
        sprintf(message, buffer, ...);
        ...
    }

Both Sun's compiler and gcc allocate the stack as follows:

    %fp - 2008 == message
    %fp - 1008 == buffer

At the call to sprintf(), 'buffer' contains something like "Invalid color: %s\0", and 'message' is the thing we're going to overflow. If we overflow 'message' to overwrite the return addr, we *ALSO* overwrite 'buffer'. As a result, the formatting string for sprintf is completely obliterated, which forces _doprnt() to segfault (as there's no termination for its formatting string).

The only way to exploit this is if we could somehow stick a '\0' in the middle of 'buffer'. Unfortunately, in order to load the exploit on the command line, the executable stuff needs to be devoid of nulls, which rules this out. Is there another possibility? _doprnt will *ONLY* stop writing to 'message' if 'buffer' contains a NULL.

Unless I'm missing something, I'd assert that this particular vulnerability (the xterm -fg overflow, or *ANY* buffer overflow that tickles the _XtDefaultWarningMsg() sprintf) doesn't work on any machine where the stack grows downward.

(Don't take this as though I'm arguing not to fix the bug, I've just been interested in how these things are exploited as of late. Alternatively, if you're looking for humor, I'll simply take the advisory format/style of r00t):

--
Fixes?
Downgrade from X11 to something so old that it's obnoxious (like Sunview). If that's not a viable option for you, only use systems where the stack grows downward. :-)

-Mike
mcn () EnGarde com
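The frame layout and the runaway sprintf() described in the message above, as an added example that is not part of the original post or of the X11 sources: a C simulation of a frame in which message sits directly below buffer, with a toy %s-only formatter standing in for _doprnt(). The amount of stack above buffer, the slot chosen for the return address, and the saved value 0xdeadbeef are assumptions made for illustration; the one property carried over from the post is that message[1000] aliases buffer[0]. The example also goes one step further than the post by scanning every NUL-free argument length to see whether any of them both overwrites the return slot and lets the formatter finish.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ     1000   /* char buffer[1000], message[1000] in the post */
#define SAVE_SZ    8      /* assumed: saved frame pointer + return address */
#define CALLER_SZ  512    /* assumed: slice of the caller's frame above it */
#define FRAME_SZ   (2 * BUF_SZ + SAVE_SZ + CALLER_SZ)

/* Offsets into the simulated stack, lowest address first.  This matches
 * "%fp - 2008 == message, %fp - 1008 == buffer": message sits directly
 * below buffer, so message[1000] aliases buffer[0]. */
#define OFF_MESSAGE 0
#define OFF_BUFFER  BUF_SZ
#define OFF_RET     (2 * BUF_SZ + 4)   /* assumed slot of the return addr */

struct result {
    int faulted;          /* formatter ran off the simulated stack       */
    int ret_clobbered;    /* bytes at OFF_RET differ from the saved value */
    size_t written;       /* bytes the formatter stored into the frame    */
};

/* Stand-in for sprintf(message, buffer, arg) with a toy _doprnt that only
 * understands literal bytes and "%s".  It reads the format out of the
 * simulated frame, so an overflow of message into buffer is seen by the
 * format scanner exactly as the post describes. */
static struct result sim_warning_msg(const char *arg)
{
    static unsigned char stack[FRAME_SZ];
    const unsigned char saved_ret[4] = { 0xde, 0xad, 0xbe, 0xef }; /* assumed */
    struct result r = { 0, 0, 0 };
    size_t rd = OFF_BUFFER, wr = OFF_MESSAGE;

    memset(stack, 0, sizeof stack);
    memcpy(stack + OFF_RET, saved_ret, sizeof saved_ret);
    strcpy((char *)stack + OFF_BUFFER, "Invalid color: %s");

    for (;;) {
        if (rd >= FRAME_SZ || wr >= FRAME_SZ) { r.faulted = 1; break; }
        unsigned char c = stack[rd];
        if (c == '\0') { stack[wr] = '\0'; break; }   /* format terminated */
        if (c == '%' && rd + 1 < FRAME_SZ && stack[rd + 1] == 's') {
            rd += 2;                                   /* %s: copy the arg */
            for (const char *p = arg; *p != '\0'; p++) {
                if (wr >= FRAME_SZ) { r.faulted = 1; goto done; }
                stack[wr++] = (unsigned char)*p;
                r.written++;
            }
            continue;
        }
        stack[wr++] = c;                               /* literal byte */
        r.written++;
        rd++;
    }
done:
    r.ret_clobbered = memcmp(stack + OFF_RET, saved_ret, sizeof saved_ret) != 0;
    return r;
}

/* Run the simulation with a NUL-free argument of `len` 'A' bytes, i.e. the
 * kind of string that can actually be passed on a command line. */
static struct result sim_with_a_run(size_t len)
{
    struct result r = { 1, 0, 0 };          /* reported as a fault if OOM */
    char *arg = malloc(len + 1);
    if (arg == NULL) return r;
    memset(arg, 'A', len);
    arg[len] = '\0';
    r = sim_warning_msg(arg);
    free(arg);
    return r;
}

/* Is there any argument length up to max_len that overwrites the return
 * address and still lets the formatter finish?  That is what an exploit
 * needs: control of the return slot *and* a normal return from sprintf. */
static int exploitable_length_exists(size_t max_len)
{
    for (size_t len = 1; len <= max_len; len++) {
        struct result r = sim_with_a_run(len);
        if (r.ret_clobbered && !r.faulted) return 1;
    }
    return 0;
}

int main(void)
{
    struct result ok = sim_with_a_run(500), bad = sim_with_a_run(2100);
    printf("  500-byte arg: faulted=%d ret_clobbered=%d written=%zu\n",
           ok.faulted, ok.ret_clobbered, ok.written);
    printf(" 2100-byte arg: faulted=%d ret_clobbered=%d written=%zu\n",
           bad.faulted, bad.ret_clobbered, bad.written);
    printf("length that clobbers ret and returns cleanly: %s\n",
           exploitable_length_exists(2600) ? "found" : "none");
    return 0;
}
```

Once the argument is long enough to cover the format's terminating NUL (1003 bytes in this simulation: the 15-byte "Invalid color: " prefix plus the 18-byte format), the scanner is reading bytes that the %s copy has just written, and because a command-line string cannot contain a NUL it never finds one and walks off the frame; any shorter argument stops well short of the return slot. The exhaustive scan therefore reports no length that both clobbers the return address and returns cleanly. The simulation fixes the layout the post reports (message below buffer); with the two locals in the other order the overflow would reach the return slot without passing through the format string, so the result is specific to that layout.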