Bugtraq mailing list archives

Re: Vulnerability in the Xt library

From: mcn () remise ORG (Mike Neuman)
Date: Wed, 28 Aug 1996 00:05:53 -0600

There exists at least one vulnerability in the Xt library caused by a buffer
overrun that allows arbitrary code to be executed. The vulnerability has
been confirmed under FreeBSD, Solaris, and as far as we can tell every
single other OS running all revisions of X11.


  Are you talking about Solaris X86? I don't think Sparc Solaris (or SunOS)
is vulnerable to this particular attack (out of sheer luck, not out of any
great defensive programming skills on the part of SUN/X Consortium).

  The "problem" with this exploit is the following... (taken from x11r6.1 src)

  _XtDefaultWarningMsg() is defined as follows:

void _XtDefaultWarningMsg (lots of params...)
{
    char buffer[1000], message[1000];
    ...
    sprintf(message, buffer, ...);
    ...
}

  Both Sun's compiler and gcc allocate the stack as follows:

  %fp - 2008  == message
  %fp - 1008  == buffer

  At the call to sprintf(), 'buffer' contains something like
"Invalid color: %s\0", and 'message' is the thing we're going to overflow.

  If we overflow 'message' to overwrite the return addr, we *ALSO* overwrite
'buffer'. As a result, the formatting string for sprintf is completely
obliterated, which forces _doprnt() to segfault (as there's no termination
for its formatting string).

  The only way to exploit this is if we could somehow stick a '\0' in the
middle of 'buffer'. Unfortunately, in order to load the exploit on the
command line, the executable stuff needs to be devoid of nulls, which rules
this out.

  Is there another possibility? _doprint will *ONLY* stop writing to 'message'
if 'buffer' contains a NULL.

  Unless I'm missing something, I'd assert that this particular vulnerability
(the xterm -fg overflow, or *ANY* buffer overflow that tickles the
_XtDefaultMsg() sprintf) doesn't work on any machine where the stack grows
downward.

  (Don't take this as though I'm arguing not to fix the bug, I've just been
interested in how these things are exploited as of late. Alternatively, if
you're looking for humor, I'll simply take the advisory format/style of
r00t):

-- Fixes?

Downgrade from X11 to something so old that it's obnoxious (like Sunview).
If that's not a viable option for you, only use systems where the stack
grows downward.

 :-)

-Mike
mcn () EnGarde com

Current thread:

Re: BUG in /bin/bash, (continued)
- Re: BUG in /bin/bash Red Barchetta (Aug 22)
  - Re: BUG in /bin/bash The Ghost who Admins (Aug 22)
  - Re: BUG in /bin/bash Digital Dreamer (Aug 22)
  - Re: BUG in /bin/bash Earle Ake (Aug 22)
  - IE 3.0? InterAccess Support Manager (Aug 22)
    - Re: IE 3.0? Dave Andersen (Aug 23)
    - More on the UnixWare problem Todd Vierling (Aug 23)
    - resolv+ and finger... C. Hodges (Aug 23)
    - Vulnerability in the Xt library Aleph One (Aug 24)
    - Re: Vulnerability in the Xt library Stefan `Sec` Zehl (Aug 25)
    - Re: Vulnerability in the Xt library Mike Neuman (Aug 27)
    - Re: Vulnerability in the Xt library Casper Dik (Aug 28)
    - Re: Vulnerability in the Xt library Mike Neuman (Aug 28)
    - RFD: libsuid VaX#n8 (Aug 24)
    - More on UnixWare 2.x vulnerability Todd Vierling (Aug 24)
    - Re: (WORKAROUND) More on UnixWare 2.x vulnerability Hannu Laurila (Aug 24)
    - polyglots (multi-language programs) John Nemeth (Aug 24)
  - Re: BUG in /bin/bash Arthur Hyun (Aug 22)
  - Re: BUG in /bin/bash Brian Clapper (Aug 23)