Bugtraq mailing list archives

Security Problems in XMCD 2.1


From: davem () iss net (David J. Meltzer)
Date: Tue, 26 Nov 1996 13:06:15 -0500


This is to announce that XMCD 2.1 patchlevel 0 has been released
which fixes all of the issues previously raised by David Meltzer.
It also contains a number of other minor feature and functionality
enhancements.

   I have obtained the 2.1 release of XMCD and through a cursory
examination of the code have uncovered another buffer overflow problem
that appears to be exploitable to gain root access on the system.  I have
not verified that the hole is exploitable, although it definitely exists.
As I stated before, if you remove the suid bit from xmcd, then you do not
have to worry about upgrading other than for the new features that have
been added; whether xmcd can still function without the suid bit
varies depending on your system.
   I have a limited amount of time I can spend in examining source code,
and I apologize I am unable to find every potential hole in programs I
examine.  I can provide no assurance that there are not additional
security holes in xmcd due to the limited nature of my examination of the
code; to provide some level of assurance would take a far more detailed
examination than I simply cannot devote the time to achieve for a
non-critical piece of code such as xmcd.
   The offending line of code is in cdfunc.c in the cd_init() function:
sprintf(titlestr, "%s %d", app_data.main_title, app_data.devnum);
The titlestr is defined to be char titlestr[STR_BUF_SZ].  The string
app_data.main_title is read from the XMcd resource file which will be
read from a user's home directory.  A user can then modify the
XMcd*mainWindowTitle resource to an arbitrary length string.
   Questions regarding XMCD should be sent to the maintainer at
xmcd () amb org.  Questions to CERT regarding this problem should be sent to
cert () cert org referencing INFO#96.25542.

                   Program: xmcd 2.1 (and previous versions)
Affected Operating Systems: All with xmcd installed suid root
              Requirements: account on system
                     Patch: chmod -s xmcd
       Security Compromise: root
               Reported By: David J. Meltzer (davem () iss net)
                  Synopsis: A buffer overflow in the XMcd*mainWindowTitle
                            resource allows a user to overwrite the
                            contents of the stack and execute arbitrary
                            code as root.


<Tue | 12:53> [sn0p:davem] ~ >which xmcd
/usr/X11/bin/xmcd
<Tue | 12:53> [sn0p:davem] ~ >ls -l /usr/X11/bin/xmcd
-rws--x--x   1 root     bin       1048484 Nov 26 12:21 /usr/X11/bin/xmcd
<Tue | 12:53> [sn0p:davem] ~ >echo 'XMcd*mainWindowTitle: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > XMcd
<Tue | 12:54> [sn0p:davem] ~ >xmcd
Segmentation fault
<Tue | 12:54> [sn0p:davem] ~ >

--------------------------------+---------------------
       David J. Meltzer         | Email: davem () iss net
       Systems Engineer         |   Web:   www.iss.net
Internet Security Systems, Inc. |   Fax: (770)395-1972
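The sprintf() line the post identifies, beside a bounded replacement that reports truncation instead of overrunning the stack buffer. This is an added example, not code from the post or from xmcd; STR_BUF_SZ is given an assumed value because the post does not state it, and app_data_t and title_of_length_fits() are stand-ins invented here.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size; the post names STR_BUF_SZ but does not give its value. */
#define STR_BUF_SZ 64

/* Stand-in for the two app_data fields that cd_init() formats. */
struct app_data_t {
    const char *main_title;  /* XMcd*mainWindowTitle, read from $HOME/XMcd */
    int devnum;
};

/* The line the post identifies (kept only as a comment, never called):
 *   sprintf(titlestr, "%s %d", app_data.main_title, app_data.devnum);
 * sprintf knows nothing about the size of titlestr, so a resource value
 * longer than STR_BUF_SZ writes past the end of the stack buffer. */

/* Hardened form: bounded formatting that reports truncation. Returns 0
 * when the whole title fits, -1 when it was cut short; dst is always
 * NUL-terminated. */
int build_title(char *dst, size_t dstsz, const struct app_data_t *ad)
{
    int needed;
    if (dstsz == 0)
        return -1;
    /* snprintf returns the length the full string would have had, not the
     * number of bytes stored, so the check is against dstsz, not dstsz-1. */
    needed = snprintf(dst, dstsz, "%s %d", ad->main_title, ad->devnum);
    if (needed < 0) {
        dst[0] = '\0';
        return -1;
    }
    return ((size_t)needed < dstsz) ? 0 : -1;
}

/* Format a title into a STR_BUF_SZ stack buffer and return build_title's
 * verdict; a constructed title of 'len' A's stands in for the resource. */
int title_of_length_fits(size_t len)
{
    char resource[4 * STR_BUF_SZ + 1];   /* constructed resource value */
    char titlestr[STR_BUF_SZ];
    struct app_data_t ad;
    if (len > sizeof resource - 1)
        len = sizeof resource - 1;
    memset(resource, 'A', len);
    resource[len] = '\0';
    ad.main_title = resource;
    ad.devnum = 0;
    return build_title(titlestr, sizeof titlestr, &ad);
}
```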