Bugtraq mailing list archives
Security Problems in XMCD 2.1
From: davem () iss net (David J. Meltzer)
Date: Tue, 26 Nov 1996 13:06:15 -0500
This is to announce that XMCD 2.1 patchlevel 0 has been released which fixes all of the issues previously raised by David Meltzer. It also contains a number of other minor feature and functionality enhancements.
I have obtained the 2.1 release of XMCD and through a cursory examination of the code have uncovered another buffer overflow problem that appears to be exploitable to gain root access on the system. I have not verified that the hole is exploitable, although it definitely exists.

As I stated before, if you remove the suid bit from xmcd, then you do not have to worry about upgrading other than for the new features that have been added; whether xmcd can still function without the suid bit varies depending on your system.

I have a limited amount of time I can spend examining source code, and I apologize that I am unable to find every potential hole in programs I examine. I can provide no assurance that there are not additional security holes in xmcd due to the limited nature of my examination of the code; to provide some level of assurance would take a far more detailed examination that I simply cannot devote the time to achieve for a non-critical piece of code such as xmcd.

The offending line of code is in cdfunc.c in the cd_init() function:

    sprintf(titlestr, "%s %d", app_data.main_title, app_data.devnum);

titlestr is defined as char titlestr[STR_BUF_SZ]. The string app_data.main_title is read from the XMcd resource file, which will be read from a user's home directory. A user can then modify the XMcd*mainWindowTitle resource to an arbitrary length string.

Questions regarding XMCD should be sent to the maintainer at xmcd () amb org. Questions to CERT regarding this problem should be sent to cert () cert org referencing INFO#96.25542.

Program: xmcd 2.1 (and previous versions)
Affected Operating Systems: All with xmcd installed suid root
Requirements: account on system
Patch: chmod -s xmcd
Security Compromise: root
Reported By: David J. Meltzer (davem () iss net)
Synopsis: A buffer overflow in the XMcd*mainWindowTitle resource allows a user to overwrite the contents of the stack and execute arbitrary code as root.
    <Tue | 12:53> [sn0p:davem] ~ >which xmcd
    /usr/X11/bin/xmcd
    <Tue | 12:53> [sn0p:davem] ~ >ls -l /usr/X11/bin/xmcd
    -rws--x--x 1 root bin 1048484 Nov 26 12:21 /usr/X11/bin/xmcd
    <Tue | 12:53> [sn0p:davem] ~ >echo 'XMcd*mainWindowTitle: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > XMcd
    <Tue | 12:54> [sn0p:davem] ~ >xmcd
    Segmentation fault
    <Tue | 12:54> [sn0p:davem] ~ >

--------------------------------+---------------------
David J. Meltzer                | Email: davem () iss net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (770)395-1972
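The sprintf() call the post identifies, shown beside a bounded replacement that reports truncation instead of writing past the buffer. This is an added C example, not xmcd's code: the STR_BUF_SZ value and the app_data struct layout are assumptions for the demo.

```c
/* Added example, not xmcd's source.  STR_BUF_SZ is an assumed size for this
 * demo; xmcd's real constant may differ. */
#include <stdio.h>
#include <string.h>

#define STR_BUF_SZ 64   /* assumption for the demo, not xmcd's value */

/* Hypothetical struct mirroring the two fields the post names. */
struct app_data_t {
    const char *main_title;   /* XMcd*mainWindowTitle, from the user's resource file */
    int         devnum;
};

/* Bytes the original sprintf(titlestr, "%s %d", ...) would write, NUL included.
 * snprintf(NULL, 0, ...) only measures the output; nothing is written. */
size_t title_bytes_needed(const struct app_data_t *ad)
{
    return (size_t)snprintf(NULL, 0, "%s %d", ad->main_title, ad->devnum) + 1;
}

/* 1 if the unbounded sprintf() into char titlestr[STR_BUF_SZ] would overflow. */
int title_would_overflow(const struct app_data_t *ad)
{
    return title_bytes_needed(ad) > STR_BUF_SZ;
}

/* Hardened form of the cd_init() line: bounded write, truncation reported.
 * Returns 1 when the title fit, 0 when it was truncated or formatting failed. */
int cd_init_title(const struct app_data_t *ad, char *titlestr, size_t bufsz)
{
    int n = snprintf(titlestr, bufsz, "%s %d", ad->main_title, ad->devnum);
    if (n < 0) { titlestr[0] = '\0'; return 0; }
    return (size_t)n < bufsz;   /* n counts chars excluding the NUL */
}

int main(void)
{
    /* Constructed input: the overlong title from the session in the post. */
    struct app_data_t ad = {
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 0 };
    char titlestr[STR_BUF_SZ];
    printf("sprintf would overflow: %s\n", title_would_overflow(&ad) ? "yes" : "no");
    printf("bounded write fit: %s\n", cd_init_title(&ad, titlestr, sizeof titlestr) ? "yes" : "no");
    return 0;
}
```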