Bugtraq mailing list archives
Re: Overflow in xlock
From: hedley () CS BRIS AC UK (David Hedley)
Date: Sun, 27 Apr 1997 14:27:08 +0100
"GS" == George Staikos <staikos () 0wned org> writes:
GS> There appears to be an exploitable buffer overflow in xlock, the
GS> X based screensaver/locker. Xlock is installed suid root on
GS> machines with shadowed passwords. I have verified this on xlock
GS> versions on AIX 4.x and Linux (exploit for Linux posted below),
GS> but I cannot determine what version I was using, as xlock does
GS> not seem to contain version information in the binary and I
GS> don't have the original source. The overflow is in the -name
GS> parameter, and it is fixed in xlockmore-4.01, available on
GS> sunsite in /pub/Linux/X11/screensavers/xlockmore-4.01.tgz .
GS> Other platforms have not been checked for this, and while this
GS> is an older version of xlock, many systems seem to come
GS> preloaded with this version. Also, xlock does not need to be
GS> suid root unless it is running on a machine with shadowed
GS> passwords, so another possible fix it chmod u-s xlock.
I mailed CERT at the beginning of this month about the problem with
xlock (VU#14948). I was going to give them a month or so to get a patch
organised before publishing my exploit (for Solaris 2.5.x). As far as I
know, all platforms shipped with xlock are vulnerable to this problem.
xlockmore-4.02 fixes all these problems, including one minor buffer
overflow present in xlockmore-4.01. It is available as
ftp.x.org:/contrib/applications/xlockmore-4.02.tar.gz
The following is taken from my posting to CERT:
[snip]
I have recently discovered a security hole in xlock which allows existing
users to become root. This hole is present on _all_ versions of xlock in
existence to the best of my knowledge. Including Solaris, Irix (5.3 &
6.2), FreeBSD and any other system which has xlock installed suid root.
The problem lies in xlock trusting various bits of the environment and
its command line arguments. Specifically:
$HOME
$XAPPLRESDIR
$XUSERFILESEARCHPATH
$XFILESEARCHPATH
the classname (specified via the -name parameter)
the mode (specified via the -mode parameter)
To see if you are vulnerable, simply do:
xlock -name xxxxxxxxxxxxxxxxxxxxxxxx <insert lots of x's here>
If xlock crashes with a segmentation fault or similar, then you are
vulnerable.
[snip]
David
--
David Hedley (hedley () cs bris ac uk)
finger hedley () cs bris ac uk for PGP key
Computer Graphics Group | University of Bristol | UK
Current thread:
- CPSN 4-970424: Possible buffer overflow in pop3d Corinne Posse (Apr 26)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d George Staikos (Apr 26)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d Derric Scott (Apr 27)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d J. Joseph Max Katz (Apr 28)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d Johannes Erdfelt (Apr 28)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d Derric Scott (Apr 27)
- Overflow in xlock George Staikos (Apr 26)
- Re: Overflow in xlock David Hedley (Apr 27)
- Re: Overflow in xlock Bollinger (Apr 27)
- Re: Overflow in xlock Andrew G. Morgan (Apr 27)
- Thoughts about DNS... Thomas H. Ptacek (Apr 26)
- Re: Thoughts about DNS... Illuminati Primus (Apr 26)
- Re: Thoughts about DNS... Thomas H. Ptacek (Apr 26)
- Re: Thoughts about DNS... Illuminati Primus (Apr 26)
- Re: Thoughts about DNS... Thomas H. Ptacek (Apr 27)
- BIND ID Brute Force Fix Illuminati Primus (Apr 27)
- Re: Thoughts about DNS... Illuminati Primus (Apr 27)
- Re: Thoughts about DNS... Thomas H. Ptacek (Apr 27)
- Re: Thoughts about DNS... Illuminati Primus (Apr 26)
- Re: CPSN 4-970424: Possible buffer overflow in pop3d George Staikos (Apr 26)