Bugtraq mailing list archives

XFree86 server overflow - exploit issues


From: lcamtuf () TPI PL (Michal Zalewski)
Date: Sun, 16 Apr 2000 19:45:59 +0200


While trying to exploit this overflow, I noticed that the problem lies in a
_lovely_ strcpy() call, which overwrites the stack. Unfortunately, any
'offending' non-alphanumeric characters are replaced with '_' somewhere
before. Uh, most people will say "it's impossible to write alphanumeric
shellcode, so it is not exploitable". That's not true. Please take note:
we don't have to put shellcode there. It might be present anywhere, e.g. as
any other parameter, read from some user-specified file, or it might not
even be present at all (please refer to articles on defeating non-executable
stacks). All we need is to modify some ptr (and we don't have to modify the
whole address, maybe only one byte) on the stack, or alter some variable -
the X server is a pretty complex creature and we have a wonderful playfield
here. I strongly believe it's exploitable for an average code hacker within
an hour or so. Please think twice before assuming it is not - because for
sure it is _worth_ an exploit :) We're currently working on it, but it
probably isn't the best idea to post it to the public (script kitties ;).

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
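The defect pattern the post describes, shown as an added C example that is not from the post and not XFree86 code: an input has its non-alphanumeric bytes replaced with '_' and is then copied into a fixed-size stack buffer with strcpy(). The filter constrains which bytes land on the stack but never checks how many, which is the author's point. The hardened form beside it rejects any input that does not fit. The function names, NAME_MAX and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example; NAME_MAX is an assumed buffer size, not a value from
 * the XFree86 source. */
#define NAME_MAX 32

/* Replace every byte outside [A-Za-z0-9] with '_', in place. This is the
 * kind of filtering the post says happens "somewhere before" the copy: it
 * restricts the alphabet of what reaches the buffer, not its length. */
void sanitize_alnum(char *s)
{
    for (; *s; s++) {
        if (!isalnum((unsigned char)*s))
            *s = '_';
    }
}

/* The unsafe shape the post describes: filter, then an unbounded strcpy()
 * into a fixed-size stack buffer. Nothing bounds strlen(name), so an input
 * of NAME_MAX bytes or more still runs past buf; only its bytes are
 * constrained. Kept here as the "before" picture; main() never calls it
 * with over-long input. */
void handle_name_unsafe(char *name)
{
    char buf[NAME_MAX];
    sanitize_alnum(name);
    strcpy(buf, name);          /* no bound: this is the overflow */
    printf("unsafe path: %s\n", buf);
}

/* Hardened form: refuse anything that does not fit, rather than copying
 * blind or truncating silently. Returns false on rejection and leaves dst
 * untouched; on success dst holds the sanitized, NUL-terminated name. */
bool copy_name_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)   /* need room for the terminator too */
        return false;
    memcpy(dst, src, n + 1);
    sanitize_alnum(dst);
    return true;
}

int main(void)
{
    char buf[NAME_MAX];
    char short_name[] = "hello world!";            /* constructed input */
    /* constructed over-long input: 40 bytes, more than NAME_MAX */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    handle_name_unsafe(short_name);                 /* fits, so no overflow here */

    printf("%s\n", copy_name_bounded(buf, sizeof buf, "hello world!")
                       ? buf : "rejected");
    printf("%zu bytes -> %s\n", strlen(too_long),
           copy_name_bounded(buf, sizeof buf, too_long) ? buf : "rejected");
    return 0;
}
```

The bounded version keys its check on the destination size, not on what the filter lets through, so the decision to reject is made before any byte is written. Rejecting outright instead of truncating also keeps a shortened name from being silently accepted as a different identifier.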

