Bugtraq mailing list archives
XFree86 server overflow - exploit issues
From: lcamtuf () TPI PL (Michal Zalewski)
Date: Sun, 16 Apr 2000 19:45:59 +0200
While trying to exploit this overflow, I noticed that the problem lies in a _lovely_ strcpy() call, which overwrites the stack. Unfortunately, any 'offending' non-alphanumeric characters are replaced with '_' somewhere before. Uh, most people will say "it's impossible to write alphanumeric shellcode, so it is not exploitable". That's not true.

Please take note: we don't have to put shellcode there. It might be present anywhere, e.g. as any other parameter, read from some user-specified file, or it might not even be present at all (please refer to articles on defeating non-executable stacks). All we need is to modify some ptr on the stack (and we don't have to modify the whole address, maybe only one byte), or alter some variable - the X server is a pretty complex creature and we have a wonderful playfield here.

I strongly believe it's exploitable for an average code hacker within an hour or so. Please think twice before assuming it is not - because for sure it is _worth_ an exploit :) We're currently working on it, but it probably isn't the best idea to post it for the public (script kitties ;).

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
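An added illustration of the point the post makes (this is editor-written example code, not Zalewski's exploit and not XFree86 code): a filter that turns every non-alphanumeric byte into '_' does not stop an overflow from being useful, because the attacker still controls what lands on the stack byte by byte and strcpy() appends a NUL of its own. The model below is constructed: the "frame" is a flat array holding an 8-byte name buffer immediately followed by a char * (assumes a little-endian machine, so the byte just past the buffer is the pointer's least significant byte), and the pointed-to data lives in a 64 KiB-aligned region so that a one-byte partial overwrite lands inside a valid object rather than in unmapped memory. The names `vulnerable_copy`, `byte_reaches_stack`, `demo` and the two record strings are invented for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 8u
#define REGION   65536u   /* 64 KiB, 64 KiB-aligned: low 16 bits of its address are 0 */

/* Which byte values an attacker can place through the filter the post
   describes: anything alphanumeric survives, everything else becomes '_'
   (0x5f). On top of that, strcpy() appends exactly one 0x00. */
int byte_reaches_stack(unsigned char b)
{
    return isalnum(b) || b == '_';
}

/* Constructed model of the frame: name buffer, then a char * right after it.
   Kept as one flat array so the overrun stays inside a single object and the
   demonstration is well-defined C. (Assumption: little-endian byte order.) */
struct frame {
    unsigned char bytes[NAME_LEN + sizeof(char *)];
};

static void set_ptr(struct frame *f, const char *p)
{
    memcpy(f->bytes + NAME_LEN, &p, sizeof p);
}

static const char *get_ptr(const struct frame *f)
{
    const char *p;
    memcpy(&p, f->bytes + NAME_LEN, sizeof p);
    return p;
}

/* The vulnerable path, deliberately wrong: sanitize to alphanumerics, then an
   unbounded strcpy()-style copy (data plus terminating NUL) into the 8-byte
   name field. The only bound applied is to keep the model itself in bounds. */
void vulnerable_copy(struct frame *f, const char *input)
{
    char tmp[64];
    snprintf(tmp, sizeof tmp, "%s", input);
    for (char *s = tmp; *s; s++)
        if (!isalnum((unsigned char)*s))
            *s = '_';

    size_t n = strlen(tmp) + 1;                    /* strcpy copies the NUL too */
    if (n > sizeof f->bytes) n = sizeof f->bytes;
    memcpy(f->bytes, tmp, n);                      /* overruns into the pointer */
}

/* Constructed scenario: the frame's pointer selects a record in an aligned
   region. Input "AAAAAAAAX" is 8 filler bytes plus 'X' (0x58): the overrun
   writes 0x58 over the pointer's low byte and the NUL over the next one, so
   the pointer now addresses offset 0x0058 of the same region, where a
   different record sits. Returns the record the pointer selects afterwards. */
const char *demo(void)
{
    static char *region;
    if (!region) {
        void *mem;
        if (posix_memalign(&mem, REGION, REGION) != 0)
            return NULL;
        region = mem;
        memset(region, 0, REGION);
        strcpy(region + 0x0000, "unprivileged");  /* original target */
        strcpy(region + 0x0058, "privileged");    /* 0x58 == 'X' */
    }
    struct frame f;
    set_ptr(&f, region);
    vulnerable_copy(&f, "AAAAAAAAX");
    return get_ptr(&f);
}

int main(void)
{
    printf("'X' reaches the stack: %d, 0x7f does: %d\n",
           byte_reaches_stack('X'), byte_reaches_stack(0x7f));
    printf("after the overflow the pointer selects: %s\n", demo());
    return 0;
}
```

The takeaway matches the post: no shellcode was placed in the buffer at all, only one attacker-chosen byte plus the copy's own terminator reached a pointer, and that was enough to redirect it to data already in memory. Whether a real target offers a usable object at an alphanumeric offset is the part that takes the "hour or so" of work.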