Bugtraq mailing list archives

Re: XFree86 server overflow

From: pawel () SAKOWSKI EU ORG (Paweł Sakowski)
Date: Mon, 17 Apr 2000 20:11:55 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
matter it's setuid, or called from setuid Xwrapper - works in both cases,
seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with
-xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather
trivial to exploit :), you'll get beautiful overflow with root privledges
in main (Xserver) process...


I dare disagree:

$ Xwrapper -xkbmap `perl -e 'print "A"x3000'`
Command line argument number 2 is too long
[...]
This is plain RedHat 6.2 and the command line gets refused whenever a
non-root tries to supply an arg longer than 128 chars.

- --
#include <stddisclaimer.h>
PGP Public Key: finger://sakowski.eu.org/pawel
                hkp://horowitz.surfnet.nl/pawel () sakowski eu org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOPtUPr5fvVhp3VoPEQLuFQCfSPl7lGV756WcBmBz5zSiteU2apcAoKY7
oxtyN6bTfHUyTDk8O7zEHm74
=YsmG
-----END PGP SIGNATURE-----

Current thread:

xfs, (continued)
- - xfs Michal Zalewski (Apr 16)
  - StarOffice 5.1 Michal Zalewski (Apr 16)
  - XFree86 server overflow Michal Zalewski (Apr 16)
    - XFree86 server overflow - exploit issues Michal Zalewski (Apr 16)
    - Reappearance of an old IE security bug Ben Mesander (Apr 16)
    - Re: Reappearance of an old IE security bug Vladimir Dubrovin (Apr 17)
    - Announcing: Solaris Fingerprint Database (sfpDB) on SunSolve Casper Dik (Apr 17)
    - Re: XFree86 server overflow Olaf Kirch (Apr 17)
    - Re: XFree86 server overflow Valentin Pavlov (Apr 17)
    - Microsoft Security Bulletin (MS00-025) Microsoft Product Security (Apr 17)
    - Re: XFree86 server overflow Paweł Sakowski (Apr 17)
    - RAZOR Analysis of dvwssr.dll Simple Nomad (Apr 17)
    - response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command Theo de Raadt (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command R. C. Dowdeswell (Apr 17)
    - xfs security issues (fwd) Chris Evans (Apr 17)
    - Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
    - RUS-CERT Advisory 200004-01: GNU Emacs 20 RUS-CERT, University of Stuttgart (Apr 18)
    - More vulnerabilities in FP Narrow (Apr 18)
    - Re: More vulnerabilities in FP The Cyberiad (Apr 19)

(Thread continues...)