Bugtraq mailing list archives
Re: XFree86 server overflow
From: pawel () SAKOWSKI EU ORG (Paweł Sakowski)
Date: Mon, 17 Apr 2000 20:11:55 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no matter it's setuid, or called from setuid Xwrapper - works in both cases, seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather trivial to exploit :), you'll get beautiful overflow with root privledges in main (Xserver) process...
I dare disagree: $ Xwrapper -xkbmap `perl -e 'print "A"x3000'` Command line argument number 2 is too long [...] This is plain RedHat 6.2 and the command line gets refused whenever a non-root tries to supply an arg longer than 128 chars. - -- #include <stddisclaimer.h> PGP Public Key: finger://sakowski.eu.org/pawel hkp://horowitz.surfnet.nl/pawel () sakowski eu org -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQA/AwUBOPtUPr5fvVhp3VoPEQLuFQCfSPl7lGV756WcBmBz5zSiteU2apcAoKY7 oxtyN6bTfHUyTDk8O7zEHm74 =YsmG -----END PGP SIGNATURE-----
Current thread:
- xfs, (continued)
- xfs Michal Zalewski (Apr 16)
- StarOffice 5.1 Michal Zalewski (Apr 16)
- XFree86 server overflow Michal Zalewski (Apr 16)
- XFree86 server overflow - exploit issues Michal Zalewski (Apr 16)
- Reappearance of an old IE security bug Ben Mesander (Apr 16)
- Re: Reappearance of an old IE security bug Vladimir Dubrovin (Apr 17)
- Announcing: Solaris Fingerprint Database (sfpDB) on SunSolve Casper Dik (Apr 17)
- Re: XFree86 server overflow Olaf Kirch (Apr 17)
- Re: XFree86 server overflow Valentin Pavlov (Apr 17)
- Microsoft Security Bulletin (MS00-025) Microsoft Product Security (Apr 17)
- Re: XFree86 server overflow Paweł Sakowski (Apr 17)
- RAZOR Analysis of dvwssr.dll Simple Nomad (Apr 17)
- response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Theo de Raadt (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command R. C. Dowdeswell (Apr 17)
- xfs security issues (fwd) Chris Evans (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- RUS-CERT Advisory 200004-01: GNU Emacs 20 RUS-CERT, University of Stuttgart (Apr 18)
- More vulnerabilities in FP Narrow (Apr 18)
- Re: More vulnerabilities in FP The Cyberiad (Apr 19)