Bugtraq mailing list archives

Re: another Xlib buffer overflow

From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Sat, 14 Oct 2000 04:03:13 +0200

Quoting Michal Zalewski (lcamtuf () dione ids pl):

On Sat, 14 Oct 2000, Robert van der Meulen wrote:

ii  xserver-svga   3.3.6-10       X server for SVGA graphics cards
<rvdm@crypt:~> export DISPLAY=`perl -e '{print "0" x 128}'`

Couldn't see ':' there.

It's late at night, and i'm stupid ;)

I've been looking a bit further into this. This actually _does_ trigger
segfaults on both woody and potato.
The problem is, that the display number can only contain numeric values
(Xlib does check _that_). This seriously limits possibilities for inserting
shellcode. With only the hexvalues of '0' to '9' an actual shellcode isn't
possible, but jumping to different addresses is possible.

Greets,
        Robert van der Meulen / Emphyrio

--
|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
                Marijuana is nature's way of saying, "Hi!".

Current thread:

another Xlib buffer overflow Michal Zalewski (Oct 13)
- Re: another Xlib buffer overflow Matthieu Herrb (Oct 15)
  - Re: another Xlib buffer overflow Kris Kennaway (Oct 16)
    - Re: another Xlib buffer overflow Chris Evans (Oct 25)
  - Re: another Xlib buffer overflow Cy Schubert - ITSD Open Systems Group (Oct 16)
- <Possible follow-ups>
- Re: another Xlib buffer overflow Robert van der Meulen (Oct 15)
- Re: another Xlib buffer overflow Michal Zalewski (Oct 15)