| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Oct 2010 10:22:25 -0400 From: Dan Rosenberg <dan.j.rosenberg@...il.com> To: watercloud watercloud <watercloud@...cus.org> Cc: bugtraq@...urityfocus.com Subject: Re: ubuntu 10.04 xterm heap overflow,can it be exploit ? This has already been made public: http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html On Ubuntu, xterm is setgid utmp, which might make it an interesting target for local attacks. However, you'll need to check if it's already dropped group utmp privileges by the time this overflow happens. In either case, glibc heap protection probably makes this very difficult or impossible to exploit anyway. -Dan On Sun, Oct 10, 2010 at 11:07 PM, watercloud watercloud <watercloud@...cus.org> wrote: > Hi,all ! > I find xterm on ubuntu 10.04 have a local heap overflow, > I don't known that can it be exploit on glibc 2.11 . > > > detail : > > watercloud@...ntu:~/Downloads$ ls -l `which xterm` > -rwxr-sr-x 1 root utmp 354444 2010-03-31 17:47 /usr/bin/xterm > > watercloud@...ntu:~/Downloads$ xterm -fb `perl -e 'print "A"x4000'` > *** glibc detected *** xterm: munmap_chunk(): invalid pointer: 0x080bd314 *** > ======= Backtrace: ========= > /lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x243591] > /lib/tls/i686/cmov/libc.so.6(+0x6c80e)[0x24480e] > xterm[0x8062c70] > xterm[0x8064b34] > xterm[0x805515d] > /usr/lib/libXt.so.6(+0x23e30)[0x4a2e30] > /usr/lib/libXt.so.6(+0x23fb5)[0x4a2fb5] > /usr/lib/libXt.so.6(XtRealizeWidget+0x9d)[0x4a325d] > xterm[0x8058176] > xterm[0x8069a08] > xterm[0x806bf78] > /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x1eebd6] > xterm[0x804d6a1] > ======= Memory map: ======== > 00110000-0012b000 r-xp 00000000 08:01 147 /lib/ld-2.11.1.so > 0012b000-0012c000 r--p 0001a000 08:01 147 /lib/ld-2.11.1.so > 0012c000-0012d000 rw-p 0001b000 08:01 147 /lib/ld-2.11.1.so > 0012d000-0012e000 r-xp 00000000 00:00 0 [vdso] > 0012e000-00140000 r-xp 00000000 08:01 4191 /usr/lib/libXft.so.2.1.13 > 00140000-00141000 r--p 00011000 08:01 4191 /usr/lib/libXft.so.2.1.13 > 00141000-00142000 rw-p 00012000 08:01 4191 /usr/lib/libXft.so.2.1.13 > 00142000-00198000 r-xp 00000000 08:01 2715 /usr/lib/libXaw7.so.7.0.0 > 00198000-00199000 r--p 00055000 08:01 2715 /usr/lib/libXaw7.so.7.0.0 > 00199000-0019f000 rw-p 00056000 08:01 2715 /usr/lib/libXaw7.so.7.0.0 > 0019f000-001a0000 rw-p 00000000 00:00 0 > 001a0000-001d4000 r-xp 00000000 08:01 4408 /lib/libncurses.so.5.7 > 001d4000-001d5000 ---p 00034000 08:01 4408 /lib/libncurses.so.5.7 > 001d5000-001d7000 r--p 00034000 08:01 4408 /lib/libncurses.so.5.7 > 001d7000-001d8000 rw-p 00036000 08:01 4408 /lib/libncurses.so.5.7 > 001d8000-0032b000 r-xp 00000000 08:01 1050745 > /lib/tls/i686/cmov/libc-2.11.1.so > 0032b000-0032c000 ---p 00153000 08:01 1050745 > /lib/tls/i686/cmov/libc-2.11.1.so > 0032c000-0032e000 r--p 00153000 08:01 1050745 > /lib/tls/i686/cmov/libc-2.11.1.so > 0032e000-0032f000 rw-p 00155000 08:01 1050745 > /lib/tls/i686/cmov/libc-2.11.1.so > 0032f000-00332000 rw-p 00000000 00:00 0 > 00332000-00360000 r-xp 00000000 08:01 850 /usr/lib/libfontconfig.so.1.4.4 > 00360000-00361000 r--p 0002d000 08:01 850 /usr/lib/libfontconfig.so.1.4.4 > 00361000-00362000 rw-p 0002e000 08:01 850 /usr/lib/libfontconfig.so.1.4.4 > 00362000-0047b000 r-xp 00000000 08:01 4046 /usr/lib/libX11.so.6.3.0 > 0047b000-0047c000 r--p 00118000 08:01 4046 /usr/lib/libX11.so.6.3.0 > 0047c000-0047e000 rw-p 00119000 08:01 4046 /usr/lib/libX11.so.6.3.0 > 0047e000-0047f000 rw-p 00000000 00:00 0 > 0047f000-004ce000 r-xp 00000000 08:01 3718 /usr/lib/libXt.so.6.0.0 > 004ce000-004cf000 r--p 0004e000 08:01 3718 /usr/lib/libXt.so.6.0.0 > 004cf000-004d2000 rw-p 0004f000 08:01 3718 /usr/lib/libXt.so.6.0.0 > 004d2000-004e7000 r-xp 00000000 08:01 2723 /usr/lib/libXmu.so.6.2.0 > 004e7000-004e8000 r--p 00014000 08:01 2723 /usr/lib/libXmu.so.6.2.0 > 004e8000-004e9000 rw-p 00015000 08:01 2723 /usr/lib/libXmu.so.6.2.0 > 004e9000-004fe000 r-xp 00000000 08:01 4016 /usr/lib/libICE.so.6.3.0 > 004fe000-004ff000 r--p 00014000 08:01 4016 /usr/lib/libICE.so.6.3.0 > 004ff000-00500000 rw-p 00015000 08:01 4016 /usr/lib/libICE.so.6.3.0 > 00500000-00502000 rw-p 00000000 00:00 0 > 00502000-00573000 r-xp 00000000 08:01 2033 /usr/lib/libfreetype.so.6.3.22 > 00573000-00577000 r--p 00070000 08:01 2033 /usr/lib/libfreetype.so.6.3.22 > 00577000-00578000 rw-p 00074000 08:01 2033 /usr/lib/libfreetype.so.6.3.22 > 00578000-00580000 r-xp 00000000 08:01 4050 /usr/lib/libXrender.so.1.3.0 > 00580000-00581000 r--p 00007000 08:01 4050 /usr/lib/libXrender.so.1.3.0 > 00581000-00582000 rw-p 00008000 08:01 4050 /usr/lib/libXrender.so.1.3.0 > 00582000-00590000 r-xp 00000000 08:01 4091 /usr/lib/libXext.so.6.4.0 > 00590000-00591000 r--p 0000d000 08:01 4091 /usr/lib/libXext.so.6.4.0 > 00591000-00592000 rw-p 0000e000 08:01 4091 /usr/lib/libXext.so.6.4.0 > 00592000-005a1000 r-xp 00000000 08:01 2709 /usr/lib/libXpm.so.4.11.0 > 005a1000-005a2000 r--p 0000e000 08:01 2709 /usr/lib/libXpm.so.4.11.0 > 005a2000-005a3000 rw-p 0000f000 08:01 2709 /usr/lib/libXpm.so.4.11.0 > 005a3000-005a5000 r-xp 00000000 08:01 1053685 > /lib/tls/i686/cmov/libdl-2.11.1.so > 005a5000-005a6000 r--p 00001000 08:01 1053685 > /lib/tls/i686/cmov/libdl-2.11.1.so > 005a6000-005a7000 rw-p 00002000 08:01 1053685 > /lib/tls/i686/cmov/libdl-2.11.1.so > 005a7000-005ba000 r-xp 00000000 08:01 4125 /lib/libz.so.1.2.3.3 > 005ba000-005bb000 r--p 00012000 08:01 4125 /lib/libz.so.1.2.3.3 > 005bb000-005bc000 rw-p 00013000 08:01 4125 /lib/libz.so.1.2.3.3 > 005bc000-005e0000 r-xp 00000000 08:01 90 /lib/libexpat.so.1.5.2 > 005e0000-005e2000 r--p 00024000 08:01 90 /lib/libexpat.so.1.5.2 > 005e2000-005e3000 rw-p 00026000 08:01 90 /lib/libexpat.so.1.5.2 > 005e3000-005fb000 r-xp 00000000 08:01 4032 /usr/lib/libxcb.so.1.1.0 > 005fb000-005fc000 r--p 00017000 08:01 4032 /usr/lib/libxcb.so.1.1.0 > 005fc000-005fd000 rw-p 00018000 08:01 4032 /usr/lib/libxcb.so.1.1.0 > 005fd000-00604000 r-xp 00000000 08:01 44 /usr/lib/libSM.so.6.0.1 > 00604000-00605000 r--p 00006000 08:01 44 /usr/lib/libSM.so.6.0.1 > 00605000-00606000 rw-p 00007000 08:01 44 /usr/lib/libSM.so.6.0.1 > 00606000-00608000 r-xp 00000000 08:01 2195 /usr/lib/libXau.so.6.0.0 > 00608000-00609000 r--p 00001000 08:01 2195 /usr/lib/libXau.so.6.0.0 > 00609000-0060a000 rw-p 00002000 08:01 2195 /usr/lib/libXau.so.6.0.0 > 0060a000-0060e000 r-xp 00000000 08:01 3970 /usr/lib/libXdmcp.so.6.0.0 > 0060e000-0060f000 r--p 00003000 08:01 3970 /usr/lib/libXdmcp.so.6.0.0 > 0060f000-00610000 rw-p 00004000 08:01 3970 /usr/lib/libXdmcp.so.6.0.0 > 00610000-00613000 r-xp 00000000 08:01 811 /lib/libuuid.so.1.3.0 > 00613000-00614000 r--p 00002000 08:01 811 /lib/libuuid.so.1.3.0 > 00614000-00615000 rw-p 00003000 08:01 811 /lib/libuuid.so.1.3.0 > 00615000-0061d000 r-xp 00000000 08:01 3644 /usr/lib/libXcursor.so.1.0.2 > 0061d000-0061e000 r--p 00007000 08:01 3644 /usr/lib/libXcursor.so.1.0.2 > 0061e000-0061f000 rw-p 00008000 08:01 3644 /usr/lib/libXcursor.so.1.0.2 > 0061f000-00623000 r-xp 00000000 08:01 4112 /usr/lib/libXfixes.so.3.1.0 > 00623000-00624000 r--p 00003000 08:01 4112 /usr/lib/libXfixes.so.3.1.0 > 00624000-00625000 rw-p 00004000 08:01 4112 /usr/lib/libXfixes.so.3.1.0 > 00625000-00642000 r-xp 00000000 08:01 1463 /lib/libgcc_s.so.1 > 00642000-00643000 r--p 0001c000 08:01 1463 /lib/libgcc_s.so.1 > 00643000-00644000 rw-p 0001d000 08:01 1463 /lib/libgcc_s.so.1 > 08048000-08099000 r-xp 00000000 08:01 2848 /usr/bin/xterm > 08099000-0809a000 r--p 00050000 08:01 2848 /usr/bin/xterm > 0809a000-080a0000 rw-p 00051000 08:01 2848 /usr/bin/xterm > 080a0000-080e5000 rw-p 00000000 00:00 0 [heap] > b7e4c000-b7e8b000 r--p 00000000 08:01 393224 > /usr/lib/locale/zh_CN.utf8/LC_CTYPE > b7e8b000-b7fdd000 r--p 00000000 08:01 393276 > /usr/lib/locale/zh_CN.utf8/LC_COLLATE >
Powered by blists - more mailing lists