lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTi=8pW16VWMgr=csm61VN8Pv-3q+GQXoaJfzb81O@mail.gmail.com>
Date: Wed, 13 Oct 2010 10:22:25 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: watercloud watercloud <watercloud@...cus.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: ubuntu 10.04 xterm heap overflow,can it be exploit ?

This has already been made public:
http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html

On Ubuntu, xterm is setgid utmp, which might make it an interesting
target for local attacks.  However, you'll need to check if it's
already dropped group utmp privileges by the time this overflow
happens.  In either case, glibc heap protection probably makes this
very difficult or impossible to exploit anyway.

-Dan

On Sun, Oct 10, 2010 at 11:07 PM, watercloud watercloud
<watercloud@...cus.org> wrote:
> Hi,all !
> I find xterm on ubuntu 10.04 have a local heap overflow,
> I don't known  that can it be exploit on glibc 2.11 .
>
>
> detail :
>
> watercloud@...ntu:~/Downloads$ ls -l `which xterm`
> -rwxr-sr-x 1 root utmp 354444 2010-03-31 17:47 /usr/bin/xterm
>
> watercloud@...ntu:~/Downloads$ xterm -fb `perl -e 'print "A"x4000'`
> *** glibc detected *** xterm: munmap_chunk(): invalid pointer: 0x080bd314 ***
> ======= Backtrace: =========
> /lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x243591]
> /lib/tls/i686/cmov/libc.so.6(+0x6c80e)[0x24480e]
> xterm[0x8062c70]
> xterm[0x8064b34]
> xterm[0x805515d]
> /usr/lib/libXt.so.6(+0x23e30)[0x4a2e30]
> /usr/lib/libXt.so.6(+0x23fb5)[0x4a2fb5]
> /usr/lib/libXt.so.6(XtRealizeWidget+0x9d)[0x4a325d]
> xterm[0x8058176]
> xterm[0x8069a08]
> xterm[0x806bf78]
> /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x1eebd6]
> xterm[0x804d6a1]
> ======= Memory map: ========
> 00110000-0012b000 r-xp 00000000 08:01 147        /lib/ld-2.11.1.so
> 0012b000-0012c000 r--p 0001a000 08:01 147        /lib/ld-2.11.1.so
> 0012c000-0012d000 rw-p 0001b000 08:01 147        /lib/ld-2.11.1.so
> 0012d000-0012e000 r-xp 00000000 00:00 0          [vdso]
> 0012e000-00140000 r-xp 00000000 08:01 4191       /usr/lib/libXft.so.2.1.13
> 00140000-00141000 r--p 00011000 08:01 4191       /usr/lib/libXft.so.2.1.13
> 00141000-00142000 rw-p 00012000 08:01 4191       /usr/lib/libXft.so.2.1.13
> 00142000-00198000 r-xp 00000000 08:01 2715       /usr/lib/libXaw7.so.7.0.0
> 00198000-00199000 r--p 00055000 08:01 2715       /usr/lib/libXaw7.so.7.0.0
> 00199000-0019f000 rw-p 00056000 08:01 2715       /usr/lib/libXaw7.so.7.0.0
> 0019f000-001a0000 rw-p 00000000 00:00 0
> 001a0000-001d4000 r-xp 00000000 08:01 4408       /lib/libncurses.so.5.7
> 001d4000-001d5000 ---p 00034000 08:01 4408       /lib/libncurses.so.5.7
> 001d5000-001d7000 r--p 00034000 08:01 4408       /lib/libncurses.so.5.7
> 001d7000-001d8000 rw-p 00036000 08:01 4408       /lib/libncurses.so.5.7
> 001d8000-0032b000 r-xp 00000000 08:01 1050745
> /lib/tls/i686/cmov/libc-2.11.1.so
> 0032b000-0032c000 ---p 00153000 08:01 1050745
> /lib/tls/i686/cmov/libc-2.11.1.so
> 0032c000-0032e000 r--p 00153000 08:01 1050745
> /lib/tls/i686/cmov/libc-2.11.1.so
> 0032e000-0032f000 rw-p 00155000 08:01 1050745
> /lib/tls/i686/cmov/libc-2.11.1.so
> 0032f000-00332000 rw-p 00000000 00:00 0
> 00332000-00360000 r-xp 00000000 08:01 850        /usr/lib/libfontconfig.so.1.4.4
> 00360000-00361000 r--p 0002d000 08:01 850        /usr/lib/libfontconfig.so.1.4.4
> 00361000-00362000 rw-p 0002e000 08:01 850        /usr/lib/libfontconfig.so.1.4.4
> 00362000-0047b000 r-xp 00000000 08:01 4046       /usr/lib/libX11.so.6.3.0
> 0047b000-0047c000 r--p 00118000 08:01 4046       /usr/lib/libX11.so.6.3.0
> 0047c000-0047e000 rw-p 00119000 08:01 4046       /usr/lib/libX11.so.6.3.0
> 0047e000-0047f000 rw-p 00000000 00:00 0
> 0047f000-004ce000 r-xp 00000000 08:01 3718       /usr/lib/libXt.so.6.0.0
> 004ce000-004cf000 r--p 0004e000 08:01 3718       /usr/lib/libXt.so.6.0.0
> 004cf000-004d2000 rw-p 0004f000 08:01 3718       /usr/lib/libXt.so.6.0.0
> 004d2000-004e7000 r-xp 00000000 08:01 2723       /usr/lib/libXmu.so.6.2.0
> 004e7000-004e8000 r--p 00014000 08:01 2723       /usr/lib/libXmu.so.6.2.0
> 004e8000-004e9000 rw-p 00015000 08:01 2723       /usr/lib/libXmu.so.6.2.0
> 004e9000-004fe000 r-xp 00000000 08:01 4016       /usr/lib/libICE.so.6.3.0
> 004fe000-004ff000 r--p 00014000 08:01 4016       /usr/lib/libICE.so.6.3.0
> 004ff000-00500000 rw-p 00015000 08:01 4016       /usr/lib/libICE.so.6.3.0
> 00500000-00502000 rw-p 00000000 00:00 0
> 00502000-00573000 r-xp 00000000 08:01 2033       /usr/lib/libfreetype.so.6.3.22
> 00573000-00577000 r--p 00070000 08:01 2033       /usr/lib/libfreetype.so.6.3.22
> 00577000-00578000 rw-p 00074000 08:01 2033       /usr/lib/libfreetype.so.6.3.22
> 00578000-00580000 r-xp 00000000 08:01 4050       /usr/lib/libXrender.so.1.3.0
> 00580000-00581000 r--p 00007000 08:01 4050       /usr/lib/libXrender.so.1.3.0
> 00581000-00582000 rw-p 00008000 08:01 4050       /usr/lib/libXrender.so.1.3.0
> 00582000-00590000 r-xp 00000000 08:01 4091       /usr/lib/libXext.so.6.4.0
> 00590000-00591000 r--p 0000d000 08:01 4091       /usr/lib/libXext.so.6.4.0
> 00591000-00592000 rw-p 0000e000 08:01 4091       /usr/lib/libXext.so.6.4.0
> 00592000-005a1000 r-xp 00000000 08:01 2709       /usr/lib/libXpm.so.4.11.0
> 005a1000-005a2000 r--p 0000e000 08:01 2709       /usr/lib/libXpm.so.4.11.0
> 005a2000-005a3000 rw-p 0000f000 08:01 2709       /usr/lib/libXpm.so.4.11.0
> 005a3000-005a5000 r-xp 00000000 08:01 1053685
> /lib/tls/i686/cmov/libdl-2.11.1.so
> 005a5000-005a6000 r--p 00001000 08:01 1053685
> /lib/tls/i686/cmov/libdl-2.11.1.so
> 005a6000-005a7000 rw-p 00002000 08:01 1053685
> /lib/tls/i686/cmov/libdl-2.11.1.so
> 005a7000-005ba000 r-xp 00000000 08:01 4125       /lib/libz.so.1.2.3.3
> 005ba000-005bb000 r--p 00012000 08:01 4125       /lib/libz.so.1.2.3.3
> 005bb000-005bc000 rw-p 00013000 08:01 4125       /lib/libz.so.1.2.3.3
> 005bc000-005e0000 r-xp 00000000 08:01 90         /lib/libexpat.so.1.5.2
> 005e0000-005e2000 r--p 00024000 08:01 90         /lib/libexpat.so.1.5.2
> 005e2000-005e3000 rw-p 00026000 08:01 90         /lib/libexpat.so.1.5.2
> 005e3000-005fb000 r-xp 00000000 08:01 4032       /usr/lib/libxcb.so.1.1.0
> 005fb000-005fc000 r--p 00017000 08:01 4032       /usr/lib/libxcb.so.1.1.0
> 005fc000-005fd000 rw-p 00018000 08:01 4032       /usr/lib/libxcb.so.1.1.0
> 005fd000-00604000 r-xp 00000000 08:01 44         /usr/lib/libSM.so.6.0.1
> 00604000-00605000 r--p 00006000 08:01 44         /usr/lib/libSM.so.6.0.1
> 00605000-00606000 rw-p 00007000 08:01 44         /usr/lib/libSM.so.6.0.1
> 00606000-00608000 r-xp 00000000 08:01 2195       /usr/lib/libXau.so.6.0.0
> 00608000-00609000 r--p 00001000 08:01 2195       /usr/lib/libXau.so.6.0.0
> 00609000-0060a000 rw-p 00002000 08:01 2195       /usr/lib/libXau.so.6.0.0
> 0060a000-0060e000 r-xp 00000000 08:01 3970       /usr/lib/libXdmcp.so.6.0.0
> 0060e000-0060f000 r--p 00003000 08:01 3970       /usr/lib/libXdmcp.so.6.0.0
> 0060f000-00610000 rw-p 00004000 08:01 3970       /usr/lib/libXdmcp.so.6.0.0
> 00610000-00613000 r-xp 00000000 08:01 811        /lib/libuuid.so.1.3.0
> 00613000-00614000 r--p 00002000 08:01 811        /lib/libuuid.so.1.3.0
> 00614000-00615000 rw-p 00003000 08:01 811        /lib/libuuid.so.1.3.0
> 00615000-0061d000 r-xp 00000000 08:01 3644       /usr/lib/libXcursor.so.1.0.2
> 0061d000-0061e000 r--p 00007000 08:01 3644       /usr/lib/libXcursor.so.1.0.2
> 0061e000-0061f000 rw-p 00008000 08:01 3644       /usr/lib/libXcursor.so.1.0.2
> 0061f000-00623000 r-xp 00000000 08:01 4112       /usr/lib/libXfixes.so.3.1.0
> 00623000-00624000 r--p 00003000 08:01 4112       /usr/lib/libXfixes.so.3.1.0
> 00624000-00625000 rw-p 00004000 08:01 4112       /usr/lib/libXfixes.so.3.1.0
> 00625000-00642000 r-xp 00000000 08:01 1463       /lib/libgcc_s.so.1
> 00642000-00643000 r--p 0001c000 08:01 1463       /lib/libgcc_s.so.1
> 00643000-00644000 rw-p 0001d000 08:01 1463       /lib/libgcc_s.so.1
> 08048000-08099000 r-xp 00000000 08:01 2848       /usr/bin/xterm
> 08099000-0809a000 r--p 00050000 08:01 2848       /usr/bin/xterm
> 0809a000-080a0000 rw-p 00051000 08:01 2848       /usr/bin/xterm
> 080a0000-080e5000 rw-p 00000000 00:00 0          [heap]
> b7e4c000-b7e8b000 r--p 00000000 08:01 393224
> /usr/lib/locale/zh_CN.utf8/LC_CTYPE
> b7e8b000-b7fdd000 r--p 00000000 08:01 393276
> /usr/lib/locale/zh_CN.utf8/LC_COLLATE
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ