Originally Published: Monday, 17 April 2000 Author: Alexander Reelsen
Published to: news_enhance_security/Security News

XFree seems to have serious problems

In a Bugtraq post today, Michal Zalewski pointed out that you can easily get root privileges on XFree86 3.3.6 because of the setuid Xwrapper shipped with Red Hat 6.0. In another mail he noted that this seems to be a strcpy() problem.


Date: Sun, 16 Apr 2000 18:54:41 +0200
From: Michal Zalewski
Subject: XFree86 server overflow
To: BUGTRAQ@SECURITYFOCUS.COM

XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no matter it's setuid, or called from setuid Xwrapper - works in both cases, seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather trivial to exploit :), you'll get beautiful overflow with root privileges in main (Xserver) process...

listen to the gdb... Cannot access memory at address 0x41414141.

This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6), and:

XFCom_i810 Version 1.0.0 / X Window System (protocol Version 11, revision 0, vendor release 6300) Release Date: October 13 1999

Btw. while testing this bug, we have noticed strange behaviour of some drivers. For example, in one case we get kernel oops, just like that (linux 2.2.14, XFree86 3.3.6 XF86_S3V):

eip: 41414141
eflags: 00013296
eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
       41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
       41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
       41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141

:)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
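The intro attributes the bug to strcpy(), and the post describes the trigger: an -xkbmap value of more than 2100 bytes copied into a fixed-size buffer inside a process that runs as root. The following C program is an added example, not code from the post or from XFree86; it shows that unbounded-copy pattern next to the check a privileged program should apply to every argv[] value before doing anything else. The buffer size KBMAP_NAME_MAX, the function names and the allowed character set are assumptions made for the illustration.

```c
/* Added example: bounded handling of a command-line option value in a
 * setuid/root program. Names and limits below are assumptions, not
 * XFree86 code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KBMAP_NAME_MAX 64   /* assumed maximum length of a keymap name, NUL included */

/* The pattern the post attributes to the bug: an unbounded strcpy() of an
 * argv[] value into a fixed-size buffer. A value longer than the buffer
 * overwrites what follows it on the stack, including the saved return
 * address (hence "eip: 41414141" in the oops). Shown for contrast only;
 * this program never calls it with an overlong value. */
void kbmap_set_unsafe(char dst[KBMAP_NAME_MAX], const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: reject the value unless it fits with its NUL and uses
 * only characters a keymap name is assumed to contain. Returns 0 when
 * copied, -1 when rejected; dst is untouched on rejection. */
int kbmap_set_checked(char dst[KBMAP_NAME_MAX], const char *arg)
{
    /* Look for the terminator inside the bound instead of walking the
     * whole string: an attacker-sized value is never scanned in full. */
    const char *nul = memchr(arg, '\0', KBMAP_NAME_MAX);
    if (nul == NULL || nul == arg)
        return -1;                      /* too long to fit, or empty */
    size_t len = (size_t)(nul - arg);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '+' ||
              c == '(' || c == ')' || c == ',' || c == ':'))
            return -1;                  /* assumed allowed set for a keymap name */
    }
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Scan argv the way an option parser would, so the check runs before any
 * privileged work. Returns the number of -xkbmap values rejected. */
int scan_options(int argc, char **argv, char keymap[KBMAP_NAME_MAX])
{
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-xkbmap") == 0 && i + 1 < argc) {
            if (kbmap_set_checked(keymap, argv[++i]) != 0)
                rejected++;
        }
    }
    return rejected;
}

/* Self-check: a constructed 2100-byte run of 'A's (the size from the post)
 * must be rejected and leave the buffer intact, while "us" must be copied.
 * Returns 1 when both hold, 0 otherwise. */
int demo_checks(void)
{
    char keymap[KBMAP_NAME_MAX] = "";
    char *longval = malloc(2101);
    if (longval == NULL)
        return 0;
    memset(longval, 'A', 2100);
    longval[2100] = '\0';

    char *good[] = { "X", "-xkbmap", "us", NULL };
    char *bad[]  = { "X", "-xkbmap", longval, NULL };

    int ok = scan_options(3, good, keymap) == 0 && strcmp(keymap, "us") == 0;
    ok = ok && scan_options(3, bad, keymap) == 1 && strcmp(keymap, "us") == 0;
    free(longval);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("bounded option check: %s\n", demo_checks() ? "ok" : "FAILED");
    return demo_checks() ? 0 : 1;
}
```

The important design point is the order of operations: the length test happens on the raw argv[] value before a single byte is copied, and the program has not yet done anything that needs its privileges. The same check belongs on every option string a setuid program accepts, not only the one named in the report.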
