From owner-freebsd-security Sun Jun 1 23:29:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA00482 for security-outgoing; Sun, 1 Jun 1997 23:29:05 -0700 (PDT)
Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA00472; Sun, 1 Jun 1997 23:28:53 -0700 (PDT)
Received: (from eivind@localhost) by bitbox.follo.net (8.7.6/8.7.3) id IAA18656; Mon, 2 Jun 1997 08:28:01 +0200 (MET DST)
Date: Mon, 2 Jun 1997 08:28:01 +0200 (MET DST)
Message-Id: <199706020628.IAA18656@bitbox.follo.net>
From: Eivind Eklund
To: David Dawes
CC: perhaps@yes.no, security@FreeBSD.ORG, rich@FreeBSD.ORG
In-reply-to: David Dawes's message of Sat, 31 May 1997 11:33:02 +1000
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <19970531113302.04820@rf900.physics.usyd.edu.au>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>
> On Fri, May 30, 1997 at 05:38:02PM +0200, Eivind Eklund wrote:
> >
> >There is presently at least one hole in the X11 libraries (a buffer
> >overflow) being passed around in hacker circles. This buffer overrun
> >makes it possible to exploit any setuid program for X11 (e.g. xterm)
> >user set to; xterm (and others) give root.
> >
> >Hopefully XFree will provide replacement libraries soon; if not, I'll
> >try to do it, but I'm not presently equipped to compile new libraries
> >for all FreeBSD versions. (The XFree liaison is Cc:'ed - can you
> >comment on this, Rich?)
>
> XFree86 is aware of two Xlib buffer overflows which are present in
> the base X11R6.3 code. One is related to the -xrm command line flag,
> and the other is related to the locale-related environment variables.
> Xterm built from XFree86 3.1.2 and later source happens to be immune
> from the first problem because it runs the vulnerable code with the
> euid == ruid.

How this helps against a buffer overflow is unclear to me. You'd just
need to do setuid(0) as a syscall in the shellcode to bypass it,
wouldn't you?

> We have fixes for both of these problems, and they will be included in
> our 3.3 release, which should be available some time in the next week.
> We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
> 3.0-CURRENT (using the 970520-SNAP).
>
> If you know of any other Xlib (or other) vulnerabilities, please let me
> know *now* (send details to XFree86@XFree86.org) so that we can attempt
> to have them fixed in 3.3. We close off 3.3 completely in a day or two.

I know of no more.

One question, though: Will it be possible to get a secure 3.2(a) by
replacing just the relevant libraries with the ones from 3.3? (Doing a
full new X install is somewhat more of an operation than just surgically
replacing libraries. Would be nice if people could do that - increase
user confidence etc)

Eivind.
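The exchange above turns on a privilege-handling detail: running the vulnerable code with euid == ruid only changes the effective uid, so the saved set-user-ID still holds root and a later setuid(0) succeeds. The following C program is an added example, not part of the thread or of XFree86, showing the temporary drop beside a permanent one (setuid() called while euid is 0 sets the real, effective and saved uids on POSIX systems) and a check a setuid program can run on itself to confirm root is no longer recoverable. The target uid 65534 used when started as root is a constructed value.

```c
/* Added example: temporary vs. permanent privilege drop, with a self-check.
 * Not code from the XFree86 project or the thread. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporary drop, as in the xterm description quoted above: only the
 * effective uid changes. The saved set-user-ID keeps root, so a later
 * setuid(0) or seteuid(0) in this process restores it. */
int drop_privs_temporarily(void)
{
    return seteuid(getuid());
}

/* Permanent drop: with euid 0, POSIX setuid() sets real, effective and
 * saved uids, so root cannot be regained. Returns 0 on success, -1 on
 * failure (errno set); also fails if the kernel left a uid unchanged. */
int drop_privs_permanently(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (geteuid() != target || getuid() != target) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Self-check: returns 1 if seteuid(0) is now refused (root unrecoverable),
 * 0 if it still succeeds (saved uid was still root: the drop was only
 * temporary) or we are still root, -1 on an unexpected error. */
int root_is_unrecoverable(void)
{
    if (geteuid() == 0)
        return 0;
    if (seteuid(0) == 0) {
        /* Got root back: undo the re-elevation and report the weak drop. */
        seteuid(getuid());
        return 0;
    }
    return (errno == EPERM) ? 1 : -1;
}

int main(void)
{
    /* Constructed target: the real uid when unprivileged; the conventional
     * "nobody" uid 65534 (assumed value) when started as root. */
    uid_t target = (getuid() != 0) ? getuid() : (uid_t)65534;

    if (drop_privs_temporarily() == 0)
        printf("after seteuid: root unrecoverable? %s\n",
               root_is_unrecoverable() == 1 ? "yes" : "no");

    if (drop_privs_permanently(target) != 0) {
        perror("setuid");
        return 1;
    }
    printf("after setuid:  root unrecoverable? %s\n",
           root_is_unrecoverable() == 1 ? "yes" : "no");
    return 0;
}
```

Run as root (e.g. from a setuid-root test binary), the first check reports that root is still recoverable after seteuid(), and only the setuid() drop makes the second check pass; run unprivileged, both checks pass because there was never a saved root uid to regain. A setuid program that must keep root for later use cannot be protected this way, which is why the fix for the overflow itself, not the uid juggling, is what closes the hole.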