Date: Mon, 29 Jun 1998 09:20:05 +0200
From: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
To: Thomas Gellekum <tg@ihf.rwth-aachen.de>
Cc: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>, freebsd-security@FreeBSD.ORG
Subject: Re: xlock
Message-ID: <19980629092005.33214@gil.physik.rwth-aachen.de>
In-Reply-To: <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>; from Thomas Gellekum on Mon, Jun 29, 1998 at 08:58:02AM +0200
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>
On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote:
> Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE> writes:
>
> > Alarmed by recent buffer overflow attacks on Linux machines in
> > my vicinity (an exploit for this is available) I thought about
> > xlock under FreeBSD and would like to know whether the
> > security hole has been sorted out under FreeBSD 2.2.x or what
> > measures are advised to prevent it.
>
> Could you tell more about this?

/*
 x86 XLOCK overflow exploit by cesaro@0wned.org 4/17/97
 Original exploit framework - lpr exploit

 Usage: make xlock-exploit
        xlock-exploit <optional_offset>

 Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/

[complete xploit can be sent on demand]

xlock, since it is suid root (I don't know which version is affected and
if that is fixed maybe in XF86332), can be fed with a command line parameter
causing a buffer overflow which allows a logged-in normal user to gain a
root shell. Actually the hole is a year old. Since I didn't find xlock on
freefall (hub) I thought the problem is known already.

The Linux exploit program doesn't work directly under FreeBSD (causes a
bad system call) but with some tweaking it could be made to work.

SUSE Linux 5.x fixes it the following way:

1.) establishing a group 'shadow' in /etc/group, sole member 'root':

    shadow:x:15:root

2.) xlock becomes SGID group shadow:

    -rwxr-sr-x   1 root     shadow     843596 Nov 16  1996 /usr/X11/bin/xlock*

3.) password files become group readable by group shadow:

    -rw-r-----   1 root     shadow        289 Jan 16  1997 /etc/gshadow
    -rw-r-----   1 root     shadow        683 Jun 15 14:55 /etc/shadow
    -rw-r-----   1 root     shadow        683 May 14 18:09 /etc/shadow-
    -rw-r-----   1 root     shadow        642 Sep 30  1997 /etc/shadow.orig

>
> tg

--
--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
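The two privilege models contrasted in the message above (xlock setuid root, where any overflow in argument handling yields root, versus SuSE's setgid "shadow" binary reading a shadow file that is readable only by root and group shadow) can be audited with a small script. The following is an added example, not code from the thread or from any xlock or SuSE package; it classifies a locker binary by its setuid/setgid bits and checks that the password file is not world-readable. The file names and modes in the temporary directory are constructed to mirror the listings in the message; on a real system you would pass paths such as /usr/X11/bin/xlock and /etc/shadow instead.

```sh
#!/bin/sh
# Added example (not from the original message): audit the privilege model of a
# screen locker and of the password file it needs to read.

# Print the 10-character mode string (e.g. -rwsr-xr-x) of a file. Parsing `ls -ld`
# keeps this portable between GNU and BSD userlands, which disagree on `stat` flags.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Classify a locker binary by its privilege bits:
#   suid - setuid bit set: a bug in argument parsing is a full root compromise
#   sgid - setgid only: the SuSE model, a compromise yields the group, not root
#   none - neither bit: the binary cannot read a protected shadow file at all
locker_model() {
    case "$(mode_of "$1")" in
        ???[sS]??????) echo suid ;;
        ??????[sS]???) echo sgid ;;
        *)             echo none ;;
    esac
}

# Succeed (return 0) when the password file is readable by "other", i.e. the
# world, which defeats the purpose of a shadow file whatever the locker's bits.
shadow_world_readable() {
    case "$(mode_of "$1")" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Combined one-line verdict for a (locker, shadow file) pair.
audit_pair() {
    model=$(locker_model "$1")
    if shadow_world_readable "$2"; then
        echo "$model shadow-world-readable"
    else
        echo "$model shadow-protected"
    fi
}

# Constructed sample layout reproducing the modes shown in the message.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\n' > "$demo_dir/xlock.suid"; chmod 4755 "$demo_dir/xlock.suid"  # -rwsr-xr-x
printf '#!/bin/sh\n' > "$demo_dir/xlock.sgid"; chmod 2755 "$demo_dir/xlock.sgid"  # -rwxr-sr-x
: > "$demo_dir/shadow.ok";  chmod 640 "$demo_dir/shadow.ok"    # -rw-r-----
: > "$demo_dir/shadow.bad"; chmod 644 "$demo_dir/shadow.bad"   # -rw-r--r--

# Report every combination; only "sgid shadow-protected" matches the SuSE fix.
for l in xlock.suid xlock.sgid; do
    for s in shadow.ok shadow.bad; do
        printf '%-11s %-10s -> %s\n' "$l" "$s" "$(audit_pair "$demo_dir/$l" "$demo_dir/$s")"
    done
done
```

Note that the script reads only mode bits, not the owner: on a real host you would additionally confirm that a setgid locker is owned by root and that the group is the dedicated shadow group, as in the listings above, since a setgid binary owned by an unprivileged user proves nothing.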
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980629092005.33214>