From owner-freebsd-security Mon Jun 29 00:20:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA22125 for freebsd-security-outgoing; Mon, 29 Jun 1998 00:20:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA22116 for ; Mon, 29 Jun 1998 00:20:15 -0700 (PDT) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id JAA00976; Mon, 29 Jun 1998 09:20:06 +0200 (MEST) (envelope-from kuku)
Message-ID: <19980629092005.33214@gil.physik.rwth-aachen.de>
Date: Mon, 29 Jun 1998 09:20:05 +0200
From: Christoph Kukulies
To: Thomas Gellekum
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: xlock
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81e
In-Reply-To: <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>; from Thomas Gellekum on Mon, Jun 29, 1998 at 08:58:02AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote:
> Christoph Kukulies writes:
>
> > Alarmed by recent buffer overflow attacks on Linux machines in
> > my vicinity (an exploit for this is available) I thought about
> > xlock under FreeBSD and would like to know whether the
> > security hole has been sorted out under FreeBSD 2.2.x or what
> > measures are advised to prevent it.
>
> Could you tell more about this?

/*
 * x86 XLOCK overflow exploit by cesaro@0wned.org 4/17/97
 * Original exploit framework - lpr exploit
 *
 * Usage: make xlock-exploit
 *        xlock-exploit
 *
 * Assumptions: xlock is suid root, and installed in /usr/X11/bin
 */

[complete exploit can be sent on demand]

xlock, since it is suid root (I don't know which version is affected, and
whether that is maybe fixed in XF86332), can be fed with a command-line
parameter causing a buffer overflow, which allows a logged-in normal user
to gain a root shell.

Actually the hole is a year old. Since I didn't find xlock on freefall
(hub) I thought the problem was known already.

The Linux exploit program doesn't work directly under FreeBSD (causes a
bad system call), but with some tweaking it could be made to work.

SUSE Linux 5.x fixes it the following way:

1.) establishing a group 'shadow' in /etc/group, sole member 'root':

    shadow:x:15:root

2.) xlock becomes SGID group shadow:

    -rwxr-sr-x   1 root     shadow     843596 Nov 16  1996 /usr/X11/bin/xlock*

3.) password files become group readable by group shadow:

    -rw-r-----   1 root     shadow        289 Jan 16  1997 /etc/gshadow
    -rw-r-----   1 root     shadow        683 Jun 15 14:55 /etc/shadow
    -rw-r-----   1 root     shadow        683 May 14 18:09 /etc/shadow-
    -rw-r-----   1 root     shadow        642 Sep 30  1997 /etc/shadow.orig

> tg

--
--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
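The SUSE layout quoted in the mail (a dedicated group, xlock setgid to that group instead of setuid root, the password database mode 640 and group-owned by it) is a privilege-reduction pattern, not an xlock-specific fix: an overflow in a setgid binary yields the group's rights, not root. The POSIX shell script below is an added example, not code from the thread, from SUSE or from the FreeBSD project. It audits a directory for setuid binaries and applies that layout to a binary and a password file whose paths and group are given as parameters; every path, group name and mode in it is an assumption taken from the mail's listing, and on FreeBSD the relevant password file would be a different path than /etc/shadow, so nothing is hard-coded.

```shell
#!/bin/sh
# Added example: audit setuid binaries and move one to the "sgid <group>"
# layout described in the mail. All paths and the group are parameters
# (assumptions for illustration); no real system path is hard-coded.

# List regular files under DIR owned by OWNER that carry the setuid bit.
# This is the first question to ask about any screen locker: is it suid root?
# Usage: find_suid_owned DIR OWNER
find_suid_owned() {
    find "$1" -type f -user "$2" -perm -4000 2>/dev/null
}

# 10-character mode string of PATH, e.g. -rwsr-xr-x (ls is more portable than stat -c).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Classify how PATH is privileged: suid-<owner>, sgid-<group>, or none.
# Position 4 of the mode string is the setuid slot, position 7 the setgid slot.
priv_class() {
    m=$(mode_of "$1")
    owner=$(ls -ld "$1" | awk '{print $3}')
    group=$(ls -ld "$1" | awk '{print $4}')
    case "$m" in
        ???[sS]*)    printf 'suid-%s\n' "$owner" ;;
        ??????[sS]*) printf 'sgid-%s\n' "$group" ;;
        *)           printf 'none\n' ;;
    esac
}

# Replace setuid-root with setgid GROUP: chmod 2755 clears the setuid bit and
# sets the setgid bit, giving the mail's "-rwxr-sr-x root shadow" shape.
# Usage: drop_suid_to_sgid BINARY GROUP
drop_suid_to_sgid() {
    chgrp "$2" "$1" && chmod 2755 "$1"
}

# Make a password database readable by root and GROUP only (mode 640,
# the mail's "-rw-r----- root shadow" shape). Usage: restrict_to_group FILE GROUP
restrict_to_group() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Stand-alone run against a scratch directory, so it is safe to execute as a
# normal user: the "xlock" and "shadow" here are constructed placeholder files.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    touch "$tmp/xlock" "$tmp/shadow"
    chmod 4755 "$tmp/xlock"
    echo "before: $(priv_class "$tmp/xlock") $(mode_of "$tmp/xlock")"
    drop_suid_to_sgid "$tmp/xlock" "$(id -gn)"
    restrict_to_group "$tmp/shadow" "$(id -gn)"
    echo "after:  $(priv_class "$tmp/xlock") $(mode_of "$tmp/xlock")"
    echo "shadow: $(mode_of "$tmp/shadow")"
    rm -rf "$tmp"
fi
```

Run `sh audit-xlock.sh --demo` to see the before/after mode strings on scratch files; to audit a real system, source the file and call `find_suid_owned /usr/X11R6/bin root` (or whatever directory holds the X binaries). The caveat a practitioner should keep in mind is that setgid only limits the blast radius: an overflow in a setgid-shadow xlock still hands an attacker the hashed passwords, so the group must contain nothing but root and the files must be readable by nothing else.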