(no subject)

From: Stan Bubrouski (binat_private)
Date: Sun Aug 22 1999 - 16:44:31 PDT


    Back in June when I was fooling around with some programs I was
    writing, I found a serious buffer overflow in WindowMaker 0.60.0
    and 0.52, but I assume previous versions are vulnerable as well.
    By replacing argv[0] of a program with a string longer than 249
    characters, it is possible to overflow one of the program's
    buffers, causing it, and possibly X as well, to crash. It is
    assumed this can be exploited remotely if you run an insecure X
    server. By default some distributions of Linux like RedHat come
    with X configured to allow everyone in the outside world access
    to your X server. Anyway, here is the guilty section of code,
    from wdefaults.c:
    
    ...
       char buffer[256];   /* fixed-size stack buffer */
    ...
    ...
        if (class && instance)
          /* no length check on instance or class before the copies */
          key1 = PLMakeString(strcat(strcat(strcpy(buffer, instance), "."), class));
        else
    
    
    The problem is obvious. But it gets worse. That line of code
    occurs more than once in WindowMaker, and besides that there are
    several other overflows possible by using long program names. To
    see if you're vulnerable, fire up WindowMaker and in an xterm
    window or whatever try:
    
    doexec xbill `perl -e'print "A" x 250;'`
    
    That will replace argv[0] with 250 A's. Doexec is a program that
    comes installed by default on RedHat systems; all it does is
    replace argv[x] values. I used it because it's the easiest way
    to illustrate the problem. Unfortunately the problem gets even
    more complicated. While I tried to figure out a fix for the
    problem, I started getting crashes from LibPropList. Apparently
    that too is full of bad programming as well, because
    PLMakeString() overflows when it receives large strings, over
    256 characters in length I think. I discovered this over 2
    months ago so I may have left something out. WindowMaker 0.60.0
    has some sort of thing going that catches crashes but it may
    still be exploitable; you'll have to try it to see what I mean.
    Version 0.52 is definitely exploitable. If you wanna get more
    details just start WindowMaker from gdb and watch it go bye-bye.
    
    -Stan Bubrouski
    binat_private
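As an added example (editor's code, not WindowMaker's or the poster's), the following counts the bytes the unchecked strcpy/strcat chain quoted above writes into its 256-byte buffer for a given program name, and shows a bounded replacement that refuses names that do not fit instead of overflowing. The class string "XBill" for the xbill test is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bytes the unchecked strcpy/strcat chain writes for "instance.class":
 * both strings, the '.', and the NUL. Comparing this against the 256-byte
 * stack buffer is the audit check; anything larger is a stack overflow. */
size_t key_bytes_needed(const char *instance, const char *class)
{
    return strlen(instance) + 1 + strlen(class) + 1;
}

bool unsafe_would_overflow(size_t buflen, const char *instance, const char *class)
{
    return key_bytes_needed(instance, class) > buflen;
}

/* Hardened replacement for the quoted line. snprintf never writes past
 * buflen and returns the length it wanted to write; a value >= buflen means
 * the key was truncated, reported here as failure so the caller can reject
 * the oversized name instead of looking up a silently mangled key. */
bool make_key_safe(char *buffer, size_t buflen,
                   const char *instance, const char *class)
{
    if (buffer == NULL || instance == NULL || class == NULL || buflen == 0)
        return false;
    int n = snprintf(buffer, buflen, "%s.%s", instance, class);
    return n >= 0 && (size_t)n < buflen;
}

/* Constructed argv[0]-style name of len 'A's, like the report's doexec test.
 * out must hold len + 1 bytes. */
void fill_name(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

int main(void)
{
    char name[512], key[256];
    for (size_t len = 248; len <= 251; len++) {
        fill_name(name, len);
        printf("argv[0] of %zu bytes: unchecked chain writes %zu, overflows=%d, "
               "bounded build ok=%d\n", len, key_bytes_needed(name, "XBill"),
               unsafe_would_overflow(sizeof key, name, "XBill"),
               make_key_safe(key, sizeof key, name, "XBill"));
    }
    return 0;
}
```

With a 5-character class, a 249-byte name fills the buffer exactly and a 250-byte name is the first one past it, matching the "longer than 249 characters" figure in the report.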
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:58 PDT