[14539] in bugtraq
XFree86 server overflow - exploit issues
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sun Apr 16 23:45:54 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10004161934510.780-100000@localhost>
Date: Sun, 16 Apr 2000 19:45:59 +0200
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
From: Michal Zalewski <lcamtuf@TPI.PL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10004161835150.863-100000@localhost>
While trying to exploit this overflow, I noticed that the problem lies in
a _lovely_ strcpy() call, which overwrites the stack. Unfortunately, any
'offending' non-alphanumeric characters are replaced with '_' somewhere
before. Uh, most people will say "it's impossible to write alphanumeric
shellcode, so it is not exploitable". That's not true. Please take note:
we don't have to put shellcode there. It might be present anywhere, e.g. as
any other parameter, read from some user-specified file, or it might even
not be present at all (please refer to articles on defeating non-executable
stacks). All we need is to modify some ptr (and we don't have to modify the
whole address, maybe only one byte) on the stack, or alter some variable -
the Xserver is a pretty complex creature and we have a wonderful playfield
here. I strongly believe it's exploitable by an average code hacker within
an hour or so. Please think twice before assuming it is not - because it is
for sure _worth_ an exploit :) We're currently working on it, but it
probably isn't the best idea to post it for the public (script kitties ;).
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
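The situation the post describes, as an added example that is not part of the original message and not XFree86 code: attacker data is first filtered to alphanumerics (everything else becomes '_'), then copied with a strcpy()-style unbounded copy into a 16-byte field that is followed in memory by other state. The frame layout (a pointer-sized slot and an integer flag after the name field), the initial pointer value 0x08049abc and the inputs are all constructed for this demonstration. It shows the three points the post makes: the filter kills shellcode bytes but not the overflow itself; a single byte (here the copy's own terminating NUL) is enough to alter a pointer; and a plain variable behind the buffer can be set to a nonzero value using only alphanumeric bytes.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed frame layout (hypothetical, not the X server's):
 *   raw[0..16)   name field the overflowing copy targets
 *   raw[16..20)  a pointer-sized slot, little-endian bytes of 0x08049abc
 *   raw[20..24)  an integer "privileged" flag, initially 0
 * It is modelled as one raw byte array so the copy stays inside a single
 * object and the layout is identical on every compiler.
 */
enum { NAME_LEN = 16, SLOT_OFF = 16, FLAG_OFF = 20, FRAME_LEN = 32 };

struct frame {
    unsigned char raw[FRAME_LEN];
};

static void frame_init(struct frame *f) {
    memset(f->raw, 0, sizeof f->raw);
    const unsigned char ptr_bytes[4] = { 0xbc, 0x9a, 0x04, 0x08 }; /* 0x08049abc, hypothetical */
    memcpy(f->raw + SLOT_OFF, ptr_bytes, sizeof ptr_bytes);
}

/* The filter the post mentions: every non-alphanumeric byte becomes '_'. */
static void sanitize(char *s) {
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s))
            *s = '_';
}

/* Behaves like strcpy(): copies up to and including the NUL, with no
 * knowledge that the destination field is only NAME_LEN bytes long. */
static void unbounded_copy(unsigned char *dst, const char *src) {
    while ((*dst++ = (unsigned char)*src++) != '\0')
        ;
}

/* Runs the vulnerable path on one input. Returns 0 on success, -1 if the
 * input would leave the modelled frame entirely; that cap exists only so
 * the example itself stays well-defined, the copy has no such check. */
int handle_name(const char *input, struct frame *f) {
    char tmp[FRAME_LEN];
    size_t n = strlen(input);
    if (n >= sizeof tmp)
        return -1;
    memcpy(tmp, input, n + 1);
    sanitize(tmp);               /* shellcode bytes are gone after this... */
    frame_init(f);
    unbounded_copy(f->raw, tmp); /* ...but the overflow is still here     */
    return 0;
}

/* Little-endian view of the 32-bit value stored at an offset. */
uint32_t frame_u32(const struct frame *f, int off) {
    return (uint32_t)f->raw[off]
         | (uint32_t)f->raw[off + 1] << 8
         | (uint32_t)f->raw[off + 2] << 16
         | (uint32_t)f->raw[off + 3] << 24;
}

int main(void) {
    struct frame f;

    /* 1. Benign input: slot and flag untouched. */
    handle_name("alice", &f);
    printf("benign:    slot=%08x flag=%08x\n", frame_u32(&f, SLOT_OFF), frame_u32(&f, FLAG_OFF));

    /* 2. Exactly NAME_LEN alphanumerics: only the terminating NUL spills
     *    over, zeroing the low byte of the pointer (0x08049abc -> 0x08049a00).
     *    One byte changed, and the pointer now aims 0xbc bytes earlier. */
    handle_name("AAAAAAAAAAAAAAAA", &f);
    printf("one byte:  slot=%08x flag=%08x\n", frame_u32(&f, SLOT_OFF), frame_u32(&f, FLAG_OFF));

    /* 3. Non-alphanumeric bytes behind the filler are turned into '_' (0x5f),
     *    so no shellcode survives, yet 0x5f5f5f5f still replaces the pointer. */
    handle_name("AAAAAAAAAAAAAAAA\xeb\x1f\x5e\x89", &f);
    printf("filtered:  slot=%08x flag=%08x\n", frame_u32(&f, SLOT_OFF), frame_u32(&f, FLAG_OFF));

    /* 4. Reach the variable behind the slot: the flag becomes 'Z' (0x5a),
     *    i.e. nonzero, using only alphanumeric bytes. */
    handle_name("AAAAAAAAAAAAAAAABBBBZ", &f);
    printf("flag set:  slot=%08x flag=%08x\n", frame_u32(&f, SLOT_OFF), frame_u32(&f, FLAG_OFF));
    return 0;
}
```

The point of case 2 is that the attacker does not even need a byte of their own to land in the pointer: strcpy() supplies the NUL, so sizing the input to end exactly at the field boundary is a one-byte partial overwrite for free. Where a real target's layout puts a return address, a function pointer or an access-control variable after such a buffer, that byte is the whole exploit, and the shellcode (if any) can live in any other, unfiltered parameter.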