[14548] in bugtraq

Re: XFree86 server overflow

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Apr 17 17:55:44 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000417105240.L25569@monad.swb.de>
Date:         Mon, 17 Apr 2000 10:52:40 +0200
Reply-To: Olaf Kirch <okir@CALDERA.DE>
From: Olaf Kirch <okir@CALDERA.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10004161835150.863-100000@localhost>; from
              lcamtuf@TPI.PL on Sun, Apr 16, 2000 at 06:54:41PM +0200

On Sun, Apr 16, 2000 at 06:54:41PM +0200, Michal Zalewski wrote:
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
> matter it's setuid, or called from setuid Xwrapper - works in both cases,
> seems to me Xwrapper in default RH 6.x distro is rather dumb ;)

I don't know what Redhat uses for their Xwrapper, but here's the
code from vanilla XFree3.3.6 (xc/programs/Xserver/os/wrapper.c),
slightly paraphrased:

	#define MAX_ARG_LENGTH		128

	if (!bad && geteuid() == 0 && getuid() != geteuid()) {
		for (i = 1; i < argc; i++) {
			...
			if (strlen(argv[i]) > MAX_ARG_LENGTH) {
				bad = ArgTooLong;
				break;
			}
			...
		}
	}

It appears that this vulnerability requires you to have uid 0
in order to exploit it...

Olaf

PS: The current XFree4.0 snapshot comes without Xwrapper, supposedly
because it Does Things Right[TM].
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
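
The snippet Olaf quotes is worth seeing in motion: the MAX_ARG_LENGTH check sits inside `geteuid() == 0 && getuid() != geteuid()`, so it fires only when the wrapper is setuid root and was started by a non-root user. Root (or a non-setuid install) reaches the real server with argv unchecked, which is the basis for the "requires uid 0" observation. The program below is an added example, not code from XFree86 or from the original post. It reproduces the quoted control flow with the real and effective uids passed in as parameters instead of read from getuid()/geteuid(), so both invoker cases can be run without a setuid binary, and sets a hardened variant beside it that applies the limit unconditionally. The function names, the Ok/ArgTooLong status values and the constructed argv are assumptions made for the demonstration; the hardened variant is a suggestion of this example, not an XFree86 fix.

```c
/*
 * Added example: a model of the Xwrapper argument-length check quoted
 * above. Not XFree86 code and not code from the original post; the
 * function names, status values and the constructed argv are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_ARG_LENGTH 128      /* same limit as the quoted snippet */
#define SAMPLE_ARG_MAX 512      /* size cap for the constructed argument */

enum WrapperStatus { Ok = 0, ArgTooLong = 1 };

/*
 * Same control flow as the quoted wrapper.c fragment, with uid/euid
 * passed in. The check runs only when the wrapper is effectively root
 * AND the invoker is not root; a uid-0 invoker, or a non-setuid
 * install, passes argv through unchecked.
 */
static enum WrapperStatus
wrapper_check(int argc, char **argv, uid_t uid, uid_t euid)
{
    enum WrapperStatus bad = Ok;
    int i;

    if (bad == Ok && euid == 0 && uid != euid) {
        for (i = 1; i < argc; i++) {
            if (strlen(argv[i]) > MAX_ARG_LENGTH) {
                bad = ArgTooLong;
                break;
            }
        }
    }
    return bad;
}

/*
 * Hardened variant (assumption of this example, not an XFree86 fix):
 * enforce the limit for every invoker, since it is the server's own
 * argument handling that overflows, not the wrapper's.
 */
static enum WrapperStatus
wrapper_check_unconditional(int argc, char **argv)
{
    int i;

    for (i = 1; i < argc; i++)
        if (strlen(argv[i]) > MAX_ARG_LENGTH)
            return ArgTooLong;
    return Ok;
}

/* Constructed argv { "Xwrapper", "AAAA...", NULL }, argv[1] of arglen bytes. */
static int
build_argv(char **argv, char *buf, size_t arglen)
{
    static char argv0[] = "Xwrapper";   /* constructed argv[0] */

    if (arglen > SAMPLE_ARG_MAX)
        arglen = SAMPLE_ARG_MAX;
    memset(buf, 'A', arglen);
    buf[arglen] = '\0';
    argv[0] = argv0;
    argv[1] = buf;
    argv[2] = NULL;
    return 2;                           /* argc */
}

/* Quoted check for a given invoker against one argument of arglen bytes. */
enum WrapperStatus
run_wrapper_check(uid_t uid, uid_t euid, size_t arglen)
{
    char buf[SAMPLE_ARG_MAX + 1];
    char *argv[3];
    int argc = build_argv(argv, buf, arglen);

    return wrapper_check(argc, argv, uid, euid);
}

/* Hardened check against the same constructed argv. */
enum WrapperStatus
run_unconditional_check(size_t arglen)
{
    char buf[SAMPLE_ARG_MAX + 1];
    char *argv[3];
    int argc = build_argv(argv, buf, arglen);

    return wrapper_check_unconditional(argc, argv);
}

int
main(void)
{
    struct { uid_t uid, euid; } who[] = {
        { 1000, 0 },    /* setuid-root wrapper started by an ordinary user */
        { 0, 0 },       /* started by root */
        { 1000, 1000 }  /* not setuid at all */
    };
    size_t n;

    for (n = 0; n < sizeof who / sizeof who[0]; n++)
        printf("uid=%u euid=%u, 129-byte arg: quoted check %s, unconditional %s\n",
               (unsigned)who[n].uid, (unsigned)who[n].euid,
               run_wrapper_check(who[n].uid, who[n].euid, 129) == ArgTooLong
                   ? "rejects" : "passes it through",
               run_unconditional_check(129) == ArgTooLong
                   ? "rejects" : "passes it through");
    return 0;
}
```

Running it shows the 129-byte argument rejected only in the first row (ordinary user, setuid wrapper) and passed through for the root and non-setuid rows, while the unconditional variant rejects it in every row; a 128-byte argument is accepted by both, since the quoted test is `>` rather than `>=`.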

home help back first fref pref prev next nref lref last post