[14551] in bugtraq
Re: XFree86 server overflow
daemon@ATHENA.MIT.EDU (Valentin Pavlov)
Mon Apr 17 18:29:37 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38FADCD8.42F92A34@rila.bg>
Date: Mon, 17 Apr 2000 12:43:52 +0300
Reply-To: Valentin Pavlov <vpavlov@RILA.BG>
From: Valentin Pavlov <vpavlov@RILA.BG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
XFree86 4.0.0 does not seem to be vulnerable to this... A look at the
sources also proves it.
Michal Zalewski wrote:
>
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
> matter whether it's setuid, or called from setuid Xwrapper - works in both cases,
> seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with
> -xkbmap parameter and over 2100 'A's (or shellcode, again, it's rather
> trivial to exploit :), you'll get beautiful overflow with root privileges
> in main (Xserver) process...
>
> listen to the gdb... Cannot access memory at address 0x41414141.
>
> This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6),
> and:
>
> XFCom_i810 Version 1.0.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6300)
> Release Date: October 13 1999
>
> Btw. while testing this bug, we have noticed strange behaviour of some
> drivers. For example, in one case we get a kernel oops, just like that
> (linux 2.2.14, XFree86 3.3.6 XF86_S3V):
>
> eip: 41414141 eflags: 00013296
> eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
> esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
> Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
>
> :)
>
> _______________________________________________________
> Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
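As an added illustration of the bug class in the quoted report, and not code from XFree86 or from either poster: a command-line option value copied into a fixed-size stack buffer with no length check, beside a bounded version that rejects an oversize value outright. The 2048-byte buffer size, the function names and the "reject rather than truncate" policy are assumptions for the example; the report only says that more than 2100 bytes of 'A' (0x41, hence EIP = 0x41414141 in the oops) is enough to trigger it.

```c
/* Constructed example: the argv-to-fixed-buffer copy pattern behind an
 * -xkbmap style overflow, next to a bounds-checked version.
 * Not XFree86 source; MAP_BUF is an assumed size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAP_BUF 2048   /* assumed; the real buffer size is not given in the post */

/* Unsafe pattern: the option value is copied with no length check, so a
 * value longer than the buffer runs past it and overwrites the saved
 * return address. In a setuid X server that is a root compromise.
 * Shown only for the shape of the bug; never feed it untrusted input. */
void xkbmap_unsafe(const char *arg)
{
    char map[MAP_BUF];
    strcpy(map, arg);              /* overflow if strlen(arg) >= MAP_BUF */
    (void)map;
}

/* Bounded version: refuse a value that does not fit (including its NUL)
 * instead of silently truncating it, so a partial name cannot be
 * smuggled through either. Returns 0 on success, -1 on rejection;
 * dst is left untouched on rejection. */
int xkbmap_set(const char *arg, char *dst, size_t dstsz)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;                 /* no room for the terminating NUL */
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Build the kind of argument the report describes: n bytes of 'A' (0x41),
 * NUL-terminated. Caller frees the result. */
char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char map[MAP_BUF];
    char *bad = make_a_string(2100);   /* "over 2100 of 'A's" */
    if (!bad)
        return 1;
    if (xkbmap_set(bad, map, sizeof map) < 0)
        printf("rejected %zu-byte -xkbmap value\n", strlen(bad));
    if (xkbmap_set("us", map, sizeof map) == 0)
        printf("accepted -xkbmap %s\n", map);
    free(bad);
    return 0;
}
```

The check in xkbmap_set is the whole fix: compare the incoming length against the destination size before any byte is written, and treat an oversize value as an error rather than something to trim, because a setuid program has no trustworthy caller to be lenient with.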