[14552] in bugtraq
Re: XFree86 server overflow
daemon@ATHENA.MIT.EDU (Paweł Sakowski)
Mon Apr 17 18:59:00 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0004171929410.7274-100000@jupiter.sakowski.eu.org>
Date: Mon, 17 Apr 2000 20:11:55 +0200
Reply-To: Paweł Sakowski <pawel@LO13.UNIV.SZCZECIN.PL>
From: Paweł Sakowski <pawel@LO13.UNIV.SZCZECIN.PL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10004161835150.863-100000@localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running the X server (no
> matter whether it's setuid or called from the setuid Xwrapper - works in both
> cases, seems to me Xwrapper in the default RH 6.x distro is rather dumb ;) with
> the -xkbmap parameter and over 2100 'A's (or shellcode, again, it's rather
> trivial to exploit :), you'll get a beautiful overflow with root privileges
> in the main (Xserver) process...
I dare disagree:
$ Xwrapper -xkbmap `perl -e 'print "A"x3000'`
Command line argument number 2 is too long
[...]
This is plain RedHat 6.2 and the command line gets refused whenever a
non-root user tries to supply an arg longer than 128 chars.
- --
#include <stddisclaimer.h>
PGP Public Key: finger://sakowski.eu.org/pawel
hkp://horowitz.surfnet.nl/pawel@sakowski.eu.org
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQA/AwUBOPtUPr5fvVhp3VoPEQLuFQCfSPl7lGV756WcBmBz5zSiteU2apcAoKY7
oxtyN6bTfHUyTDk8O7zEHm74
=YsmG
-----END PGP SIGNATURE-----
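The argument-length gate the reply describes, written out as an added example in C. This is not the Red Hat Xwrapper source and not code from either poster: the per-argument limit of 128 for non-root callers and the root exemption follow the reply's description, while the function names, the 256-byte map-name buffer and the bounded copy on the server side are assumptions made for illustration. The point is that a setuid wrapper which refuses oversize arguments before exec'ing the real server stops the `-xkbmap` overflow at the door, and that the server's own handler should still copy the value with a length check rather than an unchecked strcpy().

```c
/* Added example, not the real Xwrapper or XFree86 code.
 * MAX_ARG_LEN and XKBMAP_BUF are assumed values chosen for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_ARG_LEN 128   /* assumed: per-argument limit for non-root callers */
#define XKBMAP_BUF  256   /* assumed: size of the fixed buffer holding the map name */

/* Length of s, but never scanning more than limit+1 bytes, so a 3000-byte
 * argument costs nothing extra. A result of limit+1 means "longer than limit". */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Wrapper-side check. Returns 0 when every argument is acceptable, otherwise
 * the 1-based index of the first argument that is too long. Root is exempt,
 * matching the behaviour the reply reports for non-root callers only. */
int check_arg_lengths(int argc, char *const argv[], uid_t caller_uid, size_t max_len)
{
    if (caller_uid == 0)
        return 0;
    for (int i = 1; i < argc; i++) {
        if (bounded_len(argv[i], max_len) > max_len)
            return i;
    }
    return 0;
}

/* Server-side counterpart: store the -xkbmap value in a fixed buffer only if
 * it fits, instead of an unchecked strcpy(). Returns 1 on success, 0 if the
 * value was rejected. Nothing is written to dst on rejection. */
int set_xkbmap_name(char *dst, size_t dst_size, const char *value)
{
    size_t n = bounded_len(value, dst_size - 1);
    if (n >= dst_size)
        return 0;               /* would not fit with its terminator: refuse */
    memcpy(dst, value, n + 1);  /* n+1 copies the NUL as well */
    return 1;
}

int main(int argc, char *argv[])
{
    int bad = check_arg_lengths(argc, argv, getuid(), MAX_ARG_LEN);
    if (bad) {
        /* Same wording as the message the reply quotes from Red Hat 6.2 */
        fprintf(stderr, "Command line argument number %d is too long\n", bad);
        return 1;
    }
    char mapname[XKBMAP_BUF];
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-xkbmap") == 0) {
            if (!set_xkbmap_name(mapname, sizeof mapname, argv[i + 1])) {
                fprintf(stderr, "-xkbmap value too long\n");
                return 1;
            }
            printf("xkbmap set to %s\n", mapname);
        }
    }
    return 0;
}
```

Run as a non-root user with `-xkbmap $(perl -e 'print "A"x3000')` the wrapper check rejects argument 2 before anything is copied; run as root the check is skipped, which is exactly why the server-side bounded copy is still needed rather than relying on the wrapper alone.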