[5973] in bugtraq

Re: Xserver stack smashed -- wrapper

daemon@ATHENA.MIT.EDU (Scott A Crosby)
Thu Jan 15 13:51:43 1998

Date: 	Thu, 15 Jan 1998 02:46:36 -0500
Reply-To: Scott A Crosby <crosby@QWE0.MATH.CMU.EDU>
From: Scott A Crosby <crosby@QWE0.MATH.CMU.EDU>
X-To:         Cotfas Vladimir-Marian <ulianov@MECANICA.MATH.UNIBUC.RO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199801141532.RAA01024@mecanica.math.unibuc.ro>

On Wed, 14 Jan 1998, Cotfas Vladimir-Marian wrote:

[snip]

>
> Here's a wrapper for this bug and for the older XF86 security vulnerability
> (i.e. XF86_XX -config /etc/shadow)
>
> Vladimir
>
> ----------------------------cut from here-------------------------------
> /*
>   Description: X server wrapper
>
>   Goals:
>    1. wrap the "-config" security vulnerability
>    2. wrap the :000000000000...00000000000000009 potential buffer overflow
>

I would add in a check for a singular arg > some maximum length:

It would also be a good idea to clean the environment before invoking
the Xserver. (left as an exercise for the reader)

Scott Crosby


----------------------------cut from here-------------------------------

--- x1.c        Thu Jan 15 02:25:26 1998
+++ x2.c        Thu Jan 15 02:40:59 1998
@@ -39,6 +39,7 @@
 */
 #define _DEBUG
 #define SIZE 1024
+#define MAX_LEN 240

 /* guaranteed filled with NULLs by UNIX */
 char* args[SIZE];
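
Review bot: `#define MAX_LEN 240` is added with no comment saying what it bounds or why 240 was chosen. Add a comment that it limits the length of a single command-line argument and, because the check later in the patch uses `>=`, that the longest accepted argument is MAX_LEN - 1 characters. A more specific name such as MAX_ARG_LEN would also keep it from being confused with the neighbouring `SIZE`, which sizes `args[]`.
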
@@ -75,6 +76,11 @@
          syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n",
                  i, pass->pw_name);
          i++;
+         continue;
+      }
+      if(strlen(argv[i]) >= MAX_LEN){
+         syslog(LOG_NOTICE, "too long arg at #%d user %s \n", i, pass->pw_name);
+        i++;
          continue;
       }
       if(argsCount >= SIZE){
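
Review bot: the new branch at `if(strlen(argv[i]) >= MAX_LEN)` logs the over-long argument and then skips it with `i++; continue;`, so processing goes on with one argument silently dropped. For a security wrapper it would be safer to log and exit at that point rather than continue with a command line the user did not supply; if skipping is intended, say so in a comment. Two style points in the same branch: the `i++;` line is indented one column less than its neighbours, and the trailing " \n" in the syslog format string is not needed.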

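
The reply leaves environment cleaning as an exercise; one way to do it is sketched here as an added example, not code from the post or from the wrapper. The allowlist, the fixed PATH value, ENV_CAP and the function names are assumptions, and MAX_LEN reuses the patch's value as a bound on each environment string.

```c
/* Added example: scrub the environment before exec'ing the X server.
   SAFE_PATH, ALLOWED, ENV_CAP and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_LEN 240   /* per-string bound, same value as the patch */
#define ENV_CAP 16    /* assumed size of the output array */

static char SAFE_PATH[] = "PATH=/usr/bin:/bin";                /* assumed */
static const char *ALLOWED[] = { "HOME", "TZ", "TERM", NULL }; /* assumed */

/* 1 if entry is NAME=value, NAME is allowlisted, and the whole
   string is shorter than MAX_LEN; 0 otherwise. */
static int env_entry_ok(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, nlen;
    if (eq == NULL || eq == entry || strlen(entry) >= MAX_LEN)
        return 0;
    nlen = (size_t)(eq - entry);
    for (i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == nlen && strncmp(entry, ALLOWED[i], nlen) == 0)
            return 1;
    return 0;
}

/* Build out[] (NULL-terminated, ENV_CAP slots) from a fixed PATH plus
   the entries of in[] that pass env_entry_ok(); returns the count. */
static int clean_env(char *const in[], char *out[])
{
    int n = 0, i;
    out[n++] = SAFE_PATH;
    for (i = 0; in[i] != NULL && n < ENV_CAP - 1; i++)
        if (env_entry_ok(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* constructed sample environment, not taken from the post */
    char *sample[] = { "LD_PRELOAD=/tmp/x.so", "HOME=/home/u", "PATH=/tmp", "TZ=UTC", NULL };
    char *env[ENV_CAP];
    int i, n = clean_env(sample, env);
    for (i = 0; i < n; i++)
        puts(env[i]);   /* env is what would be handed to execve() */
    return 0;
}
```

The caller's PATH is never copied; the wrapper always supplies its own, and anything not on the allowlist or not in NAME=value form is dropped.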