[17219] in bugtraq


Re: another Xlib buffer overflow

daemon@ATHENA.MIT.EDU (Robert van der Meulen)
Mon Oct 16 01:01:24 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20001014040313.A28885@cistron.nl>
Date:         Sat, 14 Oct 2000 04:03:13 +0200
Reply-To: Robert van der Meulen <rvdm@CISTRON.NL>
From: Robert van der Meulen <rvdm@CISTRON.NL>
X-To:         Michal Zalewski <lcamtuf@dione.ids.pl>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0010140134230.2108-100000@dione.ids.pl>; from
              lcamtuf@dione.ids.pl on Sat, Oct 14, 2000 at 01:34:40AM +0200

Quoting Michal Zalewski (lcamtuf@dione.ids.pl):
> On Sat, 14 Oct 2000, Robert van der Meulen wrote:
> > ii  xserver-svga   3.3.6-10       X server for SVGA graphics cards
> > <rvdm@crypt:~> export DISPLAY=`perl -e '{print "0" x 128}'`
> Couldn't see ':' there.
It's late at night, and I'm stupid ;)

I've been looking a bit further into this. This actually _does_ trigger
segfaults on both woody and potato.
The problem is that the display number can only contain numeric values
(Xlib does check _that_). This seriously limits possibilities for inserting
shellcode. With only the hex values of '0' to '9' an actual shellcode isn't
possible, but jumping to different addresses is possible.

Greets,
	Robert van der Meulen / Emphyrio

--
|      rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
                Marijuana is nature's way of saying, "Hi!".
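The post above shows the two checks a DISPLAY parser has to make: the display number must be numeric, and its length must be bounded before it is copied anywhere. The following is an added example, not Xlib's code and not from the original message; it is a hypothetical, bounds-checked parser for the "host:display.screen" form with limits (MAX_HOST_LEN, MAX_DISPLAY_DIGITS) that are assumptions chosen for the example, and it reproduces the post's test input (':' followed by 128 '0' characters, constructed here) to show it being rejected instead of overflowing a buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example; real Xlib has its own buffer sizes. */
#define MAX_HOST_LEN        255
#define MAX_DISPLAY_DIGITS  5      /* enough for 0..65535 */

struct display_spec {
    char host[MAX_HOST_LEN + 1];   /* empty string means "local" */
    unsigned display;
    unsigned screen;
};

/* Read a run of digits with a length cap. Returns digit count, or 0 on
 * missing digits / too many digits. The value is stored in *out. */
static size_t read_number(const char *p, unsigned *out)
{
    size_t n = 0;
    unsigned long v = 0;
    while (isdigit((unsigned char)p[n])) {
        if (++n > MAX_DISPLAY_DIGITS)
            return 0;                  /* overlong numeric field: reject */
        v = v * 10 + (unsigned)(p[n - 1] - '0');
    }
    *out = (unsigned)v;
    return n;
}

/* parse_display: parse "[host]:display[.screen]" into *out.
 * Every field is length-checked before it is copied, and the display and
 * screen fields must be purely numeric (the check the post says Xlib does). */
bool parse_display(const char *s, struct display_spec *out)
{
    if (s == NULL || out == NULL)
        return false;

    const char *colon = strchr(s, ':');
    if (colon == NULL)
        return false;                  /* ':' is mandatory (the quoted reply's point) */

    size_t hostlen = (size_t)(colon - s);
    if (hostlen > MAX_HOST_LEN)
        return false;                  /* would overflow out->host: reject */
    memcpy(out->host, s, hostlen);
    out->host[hostlen] = '\0';

    const char *p = colon + 1;
    size_t n = read_number(p, &out->display);
    if (n == 0)
        return false;
    p += n;

    out->screen = 0;
    if (*p == '.') {
        n = read_number(p + 1, &out->screen);
        if (n == 0)
            return false;
        p += 1 + n;
    }
    return *p == '\0';                 /* nothing may trail the spec */
}

/* Convenience wrappers so results can be inspected without a struct. */
bool display_is_valid(const char *s)
{
    struct display_spec d;
    return parse_display(s, &d);
}

int display_number(const char *s)      /* -1 when the spec is rejected */
{
    struct display_spec d;
    return parse_display(s, &d) ? (int)d.display : -1;
}

/* Constructed sample mirroring the post's test: ':' then 128 '0' characters. */
bool overlong_display_is_rejected(void)
{
    char buf[1 + 128 + 1];
    buf[0] = ':';
    memset(buf + 1, '0', 128);
    buf[129] = '\0';
    return !display_is_valid(buf);
}

int main(void)
{
    printf(":0 valid: %d\n", display_is_valid(":0"));
    printf("localhost:10.1 display: %d\n", display_number("localhost:10.1"));
    printf("128 zeros rejected: %d\n", overlong_display_is_rejected());
    return 0;
}
```

The length cap is applied inside read_number before any arithmetic or copy, so the rejection of the 128-digit input does not depend on the size of any destination buffer.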
