Bug in libXcursor, is it exploitable?
From: gr00vy (groovy2600@yahoo.com.ar)
Date: Sat Nov 08 2003 - 19:23:35 CST
INTRO:
------------------------------------------------------------------
off-by-one bug in libXcursor that shows up when $HOME does not start
with a '/'.
THE QUESTION:
------------------------------------------------------------------
Could this bug compromise a system? In what cases?
TEST:
------------------------------------------------------------------
root@zencracking:/root# HOME=%n%n%n%n%n%n
root@zencracking:/root# xterm    << not necessarily xterm; any program that uses libXcursor will SIGSEGV
Segmentation fault
root@zencracking:/root# gdb xterm
(gdb) r
Starting program: /root/xterm-181/xterm
Program received signal SIGSEGV, Segmentation fault.
0x4026e5bd in _int_malloc () from /lib/libc.so.6
(gdb) bt
#0 0x4026e5bd in _int_malloc () from /lib/libc.so.6
#1 0x4026d6b5 in malloc () from /lib/libc.so.6
#2 0x4025c003 in __fopen_internal () from /lib/libc.so.6
#3 0x4025c0ce in fopen@@GLIBC_2.1 () from /lib/libc.so.6
#4 0x4001e47a in XcursorFilenameSave () from /usr/X11R6/lib/libXcursor.so.1
#5 0x4001e616 in XcursorLibraryLoadImages () from /usr/X11R6/lib/libXcursor.so.1
#6 0x4001e824 in XcursorShapeLoadImages () from /usr/X11R6/lib/libXcursor.so.1
#7 0x4001eb6e in XcursorTryShapeCursor () from /usr/X11R6/lib/libXcursor.so.1
#8 0x4012d628 in _XTryShapeCursor () from usr/X11R6/lib/libX11.so.6
#9 0x4012d9e9 in XCreateGlyphCursor () from usr/X11R6/lib/libX11.so.6
#10 0x4012de59 in XCreateFontCursor () from usr/X11R6/lib/libX11.so.6
#11 0x0805f3ce in make_colored_cursor (cursorindex=68, fg=0, bg=16777215) at misc.c:216
#12 0x0805b578 in get_terminal () at main.c:2467
#13 0x0805b019 in main (argc=0, argv=0xbffff9e8) at main.c:2111
#14 0x4020dbb4 in __libc_start_main () from /lib/libc.so.6
(gdb) i r
eax 0x808e780 134801280
ecx 0x40327300 1077048064
edx 0x40327354 1077048148
ebx 0x40326234 1077043764
esp 0xbffff650 0xbffff650
ebp 0xbffff688 0xbffff688
esi 0x0 0
edi 0x0 0
eip 0x4026e5bd 0x4026e5bd
eflags 0x10206 66054
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
Regards
THE FIX BY David Dawes <dawes@x-oz.com>:
-----------------------------------------------------------
Index: xc/lib/Xcursor/library.c
===================================================================
RCS file: /home/x-cvs/xc/lib/Xcursor/library.c,v
retrieving revision 1.2
diff -u -r1.2 library.c
--- library.c 26 Jan 2003 03:22:42 -0000 1.2
+++ library.c 7 Nov 2003 17:48:21 -0000

-101,6 +101,9 
if (!home)
return 0;
homelen = strlen (home);
+ /* A '/' gets prepended if $HOME doesn't start with one. */
+ if (home[0] != '/')
+ homelen++;
dir++;
dirlen--;
}
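Review bot: the hunk corrects the reservation for $HOME, but the visible lines stop short of where homelen is turned into the buffer size and where the leading '/' is actually written, so confirm that the same homelen value drives both the allocation and the copy; otherwise the count and the write can still drift apart. Note that an empty $HOME also takes the new branch (home[0] is the NUL), which is right only if the library still prepends a '/' in that case. A one-byte heap under-allocation is consistent with the crash inside _int_malloc shown in the backtrace above, so a regression check with HOME set to a value without a leading '/' (and to the empty string) belongs alongside this change.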
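As an added illustration, not taken from the post or from libXcursor, the following constructed model compares the bytes reserved for $HOME with the bytes actually written when a '/' is prepended, using the post's HOME value as sample input. It assumes, from the patch comment, that the library appends $HOME behind a '/' separator and does not double leading slashes; model_add_elt, home_reserved, home_written and home_shortfall are names chosen here.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the accounting the patch corrects, not libXcursor's
 * code. Assumption: $HOME is appended behind a '/' separator (the patch says
 * one is prepended) and leading slashes in the element are not doubled. */

/* Append elt after a '/' (unless path already ends in one), skipping leading
 * slashes in elt. Returns the new length, excluding the NUL. */
static size_t model_add_elt(char *path, size_t pathlen, const char *elt)
{
    if (pathlen == 0 || path[pathlen - 1] != '/')
        path[pathlen++] = '/';
    while (*elt == '/')
        elt++;
    size_t n = strlen(elt);
    memcpy(path + pathlen, elt, n);
    path[pathlen + n] = '\0';
    return pathlen + n;
}

/* Bytes reserved for $HOME: strlen(home) before the patch; with the patch,
 * one more when home lacks a leading '/' (the hunk's homelen++). */
size_t home_reserved(const char *home, int patched)
{
    size_t homelen = strlen(home);
    if (patched && home[0] != '/')
        homelen++;
    return homelen;
}

/* Bytes the model writes for $HOME (without NUL). The scratch buffer is an
 * upper bound (separator + element + NUL), so the model stays in bounds. */
size_t home_written(const char *home)
{
    char *scratch = malloc(strlen(home) + 2);
    if (!scratch)
        return 0;
    size_t n = model_add_elt(scratch, 0, home);
    free(scratch);
    return n;
}

/* Bytes written beyond the reservation: 1 is the off-by-one, 0 is safe. */
long home_shortfall(const char *home, int patched)
{
    return (long)home_written(home) - (long)home_reserved(home, patched);
}
```

For the post's HOME value home_shortfall returns 1 without the patch and 0 with it, and an empty HOME shows the same one-byte gap, which is the edge case the new comparison silently covers.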