Vulnerability Development: Re: possible gnome remote overflow

Re: possible gnome remote overflow

From: kay <kay_at_PHREEDOM.ORG>
Date: Wed, 20 Oct 1999 13:42:20 +0300

On Tue, Oct 19, 1999 at 01:58:17AM +0000, Crispin Cowan wrote:
> Ryan Permeh wrote:
>
> > This will crash an open X session, even from remote. I do not know a
> > lot about gnome, but I do know X sessions crashing is generally
> > regarded as a "Bad Thing". I poked at the code a bit, but couldn't
> > find the piece where this is likely happening.

I'm not a GNOME guru either, but:

The program you refer to as gnome-ses is actually gnome-session, and it is
responsible for managing users' sessions (e.g. saving information about
active tasks, desktop geometry etc., on logout and restore everything on
the next logon).

Next, I failed to reproduce this on Debian Potato (unstable, upgraded up to
19 Oct 1999) using:

Linux kernel 2.2.12 + OpenWall ow6 patch
GNOME October Release
GNU libc 2.1.2
XFree86 3.3.5

First as a normal user I started a GNOME session using gdm (GNOME replacement
for xdm).

# dpkg -l libc6 gnome-session xlib6g gdm
[snip]
ii libc6 2.1.2-5 GNU C Library: Shared libraries and timezone
ii gnome-session 1.0.53-2 The Gnome Session Manager
ii xlib6g 3.3.5-1 shared libraries required by X clients
ii gdm 2.0-0.beta4.2 GNOME Display Manager
# lsof -i | grep gnome
gnome-ses 764 kay 3u inet 1054 TCP *:1029 (LISTEN)
gnome-nam 828 kay 4u inet 1295 TCP *:1039 (LISTEN)
gnomepage 839 kay 5u inet 1370 TCP *:1042 (LISTEN)
# dd if=/dev/urandom count=1048576 ibs=1024 | nc localhost 1029
[...]

Nothing happened; GNOME was running just fine during and after my flooding.

> If X and Gnome were StackGuarded, then you might get a present in your
> syslog telling you the name of the function containing the smashed buffer:
>
> * if the buffer was an auto variable
> * and if the function containing the buffer tried to return *before* the
> core dump happened

Really neat features, IMHO.

> Conversely, if someone can point us at an easy to recompile-from-source
> pile of source RPMs for the necessary Gnome components, then we might take
> a poke at it.

I think the GNOME distribution includes SRPM's as well as tarballs?

Regards,

--
key ID: 1024D/F00A7E3F (DSS)    user ID: kay <kay_at_phreedom.org>
fingerprint: DDCC 1A8C 30C5 8C7B C7E3  8808 02C3 1A5D F00A 7E3F
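The `lsof -i` listing above is what makes the report interesting from a defender's point of view: gnome-session, gnome-name-service and gnomepager are all bound to `*:<port>`, i.e. reachable from any interface, by a normal user's desktop session. The following is an added example (not code from the post or from the GNOME project) that parses that style of `lsof -i` output and reports which listeners are exposed on all interfaces rather than on loopback. The sample input is constructed to mirror the columns shown in the post (old lsof layout: COMMAND PID USER FD TYPE DEVICE NODE NAME), with a few extra lines added for contrast; the regex also tolerates the extra SIZE/OFF column that newer lsof versions print, which is an assumption about layout rather than something the post shows.

```python
"""Inventory TCP/UDP listeners from `lsof -i` output and flag the ones bound
to every interface.  Added example; the sample below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the `lsof -i | grep gnome` output in the post,
# plus a loopback-only listener and an established connection for contrast.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE NODE NAME
gnome-ses  764 kay     3u  inet   1054 TCP *:1029 (LISTEN)
gnome-nam  828 kay     4u  inet   1295 TCP *:1039 (LISTEN)
gnomepage  839 kay     5u  inet   1370 TCP *:1042 (LISTEN)
sshd       412 root    3u  inet    900 TCP *:22 (LISTEN)
ntpd       300 root    4u  inet    800 UDP *:123
cupsd      510 root    4u  inet   1100 TCP localhost:631 (LISTEN)
xterm      901 kay     5u  inet   2001 TCP localhost:1043->localhost:6000 (ESTABLISHED)
"""

# Host spellings lsof uses for "every interface" (assumed set, covers -n and -P too).
WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]", "::"}

# COMMAND PID USER, then 3 (old lsof) or 4 (newer lsof, with SIZE/OFF) columns
# we do not care about, then NODE (the protocol), NAME and an optional (STATE).
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?:\S+\s+){3,4}"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str
    host: str
    port: str
    wildcard: bool   # True when bound to all interfaces


def parse_listeners(text):
    """Return the sockets in `lsof -i` output that are actually listening."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header line or unknown layout
        # TCP sockets only count as listeners in LISTEN state; UDP has no state.
        if m.group("proto") == "TCP" and m.group("state") != "LISTEN":
            continue
        host, _, port = m.group("name").rpartition(":")
        found.append(Listener(
            command=m.group("cmd"), pid=int(m.group("pid")),
            user=m.group("user"), proto=m.group("proto"),
            host=host, port=port, wildcard=host in WILDCARD_HOSTS,
        ))
    return found


def wildcard_listeners(text):
    """Listeners reachable from any interface, i.e. candidates for firewalling
    or for binding to loopback instead."""
    return [l for l in parse_listeners(text) if l.wildcard]


def non_root_wildcard_listeners(text):
    """Subset opened by unprivileged users: desktop components such as the
    gnome-session listener in the post fall here."""
    return [l for l in wildcard_listeners(text) if l.user != "root"]


if __name__ == "__main__":
    for l in wildcard_listeners(SAMPLE_LSOF):
        print(f"{l.command:<10} pid={l.pid:<5} user={l.user:<6} "
              f"{l.proto} {l.host}:{l.port}")
```

Running it on the sample lists the three GNOME processes, sshd and ntpd, and leaves out cupsd (loopback only) and the xterm connection (not a listener). On a real host, feed it `lsof -i -n -P` output and treat every non-root wildcard entry as a service that a local flood test like the `dd | nc` one in the post can reach from the network, not just from localhost.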
Received on Oct 24 1999