Bugtraq mailing list archives
Re: XFree86 server overflow
From: trevor () JPJ NET (Trevor Johnson)
Date: Sun, 4 Jun 2000 06:49:51 -0400
On Sun, 16 Apr 2000, Michal Zalewski <lcamtuf () TPI PL> wrote:
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no matter it's setuid, or called from setuid Xwrapper - works in both cases, seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather trivial to exploit :), you'll get beautiful overflow with root privileges in main (Xserver) process...
This little patch fixed XFree86 4.0 for me, compiled under FreeBSD
4.0-STABLE from the ports collection. I sent it to fixes () xfree86 org on
Friday and it's indexed as A.91.
--- programs/Xserver/xkb/xkbInit.c.orig Mon Oct 5 05:02:55 1998
+++ programs/Xserver/xkb/xkbInit.c Tue May 23 16:52:19 2000
@@ -910,7 +910,8 @@
return 1;
}
else if (strncmp(argv[i], "-xkbmap", 7) == 0) {
- if(++i < argc) {
+ i++;
+ if ((i < argc) && (strlen(argv[i]) < PATH_MAX)) {
XkbInitialMap= argv[i];
return 2;
}
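Review bot: the new bound `strlen(argv[i]) < PATH_MAX` is not tied to the buffer that XkbInitialMap is later copied into; that destination and its size are outside this hunk, so the check only holds if that buffer really is PATH_MAX bytes. Prefer expressing the limit as `sizeof` of the actual destination (or checking at the copy site) so the two cannot drift apart. Also, when the argument is too long the code now falls out of the `if` without any diagnostic and with `i` already advanced, so an over-long `-xkbmap` value is silently dropped rather than rejected; an error message and a non-success return at that point would make the failure visible to the user.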
A few boring details are at http://jpj.net/~trevor/xfree.html .
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt