The OpenNET Project
[linux-security] Buffer Overflows in WindowMaker/LibPropList
Date: Sun, 22 Aug 1999 23:51:20 -0400
From: Stan Bubrouski <[email protected]>
To: [email protected]
Subject: [linux-security] Buffer Overflows in WindowMaker/LibPropList

Back in June when I was fooling around with some programs I was writing, I 
found a serious buffer overflow in WindowMaker 0.60.0 and 0.52, but I assume 
previous versions are vulnerable as well. By replacing argv[0] of a program 
with a string longer than 249 characters, it is possible to overflow one of 
the program's buffers, causing it, and possibly X as well, to crash. It is 
assumed this can be exploited remotely if you run an insecure X server. By 
default some distributions of Linux like RedHat come with X configured to 
allow everyone in the outside world access to your X server. Anyway, here is 
the guilty section of code, from wdefaults.c:

...
   char buffer[256];
...
...
    if (class && instance)
      key1 = PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
    else


The problem is obvious. But it gets worse. That line of code occurs more than 
once in WindowMaker, and besides that there are several other overflows 
possible by using long program names. To see if you're vulnerable, fire up 
WindowMaker and in an xterm window or whatever try:

doexec xbill `perl -e'print "A" x 250;'`

That will replace argv[0] with 250 A's. Doexec is a program that comes 
installed by default on RedHat systems; all it does is replace argv[x] values. 
I used it because it's the easiest way to illustrate the problem. 
Unfortunately the problem gets even more complicated. While I tried to figure 
out a fix for the problem, I started getting crashes from LibPropList. 
Apparently that too is full of bad programming, because PLMakeString() 
overflows when it receives large strings, over 256 characters in length I 
think. I discovered this over 2 months ago so I may have left something out. 
WindowMaker 0.60.0 has some sort of thing going that catches crashes, but it 
may still be exploitable; you'll have to try it to see what I mean. Version 
0.52 is definitely exploitable. If you wanna get more details, just start 
WindowMaker from gdb and watch it go bye-bye.

-Stan Bubrouski
[email protected]


-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe [email protected] < /dev/null
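As an added example (not code from the post, nor WindowMaker's or libPropList's own), the unbounded strcpy/strcat key-building pattern quoted in the post beside a bounded replacement that refuses over-long instance names instead of overflowing the 256-byte buffer. The function names make_key and unchecked_key_len, and the "XBill" class name, are assumptions.

```c
/* Added example, not WindowMaker code: the post's
   strcat(strcat(strcpy(buffer,instance),"."),class) has no bound check,
   so an argv[0] of 250+ bytes runs past char buffer[256]. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define KEYBUF 256   /* same size as the buffer in the quoted snippet */

/* Bounded builder: writes "instance.class" into buf and returns true only
   if the whole key, terminator included, fit in bufsz bytes. On overflow
   it leaves an empty string rather than a silently truncated key. */
bool make_key(char *buf, size_t bufsz, const char *instance, const char *class_name)
{
    if (!buf || bufsz == 0 || !instance || !class_name)
        return false;
    int n = snprintf(buf, bufsz, "%s.%s", instance, class_name);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return false;
    }
    return true;
}

/* Number of bytes the original unchecked strcpy/strcat chain would write
   (instance + '.' + class + NUL), so a caller can compare it to KEYBUF. */
size_t unchecked_key_len(const char *instance, const char *class_name)
{
    return strlen(instance) + 1 + strlen(class_name) + 1;
}

int main(void)
{
    char buf[KEYBUF];
    char longname[300];   /* constructed: 299 'A's, like the doexec test */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("xbill.XBill fits: %d\n", make_key(buf, sizeof buf, "xbill", "XBill"));
    printf("unchecked bytes for long name: %zu (buffer is %d)\n",
           unchecked_key_len(longname, "XBill"), KEYBUF);
    printf("long name accepted: %d\n", make_key(buf, sizeof buf, longname, "XBill"));
    return 0;
}
```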
