Return-Path: owner-bugtraq@SECURITYFOCUS.COM MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Sun, 4 Jun 2000 06:49:51 -0400 Reply-To: Trevor Johnson Sender: Bugtraq List From: Trevor Johnson Subject: Re: XFree86 server overflow To: BUGTRAQ@SECURITYFOCUS.COM In-Reply-To: On Sun, 16 Apr 2000, Michal Zalewski wrote: > XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no > matter it's setuid, or called from setuid Xwrapper - works in both cases, > seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with > -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather > trivial to exploit :), you'll get beautiful overflow with root privledges > in main (Xserver) process... This little patch fixed XFree86 4.0 for me, compiled under FreeBSD 4.0-STABLE from the ports collection. I sent it to fixes@xfree86.org on Friday and it's indexed as A.91. --- programs/Xserver/xkb/xkbInit.c.orig Mon Oct 5 05:02:55 1998 +++ programs/Xserver/xkb/xkbInit.c Tue May 23 16:52:19 2000 @@ -910,7 +910,8 @@ return 1; } else if (strncmp(argv[i], "-xkbmap", 7) == 0) { - if(++i < argc) { + i++; + if ((i < argc) && (strlen(argv[i]) < PATH_MAX)) { XkbInitialMap= argv[i]; return 2; } A few boring details are at http://jpj.net/~trevor/xfree.html . -- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt