Bug 10876 - XFree86 3.3.x Buffer Overflow Vulnerability
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Version: 6.2
Platform: All Linux
Severity: medium
Assigned To: Preston Brown
http://www.securityfocus.com/vdb/bott...
: Security
Reported: 2000-04-17 14:36 EDT by Matthew Miller
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-04-18 11:51:51 EDT
Description Matthew Miller 2000-04-17 14:36:07 EDT
See: http://www.securityfocus.com/vdb/bottom.html?vid=1113

From the discussion there:
A buffer overflow exists in the -xbdmap parameter to the XFree86 X
Server. By passing over 2100 characters, it is possible to cause the X
server to crash. According to the author, it is vulnerable to a more
complex buffer overrun attack. The X server, at this stage, still possesses
root privileges, and as such any code executed would be with root
permissions.

The discoverer of this vulnerability notes that all shell code passed to
the overrun (which lies in an unchecked strcpy()) must be alphanumeric.
Non-alphanumeric characters are, at some point, replaced with a '_'.
However, due to the complex nature of the XServer, the discoverer
maintains that in order to complete this overflow, it may merely be
necessary to alter a pointer to cause code placed elsewhere, perhaps via
another parameter, to be executed.
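The flaw described above is the classic unchecked strcpy() of a command-line argument into a fixed buffer, followed by a pass that rewrites non-alphanumeric bytes to '_'. The following is an added illustration, not XFree86 source: it shows that pattern beside a bounded form that rejects an over-long argument before copying. The buffer size XBDMAP_MAX and the function names are assumptions; the report only says that more than 2100 characters crash the server.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size (not from the report): a fixed stack buffer for the map name. */
#define XBDMAP_MAX 256

/* Vulnerable pattern as the report describes it: strcpy() with no length
 * check, then every non-alphanumeric byte becomes '_'.  Any argument longer
 * than the buffer overruns it.  Kept only for comparison; never feed it
 * untrusted input. */
void parse_xbdmap_unchecked(const char *arg, char out[XBDMAP_MAX])
{
    strcpy(out, arg);                        /* no bound on arg */
    for (char *p = out; *p; p++)
        if (!isalnum((unsigned char)*p))
            *p = '_';
}

/* Hardened form: measure first, refuse what does not fit, copy with an
 * explicit bound, then sanitise.  Returns 0 on success, -1 on rejection. */
int parse_xbdmap_checked(const char *arg, char out[XBDMAP_MAX])
{
    size_t n = strlen(arg);
    if (n >= XBDMAP_MAX) {                   /* leave room for the terminator */
        out[0] = '\0';
        return -1;                           /* reject rather than truncate silently */
    }
    memcpy(out, arg, n);
    out[n] = '\0';
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)out[i]))
            out[i] = '_';
    return 0;
}

int main(void)
{
    char map[XBDMAP_MAX];
    char big[3000];                          /* constructed over-long argument */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    parse_xbdmap_unchecked("us-intl.map", map);     /* in-bounds input: fine */
    printf("unchecked: %s\n", map);
    printf("checked short: rc=%d map=%s\n", parse_xbdmap_checked("us-intl.map", map), map);
    printf("checked long:  rc=%d\n", parse_xbdmap_checked(big, map));
    return 0;
}
```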
Comment 1 Matthew Miller 2000-04-18 10:44:59 EDT
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=Pine.LNX.4.21.0004171929410.7274-100000@jupiter.sakowski.eu.org
and my own experiments seem to indicate that Xwrapper properly disallows
parameters that are too long. Would be nice to have official confirmation from
you folks though.
Comment 2 Bill Nottingham 2000-04-18 11:51:59 EDT
As far as we can tell, it's only exploitable if you're running
as root, which tends to defeat the point.

Also, the 'kernel oops' mentioned is in fact a register dump
from the segfaulting X server...
Comment 3 Matthew Miller 2000-04-18 13:00:59 EDT
thanks.
