Red Hat Bugzilla – Bug 10876
XFree86 3.3.x Buffer Overflow Vulnerability
Last modified: 2008-05-01 11:37:55 EDT
From the discussion there:
A buffer overflow exists in the -xbdmap parameter to the XFree86 X
Server. By passing over 2100 characters, it is possible to cause the X
server to crash. According to the author, it is vulnerable to a more
complex buffer overrun attack. The X server, at this stage, still possesses
root privileges, and as such any code executed would be with root
The discoverer of this vulnerability notes that all shell code passed to
the overrun (which lies in an unchecked strcpy()) must be alphanumeric.
Non-alphanumeric characters are, at some point, replaced with a '_'.
However, due to the complex nature of the XServer, the discoverer
maintains that in order to complete this overflow, it may merely be
necessary to alter a pointer to cause code placed elsewhere, perhaps via
another parameter, to be executed.
and my own experiments seem to indicate that Xwrapper properly disallows
parameters that are too long. Would be nice to have official confirmation from
you folks though.
As far as we can tell, it's only exploitable if you're running
as root, which tends to defeat the point.
Also, the 'kernel oops' mentioned is in fact a register dump
from the segfaulting X server...