Date: Mon, 29 Jun 1998 09:20:05 +0200
From: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE.>
To: Thomas Gellekum <tg@ihf.rwth-aachen.de.>
Subject: Re: xlock
Cc: Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE.>,
[email protected]
On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote:
> Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE.> writes:
>
> > Alarmed by recent buffer overflow attacks on Linux machines in
> > my vicinity (an exploit for this is available) I thought about
> > xlock under FreeBSD and would like to know whether the
> > security hole has been sorted out under FreeBSD 2.2.x or what
> > measures are advised to prevent it.
>
> Could you tell more about this?
/* x86 XLOCK overflow exploit
by [email protected] 4/17/97
Original exploit framework - lpr exploit
Usage: make xlock-exploit
xlock-exploit <optional_offset>
Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/
[complete xploit can be sent on demand]
xlock, since it is suid root (I don't know which version is affected
and if that is fixed maybe in XF86332), can be fed with a command line
parameter causing a buffer overflow which allows a logged-in
normal user to gain a root shell. Actually the hole is a year old.
Since I didn't find xlock on freefall (hub) I thought the problem
was known already. The Linux exploit program doesn't work directly under
FreeBSD (causes a bad system call) but with some tweaking it
could be made to work.
SUSE Linux 5.x fixes it the following way:
1.) establishing a group 'shadow' in /etc/group, sole member 'root':
shadow:x:15:root
2.) xlock becomes SGID group shadow:
-rwxr-sr-x 1 root shadow 843596 Nov 16 1996 /usr/X11/bin/xlock*
3.) password files become group readable by group shadow
-rw-r----- 1 root shadow 289 Jan 16 1997 /etc/gshadow
-rw-r----- 1 root shadow 683 Jun 15 14:55 /etc/shadow
-rw-r----- 1 root shadow 683 May 14 18:09 /etc/shadow-
-rw-r----- 1 root shadow 642 Sep 30 1997 /etc/shadow.orig
>
> tg
--
--Chris Christoph P. U. Kukulies [email protected]
To Unsubscribe: send mail to [email protected]
with "unsubscribe security" in the body of the message
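The SUSE layout described in the mail (locker setgid to a dedicated group instead of setuid root, password files mode 0640 and group-owned by that group) can be audited from plain `ls -l` output. The script below is an added example for this thread, not code from the mail or from SUSE; it assumes the dedicated group is named `shadow`, that input lines are in `ls -l` format (a trailing `ls -F` marker such as `*` would simply be carried along in the path), and the function names `classify_binary`, `check_shadow_file` and `audit_line` are the author's own choices. The sample lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit "ls -l" lines for the privilege split the mail describes.
# A screen locker that is setuid root gives any overflow in it full root;
# setgid to a dedicated 'shadow' group (assumed name) limits the damage to
# reading the password hashes, which is all the locker needs.

# classify_binary MODE OWNER GROUP
# prints one of: suid-root | sgid-shadow | unprivileged | other
classify_binary() {
    mode=$1; owner=$2; group=$3
    ubit=$(printf '%s' "$mode" | cut -c4)   # user-execute slot: 's'/'S' = setuid
    gbit=$(printf '%s' "$mode" | cut -c7)   # group-execute slot: 's'/'S' = setgid
    case "$ubit" in
        s|S) [ "$owner" = root ] && { echo suid-root; return 0; }; echo other; return 0 ;;
    esac
    case "$gbit" in
        s|S) [ "$group" = shadow ] && { echo sgid-shadow; return 0; }; echo other; return 0 ;;
    esac
    echo unprivileged
}

# check_shadow_file MODE OWNER GROUP
# prints ok when the file is 0640 root:shadow (the layout quoted in the mail), else bad
check_shadow_file() {
    [ "$1" = "-rw-r-----" ] && [ "$2" = root ] && [ "$3" = shadow ] && { echo ok; return 0; }
    echo bad
}

# audit_line "<one ls -l line>"
# splits the line into ls -l fields (mode links owner group size date... path)
# and prints a verdict for the path
audit_line() {
    set -- $1
    mode=$1; owner=$3; group=$4
    eval "path=\${$#}"                      # last field is the path
    case "$path" in
        /etc/shadow*|/etc/gshadow*)
            printf '%s: shadow file %s\n' "$path" "$(check_shadow_file "$mode" "$owner" "$group")" ;;
        *)
            printf '%s: %s\n' "$path" "$(classify_binary "$mode" "$owner" "$group")" ;;
    esac
}

# Constructed sample input: line 1 is the setuid-root layout the mail warns about,
# lines 2 and 3 mirror the SUSE layout quoted in the mail, line 4 is a world-readable
# shadow file that the audit should reject.
SAMPLE='-rwsr-xr-x 1 root root 843596 Nov 16 1996 /usr/X11/bin/xlock
-rwxr-sr-x 1 root shadow 843596 Nov 16 1996 /usr/X11/bin/xlock
-rw-r----- 1 root shadow 683 Jun 15 14:55 /etc/shadow
-rw-r--r-- 1 root root 683 Jun 15 14:55 /etc/shadow'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    audit_line "$line"
done
```

On a live system the same functions can be fed real output, e.g. `ls -l /usr/X11/bin/xlock /etc/shadow /etc/gshadow | while IFS= read -r l; do audit_line "$l"; done`; any `suid-root` verdict for the locker, or `bad` for a password file, is the condition the mail's three steps are meant to remove.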