Date: Sun, 22 Aug 1999 23:51:20 -0400
From: Stan Bubrouski <[email protected]>
To: [email protected]
Subject: [linux-security] Buffer Overflows in WindowMaker/LibPropList
Back in June when I was fooling around with some programs I was writing, I
found a serious buffer overflow in WindowMaker 0.60.0 and 0.52, but I assume
previous versions are vulnerable as well. By replacing argv[0] of a program
with a string longer than 249 characters, it is possible to overflow one of
the programs buffers, causing it, and possibly X as well to crash. It is
assumed this can be exploited remotely if you run an insecure X server. By
default some distributions of Linux like RedHat come with X configured to
allow everyone in the outside world access to your X-server. Anyway here is
the guilty section of code, from wdefaults.c:
...
char buffer[256];
...
...
if (class && instance)
key1 = PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
else
The problem is obvious. But it gets worse. That line of code occurs more than
once in WindowMaker, and besides that there are several other overflows
possible by using long program names. To see if you're vulnerable, fire up
WindowMaker and in an xterm window or whatever try:
doexec xbill `perl -e'print "A" x 250;'`
That will replace argv[0] with 250 A's. Doexec is a program that comes
installed by default on RedHat systems, all it does is replace argv[x] values,
I used it because it's the easiest way to illustrate the problem.
Unfortunately the problem gets even more complicated. While I tried to figure
out a fix for the problem, I started getting crashes from LibPropList.
Apparently that too is full of bad programming as well. Because
PLMakeString() overflows when it receives large strings, over 256 characters
in length I think. I discovered this over 2 months ago so I may have left
something out. WindowMaker 0.60.0 has some sort of thing going that catches
crashes but it may still be exploitable, you'll have to try it to see what I
mean. Version 0.52 is definitely exploitable. If you wanna get more details
just start windowmaker from gdb and watch it go bye-bye.
-Stan Bubrouski
[email protected]
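As an added illustration (not code from the post or from WindowMaker), the bounded way to build the "instance.class" key that the quoted strcpy/strcat chain produces: the length is checked against the 256-byte buffer before anything is copied, so the 250-character argv[0] from the doexec test is rejected instead of overwriting the stack. The function names, the 'A'/'B' sample names and the size-probe helper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF 256 /* same size as "char buffer[256]" in the wdefaults.c fragment */
/* Pattern quoted in the post (not called here):
 *   strcat(strcat(strcpy(buffer, instance), "."), class);
 * strcpy/strcat never see the size of buffer, so a long argv[0] writes past its end. */

/* Bounded replacement: writes "instance.class" into out only if it fits,
 * NUL included. On any failure out is set to "" and false is returned. */
bool make_key(char *out, size_t outsz, const char *instance, const char *cls)
{
    if (out == NULL || outsz == 0)
        return false;
    out[0] = '\0';
    if (instance == NULL || cls == NULL)
        return false;
    size_t need = strlen(instance) + 1 + strlen(cls) + 1; /* the '.' and the NUL */
    if (need > outsz)
        return false; /* reject oversize names instead of overflowing */
    int n = snprintf(out, outsz, "%s.%s", instance, cls);
    return n >= 0 && (size_t)n < outsz;
}

/* Probe helper: build a key from constructed names of the given lengths into
 * a 256-byte buffer and report whether it was accepted (shows the boundary). */
bool key_fits_256(size_t inst_len, size_t cls_len)
{
    char instance[512], cls[512], key[KEY_BUF];
    if (inst_len >= sizeof instance || cls_len >= sizeof cls) return false;
    memset(instance, 'A', inst_len); instance[inst_len] = '\0';
    memset(cls, 'B', cls_len);       cls[cls_len] = '\0';
    return make_key(key, KEY_BUF, instance, cls);
}

/* Well-formed case: "xterm.XTerm" is produced exactly. */
bool short_key_ok(void)
{
    char key[KEY_BUF];
    return make_key(key, KEY_BUF, "xterm", "XTerm") && strcmp(key, "xterm.XTerm") == 0;
}

int main(void)
{
    printf("xterm/XTerm ok: %d\n", short_key_ok());
    printf("250-byte name accepted: %d\n", key_fits_256(250, 5));
    printf("200+54 fits: %d, 200+55 fits: %d\n", key_fits_256(200, 54), key_fits_256(200, 55));
    return 0;
}
```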
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe [email protected] < /dev/null