Bug in libXcursor, is it exploitable?

From: gr00vy (groovy2600_at_yahoo.com.ar)
Date: 11/09/03

    To: VunlDev <vuln-dev@securityfocus.com>
    Date: 08 Nov 2003 22:23:35 -0300
    
    

    INTRO:
    ------------------------------------------------------------------
    An off-by-one bug in libXcursor that shows up when $HOME does not start
    with a '/'.

    THE QUESTION:
    ------------------------------------------------------------------
    Could this bug compromise a system? In what cases?

    TEST:
    ------------------------------------------------------------------
    root@zencracking:/root# HOME=%n%n%n%n%n%n
    root@zencracking:/root# xterm    << not necessarily xterm: any program
    that uses libXcursor will SIGSEGV
    Segmentation fault
    root@zencracking:/root# gdb xterm
    (gdb) r
    Starting program: /root/xterm-181/xterm

    Program received signal SIGSEGV, Segmentation fault.
    0x4026e5bd in _int_malloc () from /lib/libc.so.6
    (gdb) bt
    #0 0x4026e5bd in _int_malloc () from /lib/libc.so.6
    #1 0x4026d6b5 in malloc () from /lib/libc.so.6
    #2 0x4025c003 in __fopen_internal () from /lib/libc.so.6
    #3 0x4025c0ce in fopen@@GLIBC_2.1 () from /lib/libc.so.6
    #4 0x4001e47a in XcursorFilenameSave () from
    /usr/X11R6/lib/libXcursor.so.1
    #5 0x4001e616 in XcursorLibraryLoadImages () from
    /usr/X11R6/lib/libXcursor.so.1
    #6 0x4001e824 in XcursorShapeLoadImages () from
    /usr/X11R6/lib/libXcursor.so.1
    #7 0x4001eb6e in XcursorTryShapeCursor () from
    /usr/X11R6/lib/libXcursor.so.1
    #8 0x4012d628 in _XTryShapeCursor () from usr/X11R6/lib/libX11.so.6
    #9 0x4012d9e9 in XCreateGlyphCursor () from usr/X11R6/lib/libX11.so.6
    #10 0x4012de59 in XCreateFontCursor () from usr/X11R6/lib/libX11.so.6
    #11 0x0805f3ce in make_colored_cursor (cursorindex=68, fg=0,
    bg=16777215) at misc.c:216
    #12 0x0805b578 in get_terminal () at main.c:2467
    #13 0x0805b019 in main (argc=0, argv=0xbffff9e8) at main.c:2111
    #14 0x4020dbb4 in __libc_start_main () from /lib/libc.so.6
    (gdb) i r
    eax 0x808e780 134801280
    ecx 0x40327300 1077048064
    edx 0x40327354 1077048148
    ebx 0x40326234 1077043764
    esp 0xbffff650 0xbffff650
    ebp 0xbffff688 0xbffff688
    esi 0x0 0
    edi 0x0 0
    eip 0x4026e5bd 0x4026e5bd
    eflags 0x10206 66054
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x0 0
    fctrl 0x37f 895
    fstat 0x0 0
    ftag 0xffff 65535
    fiseg 0x0 0
    fioff 0x0 0
    foseg 0x0 0
    fooff 0x0 0
    fop 0x0 0
    mxcsr 0x1f80 8064
    orig_eax 0xffffffff -1

    Regards

    THE FIX BY David Dawes <dawes@x-oz.com>:
    -----------------------------------------------------------

    Index: xc/lib/Xcursor/library.c
    ===================================================================
    RCS file: /home/x-cvs/xc/lib/Xcursor/library.c,v
    retrieving revision 1.2
    diff -u -r1.2 library.c
    --- library.c 26 Jan 2003 03:22:42 -0000 1.2
    +++ library.c 7 Nov 2003 17:48:21 -0000
    @@ -101,6 +101,9 @@
            if (!home)
                return 0;
            homelen = strlen (home);
    + /* A '/' gets prepended if $HOME doesn't start with one. */
    + if (home[0] != '/')
    + homelen++;
            dir++;
            dirlen--;
         }
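Review bot: The added `homelen++` corrects the length bookkeeping for the '/' that gets prepended to a relative $HOME, but the hunk does not show the allocation or the copy that consumes `homelen`, so it cannot be confirmed from here that the buffer size and the string assembly now agree; that consumer should be checked in the same review. The reported crash is inside `_int_malloc`, which is consistent with heap metadata being damaged by a one-byte overrun of a buffer sized from the old `homelen`, so a regression test that sets HOME without a leading '/' and loads a cursor under a heap checker would pin the fix. The comment could name the coupling it is protecting, e.g. `/* A '/' is prepended when $HOME is relative; count it in homelen so the path buffer is sized for it. */`. The added lines sit at the left margin while the surrounding context is indented; if that is not a mail-transport artifact, match the block's indentation. The enclosing function starts before and ends after the hunk.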

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    mQGiBD+MWD0RBAD0zsMD23euntPmXJScQ6aqId4s6SGHw5FdcgSdxM2rRo1/HJ10
    yZhApRGKCbnM/RW8P1+pIKlKBvSIp9wmeIgikz4KGmzGIfuhaHwzVOTEBmY3PBqn
    Q73LLC+tsUPRDDuEQY5OmtbiukRmCBWFezAzFOmD3RhbgjtkGXP3nCfKbwCgnMDh
    /cBR9cMJDJSBnt+s3odafjMD/io6JbwCL7s3EUjU/QtNI3Zwflm/biPjMu0++wIb
    IEtfTLKiAKWGpnoIVjPe8bH6uQgbp4n8G1fFkkvlmvXc2Yz012MFLJyyJLRLg4L1
    ZG72ExhGz54D3GV9t5VqG9IsNfDSYrH/GC6zE6N2jRFL/e6K/sg82zZqBGRpkmdM
    48xyBACuNgIWtPpaMdM+WeC7nh6+j5E5eT+x1RinDHGH95y4gpKBhBr/Yc4nQvh5
    e07wHHO4iWuTrnCbxEaKFOk1iTY3b1eZXZvcdJPiyq2nfp7OoRs69JZ40HQSA+aF
    O60rlEh8UgnD3fDD9/JzxW3iAdDPk8BLuoAC1Qdt1qpbhv0UkrQ1Z3IwMHZ5ICha
    ZW5DcmFja2luZy5jb20uYXIpIDxncm9vdnkyNjAwQHlhaG9vLmNvbS5hcj6IWQQT
    EQIAGQUCP4xYPQQLBwMCAxUCAwMWAgECHgECF4AACgkQTKxJeVJCmvAmrwCfZSL3
    bx1vyW4pTNwyez0fdOJmQ+EAoIOUDo0aO9LdfpruyrTzvkQaOlnSuQENBD+MWD4Q
    BADcytQOgY+pPtQdgKTn53VIEOzyagqNdfd3ei0K+TIEl9x9rdOwYWn5bf8m6QIn
    EgWi9+cvvXIl7+ziHUOCyx/BmB3bNQ9TSIlrpx+S42BJvTAJEb0hTDn6FkeupBea
    edxCyt25hJjb0NoMhn32kDiWIEGqh16Tt+h0W6MbFVDilwADBQQAmY+DT5cx6u9Y
    urffLDVq2/FHUncJQ5jIZy+ThqRWG+DBg46UzGqSIZzXhyB49k1EBgTPA8d8rJML
    fLnre1ccRvzo++VR6iIEAX5ur2mosM2SCePbJ4yTugkFPGt7dfgnQnWhNMO8GMYo
    x0HyN+VM72VmqEKG+k7c5cVZ8GvEH4uIRgQYEQIABgUCP4xYPgAKCRBMrEl5UkKa
    8ILrAJoCQOtCNlNOdbImuMTLu8hN9GHgiACgkQZQTHy1ielq23Vyl0A5Vy98bkQ=
    =LiOi
    -----END PGP PUBLIC KEY BLOCK-----

