Linux/BSD Initialized data overflow in Xlockmore


L-001: Linux/BSD Initialized data overflow in Xlockmore

October 9, 2000 21:00 GMT
PROBLEM:       The xlockmore program has a buffer overflow issue with the
               use of the '-mode' option. It is possible to read a part of the
               xlockmore address space, which includes the shadow password
PLATFORM:      FreeBSD versions prior to and including 4.0
               NetBSD versions prior to and including 1.4.2
               OpenBSD versions prior to and including 2.6
               Debian Linux Version 2.1
               SCO Skunkware
DAMAGE:        The xlockmore program places password hashes into the
               initialized data section of memory.  Permissions are dropped
               after the user's hash is read. A malicious individual can
               retrieve the hashes and run a cracker program to obtain passwords.
SOLUTION:      Follow the recommendations outlined by the advisory.
VULNERABILITY  The risk is HIGH, due to the possible compromise of system
ASSESSMENT:    passwords, and because the exploit is publicly available.

 [******  Begin Beyond-Security's SecuriTeam Advisory******]

Initialized data overflow in Xlock


An implementation flaw in xlock allows global variables in the initialized data
section of memory to be overwritten.  This opens a security hole where local
users can view the contents of xlock's memory - including the shadowed password
file - after root privileges have been dropped.


Vulnerable systems:
All versions of xlockmore prior to and including 4.16 are vulnerable.

The xlock program locks an X server until a valid password is entered. The
command line option -mode provides a user with a mechanism to change the default
display shown when the X server is locked. Xlock is installed with privileges to
obtain password information, although these are dropped as quickly as possible.
An overflow in the -mode command line option allows a malicious attacker to
reveal arbitrary portions of xlock's address space including the shadow password

The buffer overflow in xlock is not a traditional overflow since all privileges
have been dropped. The global variables overflowed are in the initialized data
section (.data) of memory and shellcode is not used for exploitation.

Upon initialization, xlock reads the shadow password file to obtain the current
users password hash, and then immediately relinquishes privileges. The password
hashes, including those not belonging to the user running xlock, are stored in
memory and continue to be accessible by xlock.

When the -mode command line option is specified, a strcpy() occurs in the
function checkResources(). The argument to -mode is copied into a small buffer
allocated on the initialized data section (.data) called old_default_mode. If an
arbitrarily large command line argument is specified, numerous global variables
in the initialized data section will be overrun, including: genTable, modeTable,
cmdlineTable, earlyCmdlineTable, and opDesc.

When an unknown -mode type is specified, for example when a large command line
option is provided, the program aborts using a function called Syntax() defined
in resources.c. The purpose of the Syntax() function is to provide information
regarding any "bad command line options" and then print a complete list of the
correct options.

The Syntax() function utilizes the global variable opDesc which can be
overwritten via the command line argument to -mode. The opDesc buffer is
allocated as an array of OptionStruct structures, each containing two character
pointers as defined in mode.h. The first pointer provides the name of a command
line option and the second a description of the option.

The Syntax() function walks the array of OptionStruct structures in opDesc
printing both the name and description of the command line options. Overwriting
the opDesc buffer with addresses pointing to the shadow password file stored in
memory results in the Syntax() function printing the shadow password file
instead of the command line
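As an added illustration (not code from xlockmore, the patch, or the advisory), the following C shows a bounded treatment of a "-mode" style option: the argument is validated against a fixed mode table and copied into the .data buffer only when it fits with its terminator, so an oversized value is rejected before it can reach neighbouring globals such as the option-description table that the usage function walks. MODE_NAME_MAX, mode_table, mode_buf, op_desc, set_mode() and print_syntax() are assumed names, not xlockmore's own.

```c
#include <stdio.h>
#include <string.h>

#define MODE_NAME_MAX 32   /* assumed size of the mode-name buffer */

typedef struct { const char *cmd; const char *desc; } OptionStruct;

/* Constructed mode list; xlockmore's real modeTable is far larger. */
static const char *const mode_table[] = { "blank", "random", "swarm", NULL };

/* Globals laid out like xlock's: a small .data buffer followed by the option
 * table a Syntax()-style function walks. set_mode() never writes past mode_buf. */
static char mode_buf[MODE_NAME_MAX] = "random";
static OptionStruct op_desc[] = {
    { "-mode",   "select the display shown while locked" },
    { "-nolock", "run without locking the X server" },
};

/* Constructed oversized argument (40 bytes > MODE_NAME_MAX) for testing. */
static const char constructed_long_arg[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
/* Copies arg into mode_buf only if it is a known mode that fits with its
 * NUL; returns 0 on success, -1 (mode_buf untouched) otherwise. */
int set_mode(const char *arg)
{
    const char *nul;
    size_t len;
    if (arg == NULL) return -1;
    nul = memchr(arg, '\0', MODE_NAME_MAX);   /* scan no further than the buffer */
    if (nul == NULL) return -1;                /* no terminator within bound */
    len = (size_t)(nul - arg);
    for (const char *const *m = mode_table; *m != NULL; ++m) {
        if (strcmp(*m, arg) == 0) {
            memcpy(mode_buf, arg, len + 1);    /* len + 1 <= MODE_NAME_MAX */
            return 0;
        }
    }
    return -1;                                 /* unknown mode: keep default */
}

const char *current_mode(void) { return mode_buf; }

/* Usage listing in the spirit of Syntax(): iterates op_desc by its element
 * count rather than trusting whatever the memory layout happens to hold. */
size_t print_syntax(FILE *out)
{
    size_t n = sizeof(op_desc) / sizeof(op_desc[0]);
    for (size_t i = 0; i < n; ++i)
        fprintf(out, "  %-8s %s\n", op_desc[i].cmd, op_desc[i].desc);
    return n;
}
```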

An official xlockmore patch is available at:


Download either xlockmore-4.16.1.tar.gz or xlockmore-4.16-4.16.1.diff.gz.

Vendor Information:


The vulnerable xlockmore is distributed as part of the FreeBSD port collection
in versions prior to and including 4.0. A new version of xlockmore can be
obtained by downloading a new port skeleton from:


The vulnerable xlockmore is distributed as part of the NetBSD packages
collection in versions prior to and including 1.4.2. Information regarding the
package collection is available from:

Further information for upgrading the xlockmore package can be obtained from:



The vulnerable xlockmore is distributed as part of the OpenBSD port collection
in versions prior to and including 2.6. OpenBSD 2.7 will ship with the issue
resolved. An OpenBSD 2.6 patch is available from:

OpenBSD has adopted a password scheme which utilizes a 128 bit salted, 2^8 round
blowfish hash specifically designed such that it cannot be optimized. Further
information regarding the password scheme and the limitations of cracking
OpenBSD passwords is available from:

Debian GNU/Linux

The vulnerable xlockmore was distributed with Debian 2.1, although Debian
2.2 and above are not exploitable since they use PAM. Debian updates are
available from:

Source archives:

Alpha architecture:

Intel ia32 architecture: 

Motorola 680x0 architecture:

Sun Sparc architecture:


TurboLinux currently does not utilize shadowed password files, although updates
for the xlockmore package and srpm are available from:


For additional security updates, TurboLinux advisories, and security alert
mailing list information, please visit

SCO OpenServer and UnixWare

Xlockmore is available as part of SCO Skunkware. A new version of xlockmore that
addresses this security vulnerability is available from:

Additional information

The information has been provided by: seclabs@NAI.COM 

 [******  End Beyond-Security's SecuriTeam Advisory******]

CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    World Wide Web:
                     (same machine -- either one will work)
    Anonymous FTP:
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.