
Linux/BSD Initialized data overflow in Xlockmore



CIAC INFORMATION BULLETIN

L-001: Linux/BSD Initialized data overflow in Xlockmore

October 9, 2000 21:00 GMT
PROBLEM:       The xlockmore program has a buffer overflow issue with the
               use of the '-mode' option. It is possible to read a part of the
               xlockmore address space, which includes the shadow password
               file.
PLATFORM:      FreeBSD versions prior to and including 4.0
               NetBSD versions prior to and including 1.4.2
               OpenBSD versions prior to and including 2.6
               Debian Linux Version 2.1
               SCO Skunkware
DAMAGE:        The xlockmore program places password hashes into the
               initialized data section of memory.  Permissions are dropped
               after the user's hash is read. A malicious individual can
               retrieve the hashes and run a cracker program to obtain passwords.
SOLUTION:      Follow the recommendations outlined by the advisory.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH, due to the possible compromise of system
ASSESSMENT:    passwords and the exploit is publicly available.
______________________________________________________________________________

 [******  Begin Beyond-Security's SecuriTeam Advisory******]


Title
30/5/2000
Initialized data overflow in Xlock



Summary

An implementation flaw in xlock allows global variables in the initialized data
section of memory to be overwritten.  This opens a security hole where local
users can view the contents of xlock's memory - including the shadowed password
file - after root privileges have been dropped.



Details

Vulnerable systems:
All versions of xlockmore prior to and including 4.16 are vulnerable.

The xlock program locks an X server until a valid password is entered. The
command line option -mode provides a user with a mechanism to change the default
display shown when the X server is locked. Xlock is installed with privileges to
obtain password information, although these are dropped as quickly as possible.
An overflow in the -mode command line option allows a malicious attacker to
reveal arbitrary portions of xlock's address space including the shadow password
file.

The buffer overflow in xlock is not a traditional overflow since all privileges
have been dropped. The global variables overflowed are in the initialized data
section (.data) of memory and shellcode is not used for exploitation.

Upon initialization, xlock reads the shadow password file to obtain the current
user's password hash, and then immediately relinquishes privileges. The password
hashes, including those not belonging to the user running xlock, are stored in
memory and continue to be accessible by xlock.

When the -mode command line option is specified, a strcpy() occurs in the
function checkResources(). The argument to -mode is copied into a small buffer
allocated on the initialized data section (.data) called old_default_mode. If an
arbitrarily large command line argument is specified, numerous global variables
in the initialized data section will be overrun, including: genTable, modeTable,
cmdlineTable, earlyCmdlineTable, and opDesc.

When an unknown -mode type is specified, for example when a large command line
option is provided, the program aborts using a function called Syntax() defined
in resources.c. The purpose of the Syntax() function is to provide information
regarding any "bad command line options" and then print a complete list of the
correct options.

The Syntax() function utilizes the global variable opDesc which can be
overwritten via the command line argument to -mode. The opDesc buffer is
allocated as an array of OptionStruct structures, each containing two character
pointers as defined in mode.h. The first pointer provides the name of a command
line option and the second a description of the option.

The Syntax() function walks the array of OptionStruct structures in opDesc
printing both the name and description of the command line options. Overwriting
the opDesc buffer with addresses pointing to the shadow password file stored in
memory results in the Syntax() function printing the shadow password file
instead of the command line options.
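The following is an added example, not code from xlockmore or from the advisory. It models the .data layout the advisory describes (a small global mode buffer followed by the opDesc table of OptionStruct entries) and places the unbounded strcpy() pattern beside a bounded replacement that rejects any -mode argument that does not fit. MODE_BUF_LEN, set_mode_unsafe, set_mode_safe, print_options, current_mode and the option strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout described in the advisory: a small
 * global mode buffer, then a table of option descriptors (OptionStruct
 * in mode.h). MODE_BUF_LEN and the option strings are assumptions. */
#define MODE_BUF_LEN 32

typedef struct {
    const char *name;   /* command line option name */
    const char *desc;   /* one-line description of the option */
} OptionStruct;

static char old_default_mode[MODE_BUF_LEN] = "random";
static OptionStruct opDesc[] = {
    { "-mode mode", "animation mode to display while locked" },
    { "-nolock",    "draw the mode but do not lock the display" },
    { NULL, NULL }   /* sentinel ends the table */
};

/* The pattern the advisory describes: strcpy() of an argument of any
 * length into a fixed-size global. Anything longer than the buffer
 * runs into whatever the linker placed after it, here opDesc. Kept
 * only for contrast; never call it with untrusted input. */
void set_mode_unsafe(const char *arg) {
    strcpy(old_default_mode, arg);
}

/* Hardened form: measure first, copy only if the argument and its
 * terminating NUL fit, and refuse everything else rather than
 * truncating silently. Returns 0 on success, -1 when rejected. */
int set_mode_safe(const char *arg) {
    size_t n = strlen(arg);
    if (n >= MODE_BUF_LEN) {
        return -1;
    }
    memcpy(old_default_mode, arg, n + 1);
    return 0;
}

/* What Syntax() does with opDesc: walk the table and print each entry.
 * Returns the number of entries so a caller can confirm the table is
 * still intact after argument parsing. */
int print_options(void) {
    int count = 0;
    for (const OptionStruct *o = opDesc; o->name != NULL; o++) {
        printf("  %-12s %s\n", o->name, o->desc);
        count++;
    }
    return count;
}

const char *current_mode(void) { return old_default_mode; }
```

The bounded copy removes only the overrun; the advisory's other point, hashes that remain in memory after privileges are dropped, is addressed separately by keeping no more than the current user's entry and zeroing it once the comparison is done.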

Solution:
An official xlockmore patch is available at:

ftp://ftp.tux.org/pub/tux/bagleyd/xlockmore/index.html

Download either xlockmore-4.16.1.tar.gz or xlockmore-4.16-4.16.1.diff.gz.

Vendor Information:

FreeBSD

The vulnerable xlockmore is distributed as part of the FreeBSD port collection
in versions prior to and including 4.0. A new version of xlockmore can be
obtained by downloading a new port skeleton from:
http://www.freebsd.org/ports/

NetBSD

The vulnerable xlockmore is distributed as part of the NetBSD packages
collection in versions prior to and including 1.4.2. Information regarding the
package collection is available from:
http://www.netbsd.org/Documentation/software/packages.html

Further information for upgrading the xlockmore package can be obtained from:

ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html

OpenBSD

The vulnerable xlockmore is distributed as part of the OpenBSD port collection
in versions prior to and including 2.6. OpenBSD 2.7 will ship with the issue
resolved. An OpenBSD 2.6 patch is available from:
http://www.openbsd.org/errata26.html#xlockmore

OpenBSD has adopted a password scheme which utilizes a 128 bit salted, 2^8 round
blowfish hash specifically designed such that it cannot be optimized. Further
information regarding the password scheme and the limitations of cracking
OpenBSD passwords is available from:

http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3
http://www.openbsd.org/events.html#usenix99

Debian GNU/Linux

The vulnerable xlockmore was distributed with Debian 2.1, although Debian 2.2
and above are not exploitable since they use PAM. Debian updates are available
from:

Source archives:
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-.1.diff.gz
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-.1.dsc

Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmoregl_4.12-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore4.12-4.1_alpha.deb

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore-l_4.12-4.1_i386.deb 
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore_.12-4.1_i386.deb 

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore-l_4.12-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore_.12-4.1_m68k.deb

Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmoregl_4.12-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore4.12-4.1_sparc.deb

TurboLinux

TurboLinux currently does not utilize shadowed password files, although updates
for the xlockmore package and srpm are available from:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/xlockmore-4.16.1-1.i86.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xlockmore-4.16.1-1.src.pm

For additional security updates, TurboLinux advisories, and security alert
mailing list information, please visit
http://www.turbolinux.com/security/index.html

SCO OpenServer and UnixWare

Xlockmore is available as part of SCO Skunkware. A new version of xlockmore that
addresses this security vulnerability is available from:
http://www.sco.com/skunkware



Additional information

The information has been provided by: seclabs@NAI.COM 


 [******  End Beyond-Security's SecuriTeam Advisory******]



CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
