COMMAND

    WindowMaker

SYSTEMS AFFECTED

    WindowMaker 0.60.0 and 0.52 (at least)

PROBLEM

    Stan Bubrouski found the following.  While fooling around with some
    programs he was writing, he found a serious buffer overflow in
    WindowMaker 0.60.0 and 0.52; previous versions are assumed to be
    vulnerable as well.  By replacing argv[0] of a program with a string
    longer than 249 characters it is possible to overflow one of
    WindowMaker's buffers, crashing it and possibly the X server with it.
    X clients normally take the instance part of their WM_CLASS window
    property from argv[0], and WindowMaker copies instance and class into
    a fixed-size buffer when it looks up the window's defaults, so any
    client that can connect to the display can supply the overlong
    string.  It is therefore assumed this can be exploited remotely if
    you run an insecure X server.  By default some distributions of Linux
    like RedHat come with X configured to allow everyone in the outside
    world access to your X server.  Anyway, here is the guilty section
    of code, from wdefaults.c:

        ...
           char buffer[256];          /* fixed-size stack buffer */
        ...
        ...
            if (class && instance)
              /* instance + "." + class copied in with no length check */
              key1 = PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
            else

    The problem is obvious: strcpy() and strcat() write instance, a dot
    and class into a 256-byte buffer without ever checking the combined
    length.  But it gets worse.  That line of code occurs more than once
    in WindowMaker, and besides that there are several other overflows
    possible by using long program names.  To see if you're vulnerable,
    fire up WindowMaker and in an xterm window or whatever try:

        doexec xbill `perl -e'print "A" x 250;'`

    That will replace argv[0] with 250 A's.  Doexec is a program that
    comes installed by default on RedHat systems; all it does is replace
    argv[x] values.  (In bash, "exec -a name program" sets argv[0] the
    same way.)  Unfortunately the problem gets even more complicated.
    While trying to figure out a fix for the problem, Stan started
    getting crashes from libPropList.  Apparently that too is full of bad
    programming, because PLMakeString() overflows when it receives large
    strings, over 256 characters in length he thinks.
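    The following is an added example, not code from WindowMaker or from
    the advisory: it reproduces the unchecked instance "." class key
    building shown above beside a bounded replacement, and a check that
    reports when a given instance/class pair would run past the 256-byte
    buffer.  The function names, the 250-character test name and the
    "xbill"/"XBill" instance and class are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same size as WindowMaker's fixed stack buffer in wdefaults.c. */
#define KEY_BUF 256

/* Bytes the key "instance.class" needs, including the terminating NUL. */
size_t key_needed(const char *instance, const char *class)
{
    return strlen(instance) + 1 + strlen(class) + 1;
}

/* 1 if the unchecked strcpy/strcat pattern would write past a KEY_BUF
 * buffer for this instance/class pair, 0 otherwise. */
int would_overflow(const char *instance, const char *class)
{
    return key_needed(instance, class) > KEY_BUF;
}

/* The vulnerable pattern from the advisory, verbatim in spirit: no length
 * check at all.  Only ever call this with inputs that fit; on a 250-byte
 * instance name it writes past the end of buf (undefined behaviour). */
char *make_key_unchecked(char buf[KEY_BUF], const char *instance, const char *class)
{
    return strcat(strcat(strcpy(buf, instance), "."), class);
}

/* Hardened replacement (assumed fix, not WindowMaker's own patch): bounded
 * formatting.  Returns 0 and fills buf on success, -1 and an empty buf when
 * the key does not fit, so the caller can skip the lookup instead of dying. */
int make_key(char *buf, size_t bufsz, const char *instance, const char *class)
{
    int n = snprintf(buf, bufsz, "%s.%s", instance, class);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Stand-alone demo mirroring the doexec test: a 250-character instance name
 * (constructed here), as argv[0] of the hypothetical client "xbill". */
int main(void)
{
    char buf[KEY_BUF];
    char longname[251];

    memset(longname, 'A', 250);
    longname[250] = '\0';

    make_key(buf, sizeof buf, "xbill", "XBill");
    printf("short key: %s\n", buf);
    printf("250 A's would overflow the unchecked buffer: %s\n",
           would_overflow(longname, "XBill") ? "yes" : "no");
    printf("bounded version rejects it: %s\n",
           make_key(buf, sizeof buf, longname, "XBill") == -1 ? "yes" : "no");
    return 0;
}
```

    With a 250-character instance, a one-byte dot, a five-byte class and
    the NUL the key needs 257 bytes, one more than the buffer, which is
    exactly the boundary the advisory's "longer than 249 characters"
    describes for that class length.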

    WindowMaker 0.60.0 has some sort of crash handler that catches the
    fault, but it may still be exploitable; you'll have to try it to see
    for yourself.  Version 0.52 is definitely exploitable.  If you want
    more details, just start WindowMaker from gdb and watch it go
    bye-bye.

SOLUTION

    Running programs with long argv[0]s is just another way for a user to
    shoot themselves in the foot by running a program that is doing
    something nasty.  It is one more place to put a trojan, but that's
    about as far reaching as it goes, unless your X server accepts
    connections from untrusted hosts; in that case restrict access with
    xhost or xauth rather than leaving it open to the world.  The
    libPropList problem might be a bit bigger, as at one time some of
    GNOME was/is using it.