COMMAND
/usr/X11/bin/xlock
SYSTEMS AFFECTED
Data General Corporation
FreeBSD, Inc.
Hewlett-Packard Company
IBM Corporation
LINUX
Sun Microsystems, Inc.
PROBLEM
xlock is a program that allows a user to "lock" an X terminal. A
buffer overflow condition exists in some implementations of
xlock. It is possible to attain unauthorized access to a system by
engineering a particular environment and calling a vulnerable
version of xlock that has the setuid or setgid bits set.
David Hedley has also written an exploit for Solaris 2.5.x (not yet
available; see the xlock vulnerability in the Linux section if you
are looking for an xlock exploit).
The problem lies in xlock trusting various bits of the environment
and its command line arguments. Specifically:
$HOME
$XAPPLRESDIR
$XUSERFILESEARCHPATH
$XFILESEARCHPATH
the classname (specified via the -name parameter)
the mode (specified via the -mode parameter)
To see if you are vulnerable, simply do:
xlock -name xxxxxxxxxxxxxxxxxxxxxxxx <insert lots of x's here>
The length of the parameter has to exceed 1024 bytes (as the
buffer being overflowed is 1024 characters), e.g. try: xlock -name
xxxxx<insert 1000+ x's>
If xlock crashes with a segmentation fault or similar, then you
are vulnerable.
SOLUTION
Install a patch from your vendor if one exists. Below is a list of
vendors with their responses to this problem.
Data General Corporation
========================
The xlock sources (xlockmore-3.7) that DG includes in its
contributed software package have been modified to remove this
vulnerability. These will be available when release 8 comes out.
We also recommend that our customers who have the current version
should change the sprintf calls in resource.c to snprintf calls,
rebuild and reinstall the package.
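The sprintf-to-snprintf change recommended above, shown on a constructed stand-in for the 1024-byte buffer described in PROBLEM. This is an added example, not xlock's actual resource.c; the function names, the "classname.mode" format and the buffer size are assumptions. The hardened form checks snprintf's return value so an over-long -name argument is rejected instead of silently truncated.

```c
/* Constructed illustration of the bug class in this advisory: a fixed
 * 1024-byte buffer filled with sprintf() from user-controlled input.
 * NOT xlock's real resource.c; names and format are assumptions. */
#include <stdio.h>
#include <string.h>

#define RESOURCE_BUF 1024   /* size of the overflowed buffer per the advisory */

/* Vulnerable form (the sprintf pattern DG tells users to replace):
 * nothing bounds how much of 'classname' lands in buf. Kept only for
 * comparison; never call it with untrusted input. */
void format_resource_unsafe(char *buf, const char *classname, const char *mode)
{
    sprintf(buf, "%s.%s", classname, mode);   /* overflows once result > 1023 chars */
}

/* Hardened form: snprintf() bounds the write, and its return value (the
 * length the full string WOULD have had) reveals truncation.
 * Returns 0 on success, -1 if the input does not fit. */
int format_resource_safe(char *buf, size_t bufsz,
                         const char *classname, const char *mode)
{
    int needed = snprintf(buf, bufsz, "%s.%s", classname, mode);
    if (needed < 0 || (size_t)needed >= bufsz) {
        buf[0] = '\0';          /* refuse rather than continue with a cut-off name */
        return -1;
    }
    return 0;
}

/* Builds a -name argument of name_len x's (like the check in PROBLEM) and
 * returns 1 if the safe path rejects it, 0 if it fits. */
int classname_is_rejected(size_t name_len)
{
    char name[2048];
    char buf[RESOURCE_BUF];
    if (name_len >= sizeof name) name_len = sizeof name - 1;
    memset(name, 'x', name_len);
    name[name_len] = '\0';
    return format_resource_safe(buf, sizeof buf, name, "random") == -1;
}

int main(void)
{
    printf("24 x's rejected: %d\n", classname_is_rejected(24));
    printf("1100 x's rejected: %d\n", classname_is_rejected(1100));
    return 0;
}
```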
FreeBSD, Inc.
=============
The xlockmore version we ship in our ports collection is
vulnerable in all shipped releases. The port in FreeBSD-current
is fixed. Solution is to install the latest xlockmore version
(4.02).
Hewlett-Packard Company
=======================
We ship a setuid root program, vuelock, that is based on xlock. It
does have the vulnerability. The only workaround is to remove
the executable; the patch is "in process".
IBM Corporation
===============
AIX is vulnerable to the conditions described here. Fix:
AIX 3.2: APAR IX68189
AIX 4.1: APAR IX68190
AIX 4.2: APAR IX68191
LINUX
=====
Red Hat:
Not vulnerable
Caldera:
Not vulnerable
Debian:
An updated package is on the Debian site
SuSE:
ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/S.u.S.E.-4.4.1/xap1/xlock
And in general the new Xlockmore release fixes the problems.
Sun Microsystems, Inc.
======================
The vulnerability in xlock is fixed by the following patches:
OS version         Patch ID
__________         ________
SunOS 5.5.1        103566-20
SunOS 5.5.1_x86    105109-01
SunOS 5.5          103210-20
SunOS 5.5_x86      105108-01
SunOS 5.4          102057-38
SunOS 5.4_x86      105110-01
SunOS 5.3          101362-50
SunOS 4.1.4        100478-02
SunOS 4.1.3_U1     100478-02
If you run a system without a patch, apply one of the following
workarounds to protect yourself. Find and disable any copies of
xlock that exist on your system and that have the setuid or setgid
bits set. Install a version of xlock known to be immune to this
vulnerability. One such supported tool is xlockmore. The latest
version of this tool is 4.02, and you should ensure that this is
the version you are using. This utility can be obtained from the
following site:
ftp://ftp.x.org/contrib/applications/xlockmore-4.02.tar.gz