COMMAND
xlock (xlockmore)
SYSTEMS AFFECTED
All versions of xlockmore prior to and including 4.16
PROBLEM
xlockmore is vulnerable to a local attack which allows recovery of
the encrypted hash of the root password. The damage to systems
using DES passwords from this attack is pretty heavy, but on
systems with a well-chosen root password under blowfish encoding
(see crypt(3)) the impact is much reduced. (OpenBSD does not
consider this a local root hole in the default install, since
they have not seen a fast blowfish cracker yet.)
To quote from the NAI advisory (who originally found it):
"The xlock program locks an X server until a valid password is
entered. The command line option -mode provides a user with a
mechanism to change the default display shown when the X server
is locked. xlock is installed with privileges to obtain
password information, although these are dropped as early as
possible. An overflow in the -mode command line option allows
a malicious attacker to reveal arbitrary portions of xlock's
address space including the shadow password file."
Again, quoting from the NAI advisory:
"The buffer overflow in xlock is not a traditional overflow
since all privileges have been dropped, the global variables
overflowed are in the initialized data section (.data) of
memory and shellcode is not used for exploitation.
"Upon initialisation xlock reads the shadow password file to
obtain the current user's password hash then immediately
relinquishes privileges. The password hashes, including those
not belonging to the user running xlock, are stored in memory
and continue to be accessible by xlock.
"When the -mode command line option is specified a strcpy()
occurs in the function checkResources(). The argument to -mode
is copied into a small buffer allocated on the initialized data
section (.data) called old_default_mode. If an arbitrarily
large command line argument is specified, numerous global
variables in the initialized data section will be overrun,
including genTable, modeTable, cmdlineTable, earlyCmdlineTable,
and opDesc.
"When an unknown -mode type is specified, as will occur when a
large command line option is provided, the program aborts using
a function called Syntax() defined in resources.c. The purpose
of the Syntax() function is to provide information regarding
any "bad command line options" and then print a complete list
of the correct options.
"The Syntax() function utilizes the global variable opDesc
which can be overwritten via the command line argument to -mode.
The opDesc buffer is allocated as an array of OptionStruct
structures each containing two character pointers as defined in
mode.h. The first pointer provides the name of a command line
option and the second a description of the option.
"The Syntax() function walks the array of OptionStruct
structures in opDesc printing both the name and description of
the command line options. Overwriting the opDesc buffer with
addresses pointing to the shadow password file stored in memory
results in the Syntax() function printing the shadow password
file instead of the command line options."
This vulnerability was discovered by Brock Tellier with additional
research by Anthony Osborne at the COVERT Labs of PGP Security.
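An added example, not xlockmore's own code, of the bounded -mode copy that closes the overflow described above, together with a wipe for the password hashes the advisory says remain in memory after privileges are dropped; the buffer size MODE_MAX, the table contents and the helper functions are assumptions made for this example.

```c
/* Added example, not xlockmore's code: the -mode copy from the advisory,
 * hardened so a long argument cannot run past old_default_mode into the
 * option table. Names follow the advisory; MODE_MAX, the table contents
 * and the helper functions are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *opt; const char *desc; } OptionStruct;
#define MODE_MAX 32                   /* assumed size of the fixed buffer */
static char old_default_mode[MODE_MAX] = "random";   /* initialised: .data */

/* Constructed option table; in xlockmore it sits near old_default_mode. */
static OptionStruct opDesc[] = {
    { "-mode", "animation mode to display" },
    { "-nolock", "do not require a password" },
};

/* The advisory's pattern is strcpy(old_default_mode, arg) with no length
 * check. Hardened: find the NUL within MODE_MAX, refuse anything that does
 * not fit, only then copy. Returns 0 on success, -1 (buffer untouched). */
int set_mode_checked(const char *arg)
{
    const char *nul = memchr(arg, '\0', MODE_MAX);
    if (nul == NULL)
        return -1;                    /* no terminator within MODE_MAX */
    memcpy(old_default_mode, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Syntax() walks opDesc; after a bounded copy it only sees pointers set above. */
void Syntax(const char *badopt)
{
    fprintf(stderr, "bad command line option \"%s\"\n", badopt);
    for (size_t i = 0; i < sizeof opDesc / sizeof opDesc[0]; i++)
        fprintf(stderr, "  %-10s %s\n", opDesc[i].opt, opDesc[i].desc);
}

/* Confirms the option table is unchanged after handling a -mode argument. */
int opdesc_intact(void)
{
    return strcmp(opDesc[0].opt, "-mode") == 0 &&
           strcmp(opDesc[1].desc, "do not require a password") == 0;
}

/* Other users' hashes stay in memory after privileges drop; wipe via volatile. */
void wipe_secret(char *buf, size_t len)
{
    for (volatile char *p = buf; len--; )
        *p++ = 0;
}
```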
SOLUTION
Versions of xlockmore up to, and including, version 4.16 are
vulnerable. To find out the version of xlockmore installed on
your NetBSD system, you can use pkg_info(1); if xlockmore is not
installed on your system, no output will be generated.
If you have version 4.16 or lower, you should upgrade to version
4.16.1 of xlockmore, which has been part of the NetBSD packages
collection since 11th May 2000. There are also precompiled binary
packages of xlockmore-4.16.1 for some NetBSD ports available
from:
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html
A source code patch exists, which remedies this problem for
OpenBSD.
The vulnerable xlockmore was distributed with Debian 2.1; Debian
2.2 and above are not exploitable since they use PAM. Debian
updates are available from:
Source archives:
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-.1.diff.gz
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-.1.dsc
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmoregl_4.12-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore4.12-4.1_alpha.deb
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore-l_4.12-4.1_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore_.12-4.1_i386.deb
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore-l_4.12-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore_.12-4.1_m68k.deb
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmoregl_4.12-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore4.12-4.1_sparc.deb
TurboLinux currently does not utilize shadowed password files,
although updates for the xlockmore package and srpm are available
from:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/xlockmore-4.16.1-1.i86.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xlockmore-4.16.1-1.src.pm
Xlockmore is available as part of SCO Skunkware. A new version of
xlockmore that addresses this security vulnerability is available
from:
http://www.sco.com/skunkware
An official xlockmore patch is available at:
ftp://ftp.tux.org/pub/tux/bagleyd/xlockmore/index.html
For Mandrake, upgrade to:
6.1/RPMS/xlockmore-4.16.1-1mdk.i586.rpm
6.1/SRPMS/xlockmore-4.16.1-1mdk.src.rpm
7.0/RPMS/xlockmore-4.16.1-1mdk.i586.rpm
7.0/SRPMS/xlockmore-4.16.1-1mdk.src.rpm
7.1/RPMS/xlockmore-4.16.1-1mdk.i586.rpm
7.1/SRPMS/xlockmore-4.16.1-1mdk.src.rpm