
Date: Sun, 22 Aug 1999 23:51:20 -0400
From: Stan Bubrouski <security@MailAndNews.com>
To: linux-alert@redhat.com
Subject: [linux-security] Buffer Overflows in WindowMaker/LibPropList

Back in June when I was fooling around with some programs I was writing, I 
found a serious buffer overflow in WindowMaker 0.60.0 and 0.52, but I assume 
previous versions are vulnerable as well. By replacing argv[0] of a program 
with a string longer than 249 characters, it is possible to overflow one of 
the program's buffers, causing it, and possibly X as well, to crash. It is 
assumed this can be exploited remotely if you run an insecure X server. By 
default some distributions of Linux like RedHat come with X configured to 
allow everyone in the outside world access to your X server. Anyway, here is 
the guilty section of code, from wdefaults.c:

...
   char buffer[256];   /* fixed-size buffer for the "instance.class" key */
...
...
    /* no length check: strlen(instance) + 1 + strlen(class) may exceed 255 */
    if (class && instance)
      key1 = PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
    else


The problem is obvious. But it gets worse. That line of code occurs more than 
once in WindowMaker, and besides that there are several other overflows 
possible by using long program names. To see if you're vulnerable, fire up 
WindowMaker and in an xterm window or whatever try:

doexec xbill `perl -e'print "A" x 250;'`

That will replace argv[0] with 250 A's. Doexec is a program that comes 
installed by default on RedHat systems; all it does is replace argv[x] values. 
I used it because it's the easiest way to illustrate the problem. 
Unfortunately the problem gets even more complicated. While I tried to figure 
out a fix for the problem, I started getting crashes from LibPropList. 
Apparently that too is full of bad programming, because PLMakeString() 
overflows when it receives large strings, over 256 characters in length I 
think. I discovered this over 2 months ago so I may have left something out. 
WindowMaker 0.60.0 has some sort of thing going that catches crashes but it 
may still be exploitable; you'll have to try it to see what I mean. Version 
0.52 is definitely exploitable. If you wanna get more details just start 
windowmaker from gdb and watch it go bye-bye.

-Stan Bubrouski
root@mailandnews.com

------------------------------------------------------------
Stan Bubrouski
root@mailandnews.com
------------------------------------------------------------
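A bounded replacement for the strcpy/strcat chain quoted in the message, added here as an example; it is not code from WindowMaker or LibPropList, and make_key and the demo functions are hypothetical names. It builds "instance.class" into a caller-supplied buffer and refuses (rather than truncating or overflowing) when the result, including the terminating NUL, does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Build "instance.cls" into buf (capacity cap bytes).
 * Returns 0 on success; returns -1 and leaves buf as "" if any argument
 * is missing or the key would not fit. snprintf reports the length the
 * full string would need, so n >= cap means it was truncated. */
int make_key(char *buf, size_t cap, const char *instance, const char *cls)
{
    if (buf == NULL || cap == 0 || instance == NULL || cls == NULL)
        return -1;
    buf[0] = '\0';
    int n = snprintf(buf, cap, "%s.%s", instance, cls);
    if (n < 0 || (size_t)n >= cap) {
        buf[0] = '\0';          /* do not hand back a partial key */
        return -1;
    }
    return 0;
}

/* Constructed input: a 250-character argv[0]-style instance name, like the
 * doexec reproduction in the message. Returns 1 if it is rejected. */
int demo_overlong_instance_rejected(void)
{
    char instance[251];
    memset(instance, 'A', 250);
    instance[250] = '\0';
    char buffer[256];
    return make_key(buffer, sizeof buffer, instance, "XBill") == -1;
}

/* Ordinary "xbill.XBill" key fits and is built exactly. Returns 1 if so. */
int demo_normal_instance_ok(void)
{
    char buffer[256];
    if (make_key(buffer, sizeof buffer, "xbill", "XBill") != 0)
        return 0;
    return strcmp(buffer, "xbill.XBill") == 0;
}

int main(void)
{
    printf("overlong instance rejected: %d\n", demo_overlong_instance_rejected());
    printf("normal instance ok:         %d\n", demo_normal_instance_ok());
    return 0;
}
```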

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null