Date: Sun, 22 Aug 1999 23:51:20 -0400
From: Stan Bubrouski <security@MailAndNews.com>
To: linux-alert@redhat.com
Subject: [linux-security] Buffer Overflows in WindowMaker/LibPropList

Back in June, when I was fooling around with some programs I was writing, I found a serious buffer overflow in WindowMaker 0.60.0 and 0.52, but I assume previous versions are vulnerable as well. By replacing argv[0] of a program with a string longer than 249 characters, it is possible to overflow one of the program's buffers, causing it, and possibly X as well, to crash. It is assumed this can be exploited remotely if you run an insecure X server. By default, some distributions of Linux like RedHat come with X configured to allow everyone in the outside world access to your X server.

Anyway, here is the guilty section of code, from wdefaults.c:

    ...
    char buffer[256];
    ...
    ...
    if (class && instance)
        key1 = PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
    else

The problem is obvious. But it gets worse. That line of code occurs more than once in WindowMaker, and besides that there are several other overflows possible by using long program names. To see if you're vulnerable, fire up WindowMaker and in an xterm window or whatever try:

    doexec xbill `perl -e 'print "A" x 250;'`

That will replace argv[0] with 250 A's. Doexec is a program that comes installed by default on RedHat systems; all it does is replace argv[x] values. I used it because it's the easiest way to illustrate the problem.

Unfortunately, the problem gets even more complicated. While I tried to figure out a fix for the problem, I started getting crashes from LibPropList. Apparently that too is full of bad programming, because PLMakeString() overflows when it receives large strings, over 256 characters in length I think. I discovered this over 2 months ago, so I may have left something out.
WindowMaker 0.60.0 has some sort of thing going that catches crashes, but it may still be exploitable; you'll have to try it to see what I mean. Version 0.52 is definitely exploitable. If you wanna get more details, just start WindowMaker from gdb and watch it go bye-bye.

-Stan Bubrouski
root@mailandnews.com
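The overflow described in the report, as an added example that is not part of the original post and not WindowMaker's or LibPropList's code: the strcpy/strcat key-building pattern quoted from wdefaults.c beside a bounded replacement that refuses an argv[0] that would not fit, plus a length calculation you can use to see where the 256-byte buffer stops being enough. The class name "XBill" for the doexec xbill test, and the resulting 249/250 boundary, are assumptions for illustration; a different class length shifts the boundary by the same amount.

```c
/*
 * Added example (not code from WindowMaker or LibPropList): the unchecked
 * strcpy/strcat pattern from the report next to a bounded version.
 * "cls" stands for the "class" variable in the quoted snippet.
 */
#include <stdio.h>
#include <string.h>

#define KEYBUF 256 /* same size as the buffer quoted from wdefaults.c */

/* The shape of the bug: instance + "." + cls copied into a fixed buffer with
 * no length check. argv[0] of an X client becomes "instance", so a long
 * program name writes past the end of the caller's stack buffer.
 * Kept only for comparison; never feed it untrusted input. */
char *make_key_unsafe(char *buffer, const char *instance, const char *cls)
{
    return strcat(strcat(strcpy(buffer, instance), "."), cls);
}

/* Bytes needed to hold "instance.cls" including the terminating NUL. */
size_t key_length_needed(const char *instance, const char *cls)
{
    return strlen(instance) + 1 + strlen(cls) + 1;
}

/* Bounded replacement: writes "instance.cls" into buffer and returns 1 if it
 * fits in bufsize; otherwise leaves buffer as "" and returns 0 so the caller
 * can fall back to a default key instead of continuing with a truncated one. */
int make_key_safe(char *buffer, size_t bufsize, const char *instance, const char *cls)
{
    if (bufsize == 0)
        return 0;
    if (key_length_needed(instance, cls) > bufsize) {
        buffer[0] = '\0';
        return 0;
    }
    int n = snprintf(buffer, bufsize, "%s.%s", instance, cls);
    return n >= 0 && (size_t)n < bufsize;
}

/* Fills dst with n copies of c (capped to cap - 1), standing in for the
 * long argv[0] that doexec installs in the report's test. */
void repeat_char(char *dst, size_t cap, size_t n, char c)
{
    if (cap == 0)
        return;
    if (n >= cap)
        n = cap - 1;
    memset(dst, c, n);
    dst[n] = '\0';
}

int main(void)
{
    char key[KEYBUF];
    char longname[512];
    size_t lens[] = { 5, 249, 250 }; /* constructed argv[0] lengths */

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        repeat_char(longname, sizeof longname, lens[i], 'A');
        /* "XBill" is an assumed class name for the xbill test in the report. */
        size_t need = key_length_needed(longname, "XBill");
        int ok = make_key_safe(key, sizeof key, longname, "XBill");
        printf("argv[0] of %3zu chars: needs %3zu bytes, buffer %d -> %s\n",
               lens[i], need, KEYBUF, ok ? "fits" : "rejected (would overflow)");
    }

    /* The unsafe variant is only ever called here with a short, safe name. */
    make_key_unsafe(key, "xterm", "XTerm");
    printf("unsafe pattern with short name: %s\n", key);
    return 0;
}
```

With a five-character class, a 249-character argv[0] needs exactly 256 bytes and fits; one more character needs 257 and is rejected, which is where the original strcpy/strcat chain would start writing past the buffer.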