
Date:         Mon, 29 May 2000 15:47:52 -0700
From: COVERT Labs <seclabs@NAI.COM>
Subject:      [COVERT-2000-06] Initialized Data Overflow in Xlock
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                     Network Associates, Inc.
                  COVERT Labs Security Advisory
                          May 29, 2000

                  Initialized Data Overflow in Xlock

                         COVERT-2000-06
______________________________________________________________________

o Synopsis

An implementation vulnerability in xlock allows global variables in
the initialized data section of memory to be overwritten.  This
creates the potential for local users to view the contents of xlock's
memory, including the shadowed password file, after root privileges
have been dropped.

RISK FACTOR: HIGH
______________________________________________________________________

o Vulnerable Systems

All versions of xlockmore prior to and including 4.16 contain the
overflow.  Whether a given vendor's build is exploitable depends on how
it obtains password hashes: a build that reads the shadow password file
into its own memory can be made to disclose it, while one that never
holds the hashes (for example, one that authenticates through PAM) has
nothing to leak.

Vendors known to distribute vulnerable versions of xlockmore as either
part of the base operating system or as third-party downloadable
solutions include: FreeBSD, NetBSD, OpenBSD, Debian GNU/Linux,
TurboLinux, SCO OpenServer and UnixWare.

______________________________________________________________________

o Vulnerability Overview

The xlock program locks an X server until a valid password is
entered.  The -mode command line option lets a user change the display
shown while the server is locked.  xlock is installed with the
privileges needed to read password hashes, and it drops them as early
as possible.  An overflow in the handling of the -mode argument allows
a local user to reveal arbitrary portions of xlock's address space,
including the shadow password file.

______________________________________________________________________

o Technical Information

The buffer overflow in xlock is not a traditional overflow: by the
time it is triggered all privileges have been dropped, so hijacking
control flow would gain nothing.  The global variables overflowed are
in the initialized data section (.data) of memory, and shellcode is
not used for exploitation; the attack instead redirects pointers so
that xlock discloses its own memory.

Upon initialization, xlock reads the shadow password file to obtain
the current user's password hash, then immediately relinquishes
privileges.  The password hashes, including those of users other than
the one running xlock, remain in xlock's memory and stay accessible
to it after the privilege drop.
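A hardening illustration in C for the point above, added here and not
taken from xlockmore: read the shadow data once while privileged, keep
only the invoking user's hash field in a fixed buffer, and wipe the
scratch copy that held every other user's hash before privileges are
dropped.  The shadow text is constructed for the example (the hashes are
placeholders, not real), and load_user_hash(), secure_wipe() and
hash_matches() are names chosen for it, not xlock functions.

```c
#include <stdio.h>
#include <string.h>

#define HASH_MAX 128

/* Constructed shadow(5) content; the hash fields are placeholders. */
static const char constructed_shadow[] =
    "root:$1$constructed$RootPlaceholderHash:11111:0:99999:7:::\n"
    "daemon:*:11111:0:99999:7:::\n"
    "alice:$1$constructed$AlicePlaceholderHash:11111:0:99999:7:::\n";

/* Zeroing through a volatile pointer so the optimizer cannot drop it
 * (explicit_bzero/memset_s are not available everywhere). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy only `user`'s hash field out of shadow-format text into `out`.
 * The scratch buffer that held every line is wiped before return, so
 * nothing but the one needed hash survives the privilege drop.
 * Returns 0 on success, -1 if the user is absent or the hash does not fit. */
int load_user_hash(const char *shadow_text, const char *user,
                   char *out, size_t outsz)
{
    char scratch[1024];
    int rc = -1;
    size_t n = strlen(shadow_text), ulen = strlen(user);
    if (n >= sizeof scratch) return -1;
    memcpy(scratch, shadow_text, n + 1);  /* stands in for reading the file as root */

    const char *line = scratch;
    for (;;) {
        const char *nl = strchr(line, '\n');
        size_t llen = nl ? (size_t)(nl - line) : strlen(line);
        const char *colon = memchr(line, ':', llen);
        if (colon && (size_t)(colon - line) == ulen &&
            memcmp(line, user, ulen) == 0) {
            const char *hash = colon + 1;           /* second field */
            size_t rest = llen - (size_t)(hash - line);
            const char *end = memchr(hash, ':', rest);
            size_t hlen = end ? (size_t)(end - hash) : rest;
            if (hlen < outsz) {                     /* bounded copy */
                memcpy(out, hash, hlen);
                out[hlen] = '\0';
                rc = 0;
            }
            break;
        }
        if (!nl) break;
        line = nl + 1;
    }
    secure_wipe(scratch, sizeof scratch);           /* other users' hashes gone */
    return rc;
}

/* 1 if `user`'s stored hash equals `expected`, 0 if it differs, -1 if the
 * lookup fails.  Used by main() below and by tests. */
int hash_matches(const char *user, const char *expected)
{
    char buf[HASH_MAX];
    if (load_user_hash(constructed_shadow, user, buf, sizeof buf) != 0)
        return -1;
    int eq = strcmp(buf, expected) == 0;
    secure_wipe(buf, sizeof buf);
    return eq;
}

int main(void)
{
    printf("alice: %d, bob: %d\n",
           hash_matches("alice", "$1$constructed$AlicePlaceholderHash"),
           hash_matches("bob", "anything"));
    return 0;
}
```

Caveat: getspnam(3) returns a pointer into libc's static storage, which
the caller cannot reliably scrub, so a locker that calls it still risks
leaving the last looked-up entry around.  The more robust design is not
to handle hashes in-process at all and to authenticate through PAM,
which is why the Debian entry in the Resolution section is not
exploitable.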

When the -mode command line option is specified, a strcpy() occurs in
the function checkResources().  The argument to -mode is copied into
a small buffer allocated on the initialized data section (.data)
called old_default_mode.  If an arbitrarily large command line
argument is specified, numerous global variables in the initialized
data section will be overrun, including: genTable, modeTable,
cmdlineTable, earlyCmdlineTable, and opDesc.

When an unknown -mode type is specified, as will occur when a large
command line option is provided, the program aborts using a function
called Syntax() defined in resources.c.  The purpose of the Syntax()
function is to provide information regarding any "bad command line
options" and then print a complete list of the correct options.

The Syntax() function utilizes the global variable opDesc, which can
be overwritten via the command line argument to -mode.  The opDesc
buffer is allocated as an array of OptionStruct structures, each
containing two character pointers as defined in mode.h.  The first
pointer provides the name of a command line option and the second a
description of the option.

The Syntax() function walks the array of OptionStruct structures in
opDesc printing both the name and description of the command line
options.  Overwriting the opDesc buffer with addresses pointing to
the shadow password file stored in memory results in the Syntax()
function printing the shadow password file instead of the command
line options.
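The overflow and the opDesc hijack described above, as an added model in
C that is not xlockmore's code.  The struct layout, the shadow_cache
contents and the helper names are assumptions made for the example: in
the real program old_default_mode and opDesc are separate globals whose
adjacency is decided by the linker, and the copy is a strcpy().  This
model replaces strcpy() with a length-carrying memcpy() so the pointer
bytes in the payload survive on 64-bit hosts, where an address contains
zero bytes that strcpy() would stop at (32-bit targets of 2000 did not
have that problem).  The hardened variant bounds the copy; it is
illustrative, not the 4.16.1 patch itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* OptionStruct as described for mode.h: option name and description. */
typedef struct {
    const char *name;
    const char *desc;
} OptionStruct;

/* Layout model (assumption): the overflowed .data buffer followed directly
 * by the pointer table that Syntax() walks. */
struct xlock_globals {
    char old_default_mode[16];   /* small buffer filled from -mode */
    OptionStruct opDesc[2];      /* walked by Syntax() on a bad option */
};

/* Constructed stand-in for shadow lines read as root and kept after the
 * privilege drop.  Not real hashes. */
static char shadow_cache[] =
    "root:$1$constructed$NotARealHash:11111:0:99999:7:::\n"
    "alice:$1$constructed$NotARealHashEither:11111:0:99999:7:::\n";

static struct xlock_globals g = {
    "",
    { { "-mode", "animation to run while locked" },
      { "-nice", "niceness of the locker" } }
};

/* Vulnerable path: the -mode value is copied with no length check, so a
 * long value runs past old_default_mode into opDesc. */
static void check_resources_vuln(struct xlock_globals *gl,
                                 const unsigned char *arg, size_t len)
{
    memcpy(gl->old_default_mode, arg, len);
}

/* Hardened path: reject any value that does not fit with its terminator.
 * Returns -1 for the "bad command line option" (Syntax()) path. */
static int check_resources_fixed(struct xlock_globals *gl,
                                 const unsigned char *arg, size_t len)
{
    if (len >= sizeof gl->old_default_mode)
        return -1;
    memcpy(gl->old_default_mode, arg, len);
    gl->old_default_mode[len] = '\0';
    return 0;
}

/* Model of Syntax(): render "name<TAB>desc" for every opDesc entry. */
static size_t syntax_render(const struct xlock_globals *gl,
                            char *out, size_t outsz)
{
    size_t used = 0;
    for (size_t i = 0; i < sizeof gl->opDesc / sizeof gl->opDesc[0]; i++) {
        int n = snprintf(out + used, outsz - used, "%s\t%s\n",
                         gl->opDesc[i].name, gl->opDesc[i].desc);
        if (n < 0 || (size_t)n >= outsz - used) break;
        used += (size_t)n;
    }
    return used;
}

/* Payload: fill old_default_mode, then overwrite opDesc[0].name with the
 * address of shadow_cache so Syntax() prints the hashes as an option name. */
static size_t build_payload(unsigned char *buf, size_t bufsz)
{
    const char *leak = shadow_cache;
    size_t fill = offsetof(struct xlock_globals, opDesc);
    if (bufsz < fill + sizeof leak) return 0;
    memset(buf, 'A', fill);
    memcpy(buf + fill, &leak, sizeof leak);  /* raw pointer bytes, host order */
    return fill + sizeof leak;
}

/* 1 if the vulnerable build's Syntax() output contains a shadow line and
 * the fixed build rejects the value with its table intact, else 0. */
int demo(void)
{
    unsigned char payload[64];
    char out[512];
    size_t plen = build_payload(payload, sizeof payload);
    struct xlock_globals vuln = g, fixed = g;

    check_resources_vuln(&vuln, payload, plen);
    syntax_render(&vuln, out, sizeof out);
    int leaked = strstr(out, "root:$1$") != NULL;

    int rc = check_resources_fixed(&fixed, payload, plen);
    syntax_render(&fixed, out, sizeof out);
    int intact = rc == -1 && strstr(out, "root:$1$") == NULL &&
                 fixed.opDesc[0].name == g.opDesc[0].name;
    return leaked && intact;
}

int main(void)
{
    printf("%s\n", demo() ? "vulnerable build leaks, fixed build rejects"
                          : "unexpected result");
    return 0;
}
```

The test of exploitability on a real build is the same as in the model:
whether the bytes written past the buffer land on a pointer that an
error path later dereferences for output.  Bounding the copy removes the
write; keeping the hashes out of the process entirely removes the
payoff.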

______________________________________________________________________

o Resolution

An official xlockmore patch is available at:

ftp://ftp.tux.org/pub/tux/bagleyd/xlockmore/index.html

either xlockmore-4.16.1.tar.gz or xlockmore-4.16-4.16.1.diff.gz.

Vendor Information:

FreeBSD

The vulnerable xlockmore is distributed as part of the FreeBSD port
collection in versions prior to and including 4.0. A new version of
xlockmore can be obtained by downloading a new port skeleton from:

http://www.freebsd.org/ports/

NetBSD

The vulnerable xlockmore is distributed as part of the NetBSD
packages collection in versions prior to and including 1.4.2.
Information regarding the package collection is available from:

http://www.netbsd.org/Documentation/software/packages.html

and further information for upgrading the xlockmore package can be
obtained from:

ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html

OpenBSD

The vulnerable xlockmore is distributed as part of the OpenBSD port
collection in versions prior to and including 2.6. OpenBSD 2.7 will
ship with the issue resolved. An OpenBSD 2.6 patch is available from:

http://www.openbsd.org/errata26.html#xlockmore

OpenBSD's default password scheme (bcrypt) uses a 128-bit salt and a
Blowfish-based hash with a configurable cost, 2^8 rounds at the time
of writing, designed to resist optimization so that a leaked hash
remains expensive to crack off-line.  This raises the cost of using a
disclosed hash; it does not remove the need to patch.  Further
information regarding the password scheme and the limitations of
cracking OpenBSD passwords is available from:

http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3
http://www.openbsd.org/events.html#usenix99

Debian GNU/Linux

The vulnerable xlockmore was shipped with Debian 2.1.  Debian 2.2 and
later are not exploitable because their xlockmore authenticates through
PAM rather than reading the shadow file itself.  Debian updates are
available from:

Source archives:
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-4.1.diff.gz
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-4.1.dsc

Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore-gl_4.12-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore_4.12-4.1_alpha.deb

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore-gl_4.12-4.1_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore_4.12-4.1_i386.deb

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore-gl_4.12-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore_4.12-4.1_m68k.deb

Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore-gl_4.12-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore_4.12-4.1_sparc.deb

TurboLinux

TurboLinux currently does not utilize shadowed password files, although
updates for the xlockmore package and srpm are available from:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/xlockmore-4.16.1-1.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xlockmore-4.16.1-1.src.rpm

For additional security updates, TurboLinux advisories, and security
alert mailing list information, please visit

http://www.turbolinux.com/security/index.html

SCO OpenServer and UnixWare

Xlockmore is available as part of SCO Skunkware. A new version of
xlockmore that addresses this security vulnerability is available
from:

http://www.sco.com/skunkware

______________________________________________________________________

o Credits

This vulnerability was discovered by Brock Tellier with additional
research by Anthony Osborne at the COVERT Labs of PGP Security, Inc.

______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert@nai.com

______________________________________________________________________

o  Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOTLzl6F4LLqP1YESEQICZQCeKXnT5+U7ClfwWNAPl7XBvkhuQ6MAoPjl
YYp6A1xsjCIpnlFJVWPzKcBl
=Aj7k
-----END PGP SIGNATURE-----