TUCoPS :: Unix :: General

TUCoPS :: Unix :: General :: ciacl001.htm
Linux/BSD Initialized data overflow in Xlockmore

Linux/BSD Initialized data overflow in Xlockmore Privacy and Legal Notice CIAC INFORMATION BULLETIN L-001: Linux/BSD Initialized data overflow in Xlockmore October 9, 2000 21:00 GMT

PROBLEM: The xlockmore program has a buffer overflow issue with the use of the '-mode' option. It is possible to read a part of the xlockmore address space, which includes the shadow password file. PLATFORM: FreeBSD versions prior to and including 4.0 NetBSD versions prior to and including 1.4.2 OpenBSD versions prior to and including 2.6 Debian Linux Version 2.1 SCO Skunkware DAMAGE: The xlockmore program places password hashes into the initialized data section of memory. Permissions are dropped after the users hash is read. A malicious individual can retrive the hashes and run a cracker program to obtain passwords. SOLUTION: Follow the recommendations outlined by the advisory. ______________________________________________________________________________ VULNERABILITY The risk is HIGH, due to the possible compromise of system ASSESSMENT: passwords and the exploit is publicly available. ______________________________________________________________________________ [****** Begin Beyond-Security's SecuriTeam Advisory******] Title 30/5/2000 Initialized data overflow in Xlock Summary An implementation flaw in xlock allows global variables in the initialized data section of memory to be overwritten. This opens a security hole where local users can view the contents of xlock's memory - including the shadowed password file - after root privileges have been dropped. Details Vulnerable systems: All versions of xlockmore prior to and including 4.16 are vulnerable. The xlock program locks an X server until a valid password is entered. The command line option -mode provides a user with a mechanism to change the default display shown when the X server is locked. Xlock is installed with privileges to obtain password information, although these are dropped as quickly as possible. An overflow in the -mode command line option allows a malicious attacker to reveal arbitrary portions of xlock's address space including the shadow password file. The buffer overflow in xlock is not a traditional overflow since all privileges have been dropped. The global variables overflowed are in the initialized data section (.data) of memory and shellcode is not used for exploitation. Upon initialization, xlock reads the shadow password file to obtain the current users password hash, and then immediately relinquishes privileges. The password hashes, including those not belonging to the user running xlock, are stored in memory and continue to be accessible by xlock. When the -mode command line option is specified, a strcpy() occurs in the function checkResources(). The argument to -mode is copied into a small buffer allocated on the initialized data section (.data) called old_default_mode. If an arbitrarily large command line argument is specified, numerous global variables in the initialized data section will be overrun, including: genTable, modeTable, cmdlineTable, earlyCmdlineTable, and opDesc. When an unknown -mode type is specified, for example when a large command line option is provided, the program aborts using a function called Syntax() defined in resources.c. The purpose of the Syntax() function is to provide information regarding any "bad command line options" and then print a complete list of the correct options. The Syntax() function utilizes the global variable opDesc which can be overwritten via the command line argument to -mode. The opDesc buffer is allocated as an array of OptionStruct structures, each containing two character pointers as defined in mode.h. The first pointer provides the name of a command line option and the second a description of the option. The Syntax() function walks the array of OptionStruct structures in opDesc printing both the name and description of the command line options. Overwriting the opDesc buffer with addresses pointing to the shadow password file stored in memory results in the Syntax() function printing the shadow password file instead of the command line options. Solution: An official xlockmore patch is available at: ftp://ftp://ftp.tux.org/pub/tux/bagleyd/xlockmore/index.html Download either xlockmore-4.16.1.tar.gz or xlockmore-4.16-4.16.1.diff.gz. Vendor Information: FreeBSD The vulnerable xlockmore is distributed as part of the FreeBSD port collection in versions prior to and including 4.0. A new version of xlockmore can be obtained by downloading a new port skeleton from: http://www.freebsd.org/ports/ NetBSD The vulnerable xlockmore is distributed as part of the NetBSD packages collection in versions prior to and including 1.4.2. Information regarding the package collection is available from: http://www.netbsd.org/Documentation/software/packages.html Further information for upgrading the xlockmore package can be obtained from: ftp://ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html OpenBSD The vulnerable xlockmore is distributed as part of the OpenBSD port collection in versions prior to and including 2.6. OpenBSD 2.7 will ship with the issue resolved. An OpenBSD 2.6 patch is available from: http://www.openbsd.org/errata26.html#xlockmore OpenBSD has adopted a password scheme which utilizes a 128 bit salted, 2^8 round blowfish hash specifically designed such that it cannot be optimized. Further information regarding the password scheme and the limitations of cracking OpenBSD passwords is available from: http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3 http://www.openbsd.org/events.html#usenix99 Debian GNU/Linux The vulnerable xlockmore problem was distributed with Debian 2.1 although Debian 2.2 and above are not exploitable since they use PAM. Debian updates are available from: Source archives: http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-.1.diff.gz http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-.1.dsc Alpha architecture: http://security.debian.org/dists/stable/updates/binary-alpha/xlockmoregl_4.12-4.1_alpha.deb http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore4.12-4.1_alpha.deb Intel ia32 architecture: http://security.debian.org/dists/stable/updates/binary-i386/xlockmore-l_4.12-4.1_i386.deb http://security.debian.org/dists/stable/updates/binary-i386/xlockmore_.12-4.1_i386.deb Motorola 680x0 architecture: http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore-l_4.12-4.1_m68k.deb http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore_.12-4.1_m68k.deb Sun Sparc architecture: http://security.debian.org/dists/stable/updates/binary-sparc/xlockmoregl_4.12-4.1_sparc.deb http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore4.12-4.1_sparc.deb TurboLinux TurboLinux currently does not utilize shadowed password files, although updates for the xlockmore package and srpm are available from: ftp://ftp://ftp.turbolinux.com/pub/updates/6.0/security/xlockmore-4.16.1-1.i86.rpm ftp://ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xlockmore-4.16.1-1.src.pm For additional security updates, TurboLinux advisories, and security alert mailing list information, please visit http://www.turbolinux.com/security/index.html SCO OpenServer and UnixWare Xlockmore is available as part of SCO Skunkware. A new version of xlockmore that addresses this security vulnerability is available from: http://www.sco.com/skunkware Additional information The information has been provided by: seclabs@NAI.COM [****** End Beyond-Security's SecuriTeam Advisory******]

CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]