Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.114 -- NetBSD Security Advisory 2000-003 Exploitable Vulnerability in Xlockmore 01 June 2000 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xlockmore Vendor: NetBSD Operating System: NetBSD Platform: N/A Impact: Access Privileged Data Access Required: Local, Any - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-003 ================================= Topic: Exploitable Vulnerability in Xlockmore Version: NetBSD pkgsrc prior to 11th May 2000. Severity: xlock can be manipulated to print the shadow password information Abstract ======== The advisory outlines how xlock can be manipulated to print the shadow password information even though it drops root privileges before an overflow occurs. To quote from the NAI advisory: "The xlock program locks an X server until a valid password is entered. The command line option -mode provides a user with a mechanism to change the default display shown when the X server is locked. xlock is installed with privileges to obtain password information, although these are dropped as early as possible. An overflow in the -mode command line option allows a malicious attacker to reveal arbitrary portions of xlock's address space including the shadow password file." Technical Details ================= Again, quoting from the NAI advisory: "The buffer overflow in xlock is not a traditional overflow since all privileges have been dropped, the global variables overflowed are in the initialized data section (.data) of memory and shellcode is not used for exploitation. "Upon initialisation xlock reads the shadow password file to obtain the current users password hash then immediately relinquishes privileges. The password hashes, including those not belonging to the user running xlock, are stored in memory and continue to be accessible by xlock. "When the -mode command line option is specified a strcpy() occurs in the function checkResources(). The argument to -mode is copied into a small buffer allocated on the initialized data section (.data) called old_default_mode. If an arbitrarily large command line argument is specified, numerous global variables in the initialized data section will be overrun, including genTable, modeTable, cmdlineTable, earlyCmdlineTable, and opDesc. "When an unknown -mode type is specified, as will occur when a large command line option is provided, the program aborts using a function called Syntax() defined in resources.c. The purpose of the Syntax() function is to provide information regarding any "bad command line options" and then print a complete list of the correct options. "The Syntax() function utilizes the global variable opDesc which can be overwritten via the command line argument to -mode. The opDesc buffer is allocated as an array of OptionStruct structures each containing two character pointers as defined in mode.h. The first pointer provides the name of a command line option and the second a description of the option. "The Syntax() function walks the array of OptionStruct structures in opDesc printing both the name and description of the command line options. Overwritting the opDesc buffer with addresses pointing to the shadow password file stored in memory results in the Syntax() function printing the shadow password file instead of the command line options." Solutions and Workarounds ========================= Versions of xlockmore up to, and including, version 4.16 are vulnerable. To find out the version of xlockmore installed on your NetBSD system, you can use pkg_info(1): pkg_info -e xlockmore If you have version 4.16 or lower, you should upgrade to version 4.16.1 of xlockmore, which has been part of the NetBSD packages collection since 11th May 2000. If xlockmore is not installed on your system, no output will be generated. If a vulnerable version of xlockmore is installed, then you can immediately remove the vulnerability by deleting the package - as root, type pkg_delete -v xlockmore To upgrade to version 4.16.1 of xlockmore, first make sure that you have a version of the pkgsrc hierarchy from 11th May 2000 or later. (See http://www.netbsd.org/Sites/net.html for ways to obtain NetBSD, and pkgsrc, its packages collection.) You can then install the new version of the package: cd pkgsrc/x11/xlockmore; make clean; make install There are also precompiled binary packages of xlockmore-4.16.1 for some NetBSD ports available from: ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html Thanks To ========= Jim Magdych <Jim_Magdych@NAI.com> Security Research Manager, Network Associates, Inc, for finding the vulnerability and alerting us, and David A. Bagley <bagleyd@bigfoot.com>, the xlock maintainer, who has provided an offical patch. Revision History ================ 2000/05/16 original draft. 2000/05/27 polish for release. More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-003.txt,v 1.3 2000/05/28 02:20:45 sommerfeld Exp $ - -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCUAwUBOTG4Fj5Ru2/4N2IFAQF+3wP44VobthmufU0MYidm/AxL880DOIOfJJC5 Grn/fSwY9gAyrP24SlXNNDmvRinMFexlJR2ZopRyuX+0MFxBKquHdXdaD7qwGRpP H8HAydMb5bV5+AZGX+achDWPWI9ikYZNM8h7NcujN9gCcmE7M371ordLSj7/em1b U2Pnr8X+Qw== =2QWU - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOXXVySh9+71yA2DNAQEo7QP+KS6RHa1UZHKfm4avlTAQhVzYyKpfgIJn IZsTjsNmbBhmBu5dV976cOyR2i4j2MBU9jt+4Tq0ygnDeKE8B/AyKrmE7qLIZ+MH zWNtZJ/22dVikAC4ipzXRe0YagJ/Zi5JkrjQ8LYjwbhD+hPgG8gi0+SuzWgpYHVy AYuA74U7Qds= =z80e -----END PGP SIGNATURE-----