From seclabs@nai.com Wed Jul 12 23:54:35 2000
From: COVERT Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 29 May 2000 15:47:52 -0700
Subject: [COVERT-2000-06] Initialized Data Overflow in Xlock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                       Network Associates, Inc.
                    COVERT Labs Security Advisory
                            May 29, 2000

                  Initialized Data Overflow in Xlock

                           COVERT-2000-06
______________________________________________________________________

o Synopsis

  An implementation vulnerability in xlock allows global variables in the
  initialized data section (.data) of memory to be overwritten. A local
  user can use this to read the contents of xlock's memory, including the
  shadowed password file that xlock read before it dropped root
  privileges.

  RISK FACTOR: HIGH
______________________________________________________________________

o Vulnerable Systems

  All versions of xlockmore up to and including 4.16 contain the overflow,
  although not every vendor's build is exploitable; that depends on how
  the shadowed password file is opened (a build that authenticates through
  PAM, for instance, is not exploitable). Vendors known to distribute
  vulnerable versions of xlockmore, either as part of the base operating
  system or as a third-party download, include: FreeBSD, NetBSD, OpenBSD,
  Debian GNU/Linux, TurboLinux, SCO OpenServer and UnixWare.
______________________________________________________________________

o Vulnerability Overview

  The xlock program locks an X server until a valid password is entered.
  The -mode command line option lets a user change the display shown while
  the server is locked. xlock is installed with the privileges needed to
  read password information, and drops them as early as possible.
  An overflow in the handling of the -mode argument lets a local attacker
  reveal arbitrary portions of xlock's address space, including the cached
  shadow password file.
______________________________________________________________________

o Technical Information

  This is not a traditional overflow: by the time it occurs xlock has
  already dropped its privileges, the variables overrun live in the
  initialized data section (.data) rather than on the stack, and no
  shellcode is used. Control flow is never hijacked; the attacker only
  changes what an existing code path prints.

  Upon initialization, xlock reads the shadow password file to obtain the
  current user's password hash, then immediately relinquishes privileges.
  The password hashes, including those of users other than the one running
  xlock, remain in memory and stay accessible to the process.

  When the -mode command line option is specified, checkResources() copies
  its argument with strcpy() into a small buffer in .data called
  old_default_mode. An arbitrarily long argument therefore overruns the
  global variables that follow it in .data, including genTable, modeTable,
  cmdlineTable, earlyCmdlineTable and opDesc.

  When an unknown -mode type is given, as necessarily happens with an
  oversized argument, the program aborts through Syntax(), defined in
  resources.c. Syntax() reports the "bad command line option" and then
  prints the complete list of valid options. To do so it uses the global
  opDesc, which the -mode argument can overwrite. opDesc is an array of
  OptionStruct structures, each holding two character pointers as defined
  in mode.h: the first is the name of a command line option, the second
  its description.
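  The layout and the leak just described, as an added example that is not
  code from xlockmore or from the advisory. It models old_default_mode and
  opDesc as adjacent .data objects (in xlock they are separate globals that
  the linker happened to place consecutively; a struct makes the adjacency
  deterministic), performs the unbounded copy of a -mode argument, and then
  runs a Syntax()-style loop over the table. The shadow_cache buffer and its
  hash line, the option table contents, the 16-byte buffer size, the
  demo_* drivers and the safe_set_mode() alternative are all assumptions
  made for the demo, not xlock's values or the 4.16.1 fix.

```c
/* Added example (not xlockmore's or the advisory's code) modelling the .data
 * pointer overwrite above. old_default_mode, OptionStruct, opDesc, Syntax() and
 * checkResources() are the advisory's names; the rest is constructed here. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name, *desc; } OptionStruct;   /* mode.h */
enum { MODE_LEN = 16, N_OPTS = 3 };

/* Separate globals in xlock that the linker placed back to back in .data;
 * a struct makes that adjacency deterministic for the demo. */
struct data_section {
    char old_default_mode[MODE_LEN];   /* strcpy() target in checkResources() */
    OptionStruct opDesc[N_OPTS];       /* table walked by Syntax() */
};
static const struct data_section initial = { "random",
    { { "-mode", "animation module" }, { "-delay", "frame delay" },
      { "-nice", "scheduling priority" } } };
static struct data_section g;

/* Constructed stand-in for the shadow entries xlock cached before dropping
 * root (demo string, not a real hash), and the last Syntax() output. */
static char shadow_cache[] = "root:$1$demo$notarealhash:11111:0:99999:7:::";
static char usage_text[512];

/* Syntax(): a legitimate loop; only the pointers it follows are hostile. */
static void syntax(char *out, size_t outlen)
{
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < N_OPTS && used < outlen; i++)
        used += snprintf(out + used, outlen - used, "%s\t%s\n",
                         g.opDesc[i].name, g.opDesc[i].desc);
}

/* The unbounded copy. xlock used strcpy() from argv; the demo copies an
 * explicit length so the payload can carry the zero bytes of a 64-bit pointer
 * (argv cannot, hence the original attack's NUL-free 32-bit addresses).
 * Clamped to sizeof g only so the demo itself stays in bounds. */
static void vulnerable_set_mode(const char *arg, size_t len)
{
    if (len > sizeof g)
        len = sizeof g;
    memcpy(&g, arg, len);               /* old_default_mode is at offset 0 */
}

/* -mode argument: filler up to opDesc, then every name/desc pointer set to
 * the address of shadow_cache (guessed blind by a real attacker, and fixed
 * without ASLR). buf must hold sizeof g + 1 bytes; NUL-terminated like argv. */
static size_t build_payload(char *buf)
{
    size_t off = offsetof(struct data_section, opDesc);
    OptionStruct forged[N_OPTS];
    for (int i = 0; i < N_OPTS; i++)
        forged[i].name = forged[i].desc = shadow_cache;
    memset(buf, 'A', off);
    memcpy(buf + off, forged, sizeof forged);
    buf[off + sizeof forged] = '\0';
    return off + sizeof forged;
}

/* Bounded alternative added here (not the xlockmore 4.16.1 patch): reject
 * what does not fit; never write past old_default_mode. */
static int safe_set_mode(const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof g.old_default_mode)
        return -1;
    memcpy(g.old_default_mode, arg, n + 1);
    return 0;
}

/* Returns 1 if the usage text now carries the cached shadow line. */
static int demo_vulnerable(void)
{
    char payload[sizeof g + 1];
    size_t len = build_payload(payload);
    g = initial;
    vulnerable_set_mode(payload, len);
    syntax(usage_text, sizeof usage_text);
    return strstr(usage_text, "root:$1$") != NULL;
}

/* Returns 1 if the same payload is rejected and opDesc survives intact. */
static int demo_hardened(void)
{
    char payload[sizeof g + 1];
    build_payload(payload);
    g = initial;
    int rejected = safe_set_mode(payload) == -1;
    syntax(usage_text, sizeof usage_text);
    return rejected && strcmp(g.opDesc[0].name, "-mode") == 0 &&
           strstr(usage_text, "root:$1$") == NULL;
}

int main(void)
{
    printf("vulnerable: leaked=%d\n", demo_vulnerable());
    fputs(usage_text, stdout);
    printf("hardened: safe=%d\n", demo_hardened());
    return 0;
}
```

  Both drivers return 1: the first because the option list now consists of
  the cached hash line three times over, the second because the bounded copy
  refuses the over-long argument and opDesc is untouched. Two points follow
  from the shape of the bug. A stack canary or non-executable memory would
  not have helped, since the destination is in .data and no return address
  or function pointer is involved; the fix is the bounds check at the copy.
  Independently, the advisory's observation that builds authenticating
  through PAM are not exploitable shows the other lever: a process that does
  not keep the hashes in its own memory has nothing for forged pointers to
  reach.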
  Syntax() walks the opDesc array, printing the name and description of
  each option through those pointers. Overwriting opDesc with pointers to
  the copy of the shadow password file held in memory therefore makes
  Syntax() print the shadow password file in place of the option list.
______________________________________________________________________

o Resolution

  An official xlockmore patch is available at:

    ftp://ftp.tux.org/pub/tux/bagleyd/xlockmore/index.html

  as either xlockmore-4.16.1.tar.gz or xlockmore-4.16-4.16.1.diff.gz.

  Vendor Information:

  FreeBSD

  The vulnerable xlockmore is distributed as part of the FreeBSD ports
  collection in versions up to and including 4.0. A fixed version can be
  obtained by downloading a new port skeleton from:

    http://www.freebsd.org/ports/

  NetBSD

  The vulnerable xlockmore is distributed as part of the NetBSD packages
  collection in versions up to and including 1.4.2. Information on the
  packages collection is available from:

    http://www.netbsd.org/Documentation/software/packages.html

  and instructions for upgrading the xlockmore package from:

    ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.h ml

  OpenBSD

  The vulnerable xlockmore is distributed as part of the OpenBSD ports
  collection in versions up to and including 2.6. OpenBSD 2.7 will ship
  with the issue resolved. A patch for OpenBSD 2.6 is available from:

    http://www.openbsd.org/errata26.html#xlockmore

  OpenBSD's password scheme is a Blowfish-based hash (bcrypt) with a
  128-bit salt and 2^8 rounds, designed specifically so that it cannot be
  optimized, which limits what an attacker can do with a leaked hash.
  Further information on the password scheme and on the limitations of
  cracking OpenBSD passwords is available from:

    http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3
    http://www.openbsd.org/events.html#usenix99

  Debian GNU/Linux

  The vulnerable xlockmore shipped with Debian 2.1. Debian 2.2 and later
  are not exploitable, since they authenticate through PAM. Debian updates
  are available from:

  Source archives:
    http://security.debian.org/dists/stable/updates/source/xlockmore_4.12- .1.diff.gz
    http://security.debian.org/dists/stable/updates/source/xlockmore_4.12- .1.dsc

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore gl_4.12-4.1_alpha.deb
    http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore 4.12-4.1_alpha.deb

  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/binary-i386/xlockmore- l_4.12-4.1_i386.deb
    http://security.debian.org/dists/stable/updates/binary-i386/xlockmore_ .12-4.1_i386.deb

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore- l_4.12-4.1_m68k.deb
    http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore_ .12-4.1_m68k.deb

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore gl_4.12-4.1_sparc.deb
    http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore 4.12-4.1_sparc.deb

  TurboLinux

  TurboLinux does not currently use shadowed password files, although
  updates for the xlockmore package and source RPM are available from:

    ftp://ftp.turbolinux.com/pub/updates/6.0/security/xlockmore-4.16.1-1.i 86.rpm
    ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xlockmore-4.16.1-1.src. pm

  For additional security updates, TurboLinux advisories and security
  alert mailing list information, please visit:

    http://www.turbolinux.com/security/index.html

  SCO OpenServer and UnixWare

  Xlockmore is available as part of SCO Skunkware.
  A new version of xlockmore that addresses this security vulnerability is
  available from:

    http://www.sco.com/skunkware
______________________________________________________________________

o Credits

  This vulnerability was discovered by Brock Tellier, with additional
  research by Anthony Osborne at the COVERT Labs of PGP Security, Inc.
______________________________________________________________________

o Contact Information

  For more information about the COVERT Labs at PGP Security, visit our
  website at http://www.nai.com/covert or send e-mail to covert@nai.com
______________________________________________________________________

o Legal Notice

  The information contained within this advisory is Copyright (C) 2000
  Networks Associates Technology Inc. It may be redistributed provided
  that no fee is charged for distribution and that the advisory is not
  modified in any way.

  Network Associates and PGP are registered Trademarks of Network
  Associates, Inc. and/or its affiliated companies in the United States
  and/or other Countries. All other registered and unregistered trademarks
  in this document are the sole property of their respective owners.
______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates

iQA/AwUBOTLzl6F4LLqP1YESEQICZQCeKXnT5+U7ClfwWNAPl7XBvkhuQ6MAoPjl
YYp6A1xsjCIpnlFJVWPzKcBl
=Aj7k
-----END PGP SIGNATURE-----