Back in June when I was fooling around with some programs I was writing, I
found a serious buffer overflow in WindowMaker 0.60.0 and 0.52, but I assume
previous versions are vulnerable as well. By replacing argv[0] of a program
with a string longer than 249 characters, it is possible to overflow one of
the program's buffers, causing it, and possibly X as well, to crash. It is
assumed this can be exploited remotely if you run an insecure X server. By
default some distributions of Linux like RedHat come with X configured to
allow everyone in the outside world access to your X-server. Anyway here is
the guilty section of code, from wdefaults.c:
...
char buffer[256];
...
...
if (class && instance)
key1 =
PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
else
The problem is obvious. But it gets worse. That line of code occurs more than
once in WindowMaker, and besides that there are several other overflows
possible by using long program names. To see if you're vulnerable, fire up
WindowMaker and in an xterm window or whatever try:
doexec xbill `perl -e'print "A" x 250;'`
That will replace argv[0] with 250 A's. Doexec is a program that comes
installed by default on RedHat systems; all it does is replace argv[x] values.
I used it because it's the easiest way to illustrate the problem.
Unfortunately the problem gets even more complicated. While I tried to figure
out a fix for the problem, I started getting crashes from LibPropList.
Apparently that too is full of bad programming as well, because
PLMakeString() overflows when it receives large strings, over 256 characters
in length I think. I discovered this over 2 months ago so I may have left
something out. WindowMaker 0.60.0 has some sort of thing going that catches
crashes but it may still be exploitable; you'll have to try it to see what I
mean. Version 0.52 is definitely exploitable. If you wanna get more details
just start windowmaker from gdb and watch it go bye-bye.
-Stan Bubrouski
root@mailandnews.com
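The bounded check that a fix for the strcpy/strcat chain in the post would need, as an added example in C; this is not code from the WindowMaker source or from the post. KEY_BUFSZ, make_key and key_fits_for_instance_len are names assumed here, and the "xbill"/"XBill" instance and class strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define KEY_BUFSZ 256  /* same size as the char buffer[256] quoted in the post */

/* Bounded replacement for strcat(strcat(strcpy(buffer,instance),"."),class).
 * Writes "instance.class" (NUL-terminated) into out and returns true when it
 * fits; returns false and leaves out as an empty string when it would overflow.
 * Name and signature are assumptions for this example. */
bool make_key(char *out, size_t outsz, const char *instance, const char *class)
{
    if (out == NULL || outsz == 0) return false;
    out[0] = '\0';
    if (instance == NULL || class == NULL) return false;
    size_t need = strlen(instance) + 1 + strlen(class) + 1; /* '.' plus NUL */
    if (need > outsz) return false;
    /* snprintf never writes past outsz and always NUL-terminates */
    int n = snprintf(out, outsz, "%s.%s", instance, class);
    return n >= 0 && (size_t)n < outsz;
}

/* Mirrors the doexec/perl test from the post: constructs an argv[0]-style
 * instance name of `len` 'A's and reports whether make_key accepts it with
 * the given class string into a KEY_BUFSZ buffer. */
bool key_fits_for_instance_len(size_t len, const char *class)
{
    char instance[1024];
    if (len >= sizeof instance) return false;
    memset(instance, 'A', len);
    instance[len] = '\0';
    char buffer[KEY_BUFSZ];
    return make_key(buffer, sizeof buffer, instance, class);
}

int main(void)
{
    char buffer[KEY_BUFSZ];
    if (make_key(buffer, sizeof buffer, "xbill", "XBill"))
        printf("key: %s\n", buffer);
    /* 250 'A's + "." + "XBill" + NUL = 257 bytes: rejected instead of overflowing */
    printf("250 A's accepted: %s\n",
           key_fits_for_instance_len(250, "XBill") ? "yes" : "no");
    return 0;
}
```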
Hi!
Can someone tell me where on the web I could find a list of
md5sums for all RedHat binaries in their different distributions
and the files in updates?
My current sources fail me and I haven't found a trustworthy source.
++ J
Date: Tue, 12 Oct 1999 20:50:45 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
To: redhat-watch-list@redhat.com
Subject: SECURITY: RHSA-1999:040 New PAM packages available
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: New PAM packages available
Advisory ID: RHSA-1999:040
Issue date: 10/13/1999
Updated on: 10/13/1999
Keywords: pam security login NIS server
Cross references: N/A
---------------------------------------------------------------------
1. Topic:
Under some network configurations PAM (Pluggable Authentication Modules)
will fail to lock access to disabled NIS accounts.
2. Problem description:
The PAM packages shipped with Red Hat Linux 6.1/Intel may allow access to
locked NIS accounts on certain network configurations. If you have a Red Hat
Linux 6.1 workstation performing authentication against a NIS server then
you are at risk. Red Hat recommends that you upgrade the PAM packages on
all Red Hat Linux 6.1 workstations to the versions announced in this
advisory.
Previous versions of Red Hat Linux are not affected by this problem.
3. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):
4. Relevant releases/architectures:
Red Hat Linux 6.1 for i386
5. Obsoleted by:
N/A
6. Conflicts with:
N/A
7. RPMs required:
ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
9fd42c57d02ac039093b6f94132eee0e SRPMS/pam-0.68-8.src.rpm
e8d5b9edf5dc9998ee19d91b7620f2ad i386/pam-0.68-8.i386.rpm
These packages are GPG signed by Red Hat Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
10. References:
Cristian
--
----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"How could this be a problem in a country where we have Intel and
Microsoft?" --Al Gore on Y2K