This is to announce that XMCD 2.1 patchlevel 0 has been released which
fixes all of the issues previously raised by David Meltzer. It also
contains a number of other minor feature and functionality enhancements.

The new version may be obtained via the xmcd web page at:

    http://sunsite.unc.edu/~cddb/xmcd/

Users of xmcd with older versions are encouraged to upgrade.

-Ti
--
XMCD - Motif CD player / CDA - Command line CD player
Ti Kan / AMB Research Laboratories
E-mail: xmcd@amb.org
URL: http://sunsite.unc.edu/~cddb/xmcd/

David J. Meltzer <davem@iss.net> wrote:
> There are security holes in XMCD 2.0pl2 (and presumably all previous
> versions), a popular audio cd player for numerous unix platforms, which
> allow a user defined environment variable to overflow a fixed size buffer
> resulting in a complete compromise of system security on machines with XMCD
> installed suid root.
> [ ... description deleted ]
> This is to announce that XMCD 2.1 patchlevel 0 has been released
> which fixes all of the issues previously raised by David Meltzer.
> It also contains a number of other minor feature and functionality
> enhancements.

I have obtained the 2.1 release of XMCD and through a cursory examination
of the code have uncovered another buffer overflow problem that appears to
be exploitable to gain root access on the system. I have not verified that
the hole is exploitable, although it definitely exists.

As I stated before, if you remove the suid bit from xmcd, then you do not
have to worry about upgrading other than for the new features that have
been added; whether you can still function xmcd without the suid bit varies
depending on your system.

I have a limited amount of time I can spend in examining source code, and
I apologize I am unable to find every potential hole in programs I examine.
I can provide no assurance that there are not additional security holes in
xmcd due to the limited nature of my examination of the code; to provide
some level of assurance would take a far more detailed examination that I
simply cannot devote the time to achieve for a non-critical piece of code
such as xmcd.

The offending line of code is in cdfunc.c in the cd_init() function:

    sprintf(titlestr, "%s %d", app_data.main_title, app_data.devnum);

The titlestr is defined to be char titlestr[STR_BUF_SZ]. The string
app_data.main_title is read from the XMcd resource file which will be read
from a user's home directory. A user can then modify the
XMcd*mainWindowTitle resource to an arbitrary length string.

Questions regarding XMCD should be sent to the maintainer at xmcd@amb.org.
Questions to CERT regarding this problem should be sent to cert@cert.org
referencing INFO#96.25542.

Program:                    xmcd 2.1 (and previous versions)
Affected Operating Systems: All with xmcd installed suid root
Requirements:               account on system
Patch:                      chmod -s xmcd
Security Compromise:        root
Reported By:                David J. Meltzer (davem@iss.net)
Synopsis:                   A buffer overflow in the XMcd*mainWindowTitle
                            resource allows a user to overwrite the contents
                            of the stack and execute arbitrary code as root.

<Tue | 12:53> [sn0p:davem] ~ >which xmcd
/usr/X11/bin/xmcd
<Tue | 12:53> [sn0p:davem] ~ >ls -l /usr/X11/bin/xmcd
-rws--x--x   1 root     bin      1048484 Nov 26 12:21 /usr/X11/bin/xmcd
<Tue | 12:53> [sn0p:davem] ~ >echo 'XMcd*mainWindowTitle: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > XMcd
<Tue | 12:54> [sn0p:davem] ~ >xmcd
Segmentation fault
<Tue | 12:54> [sn0p:davem] ~ >

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (770)395-1972
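The defect Meltzer points at is an unbounded sprintf() of a user-controlled resource value into a fixed-size stack buffer. The following is an added example, not code from xmcd or from the poster: it reproduces the pattern from the quoted cd_init() line next to a bounded rewrite that reports truncation, plus a pre-check a resource loader could apply before the value is ever formatted. The STR_BUF_SZ value (64), the app_data stand-in struct and the function names are assumptions for illustration; the real xmcd sizes and types are not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real STR_BUF_SZ used by xmcd is not on the page. */
#define STR_BUF_SZ 64

/* Minimal stand-in for the two app_data fields the quoted line uses. */
struct app_data_s {
    const char *main_title;   /* XMcd*mainWindowTitle resource: user-controlled */
    int devnum;
};

/* The pattern from the advisory: an unbounded sprintf into a fixed buffer.
 * A main_title long enough that "<title> <devnum>" exceeds STR_BUF_SZ - 1
 * bytes writes past the end of titlestr. Kept only for contrast with the
 * bounded form; never called here with an over-long title. */
static void build_title_unsafe(char titlestr[STR_BUF_SZ], const struct app_data_s *ad)
{
    sprintf(titlestr, "%s %d", ad->main_title, ad->devnum);
}

/* Bounded form: snprintf never writes more than STR_BUF_SZ bytes and always
 * NUL-terminates. Returns 0 when the whole title fit and -1 when it was
 * truncated (or on an encoding error), so the caller can fall back to a
 * default title instead of silently using a clipped one. */
static int build_title_safe(char titlestr[STR_BUF_SZ], const struct app_data_s *ad)
{
    int n = snprintf(titlestr, STR_BUF_SZ, "%s %d", ad->main_title, ad->devnum);
    if (n < 0) {
        titlestr[0] = '\0';   /* leave a valid empty string behind */
        return -1;
    }
    return (size_t)n < STR_BUF_SZ ? 0 : -1;
}

/* Pre-check for a resource loader: measure the formatted length with the
 * size-0 form of snprintf and reject values that would not fit. */
static int title_fits(const char *main_title, int devnum)
{
    int n = snprintf(NULL, 0, "%s %d", main_title, devnum);
    return n >= 0 && (size_t)n < STR_BUF_SZ;
}

/* Constructed inputs: a normal title and a 199-byte title of 'A's,
 * the shape of the resource value in the quoted session. */
static const char *short_title(void) { return "xmcd"; }

static void long_title(char *out, size_t outsz)
{
    memset(out, 'A', outsz - 1);
    out[outsz - 1] = '\0';
}

/* Exercise the bounded path on the over-long title. Returns the number of
 * bytes actually stored (STR_BUF_SZ - 1 when truncated) or -1 if the call
 * unexpectedly reported success. */
static int demo_long_title_truncated(void)
{
    char buf[STR_BUF_SZ];
    char big[200];
    struct app_data_s ad;

    long_title(big, sizeof big);
    ad.main_title = big;
    ad.devnum = 0;
    if (build_title_safe(buf, &ad) != -1)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    char buf[STR_BUF_SZ];
    struct app_data_s ok = { short_title(), 0 };

    build_title_unsafe(buf, &ok);   /* "xmcd 0" fits, so this one is harmless */
    printf("%s (fits=%d)\n", buf, title_fits(ok.main_title, ok.devnum));
    printf("long title: safe build stored %d bytes\n", demo_long_title_truncated());
    return 0;
}
```

The pre-check is the more useful of the two when the format string is reused in several places: validating the resource once at load time means no later formatting site has to remember its own bound. Either way, a truncated title is a signal that the resource value is not what the author of the defaults file intended and is worth logging.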
On Tue, 26 Nov 1996, David J. Meltzer wrote:
> I have obtained the 2.1 release of XMCD and through a cursory
> examination of the code have uncovered another buffer overflow problem
> that appear to be exploitable to gain root access on the system. I have
> not verified that the hole is exploitable, although it definitely exists.
> As I stated before, if you remove the suid bit from xmcd, then you do not
> have to worry about upgrading other than for the new features that have
> been added, whether you can still function xmcd without the suid bit
> varies depending on your system.

On a side tangent, I grabbed the 2.1 binary (since I don't have the motif
libraries under Linux...) and installed it. It's not setuid by default...

On a side tangent, the standard rule of thumb is: "If a program doesn't
really need SUID/GID, don't give it SUID/GID." ... Doesn't fix the buffer
overrun, but it doesn't give the user root either...

--
-----------------------------------------------------------------------------
Theo Van Dinter                      www: http://www.kluge.net/~felicity/
Vice-President WPI Lens and Lights   Active Member in SocComm Films
Member of WPI ACM                    AME for the Masque B-Term Show
Guillotine operators get severance pay.
-----------------------------------------------------------------------------