Buffer Overflow Attacks: Detect, Exploit, Prevent

Case Study 2.3: X11R6 4.2 XLOCALEDIR Overflow

Overview

In the past, libraries were often largely overlooked by researchers attempting to find new security vulnerabilities. In Case Study 12.2 we will see that vulnerabilities present in libraries can negatively influence the programs that utilize those libraries. The X11R6 4.2 XLOCALEDIR overflow is a similar issue. The X11 libraries contain a vulnerable strcpy call that affects other local system applications across a variety of platforms. Any setuid binary on a system that utilizes the X11 libraries as well as the XLOCALEDIR environment variable has the potential to be exploitable.

XLOCALEDIR Vulnerability Details and Analysis

We start off with merely the knowledge that there is a bug present in the handling of the XLOCALEDIR environment variable within the current (in this case version 4.2) installation of X11R6. Often, in real world exploit development scenarios, an exploit developer will find out about a bug via a brief IRC message orrumor, a vague vendor issued advisory, or a terse CVS commit note such as "fixed integer overflow bug in copyout function". Even starting with very little information, we can reconstruct the entire scenario. First we figure out what the XLOCALEDIR environment variable actually is.

According to RELNOTES-X.org from the X11R6 4.2 distribution, XLOCALEDIR: "Defaults to the directory $ProjectRoot/lib/X11/locale. The XLOCALEDIR variable can contain multiple colon-separated pathnames." Since we are only concerned with X11 applications that run as a privileged user, in this case root, we perform a basic find request:

$ find /usr/X11R6/bin  perm -4755/usr/X11R6/bin/xlock/usr/X11R6/bin/xscreensaver/usr/X11R6/bin/xterm

Other applications besides the ones returned by...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Bug Tracking Software
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.