Re: libX11 overflow continued....

David Hedley (hedley@CS.BRIS.AC.UK)
Fri, 30 May 1997 15:14:19 +0100

>>>>> "LG" == Lamont Granquist <lamontg@hitl.washington.edu> writes:
[snip]
LG> Of course this probably just moves the buffer overflow into xrdb
LG> -merge, (correct, David?)

Correct. It is still possible to upload exploit code to the X server via
xrdb -merge as you suggest. When xterm grabs its resources off the X
server it parses them in the same way and hence is still vulnerable. I
can't see how any wrapper can prevent this.

e.g. try the following:

$ a='gerbil'
$ for b in 1 2 3 4 5 6 7 8 9 10; do a=$a$a; done
$ echo XTerm.$a: x > /tmp/test
$ xrdb -merge /tmp/test
$ xterm

xterm should then segmentation fault/core dump. There are probably a few
restrictions on what ASCII values can be in the exploit code, but
initial impressions suggest it would still be very easy to write an
exploit that didn't use them....YMMV.

David

--
 David Hedley (hedley@cs.bris.ac.uk)
 finger hedley@cs.bris.ac.uk for PGP key
 Computer Graphics Group | University of Bristol | UK
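Added example, not part of the post and not the X11 sources: a bounded parser for one "Name: value" resource line in C, with an assumed 256-byte name cap (the real libX11 limit is not given in the thread), that rejects the oversized line the post constructs instead of copying it into a fixed buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed cap on a resource name; the real libX11 limit is not given in the post. */
#define RES_NAME_MAX 256

typedef struct {
    char name[RES_NAME_MAX];
    const char *value;   /* points into the caller's line */
} resource_t;

/* Parse one "Name: value" resource line. Returns 0 on success, -1 if the
 * line has no ':' or the name would not fit. The length is checked before
 * any copy, unlike an unchecked copy into a fixed buffer, which is the
 * pattern the post's overlong name triggers. */
int parse_resource_line(const char *line, resource_t *r)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;
    size_t name_len = (size_t)(colon - line);
    while (name_len > 0 && (line[name_len - 1] == ' ' || line[name_len - 1] == '\t'))
        name_len--;                          /* trim blanks before ':' */
    if (name_len == 0 || name_len >= sizeof r->name)
        return -1;                           /* reject, do not truncate */
    memcpy(r->name, line, name_len);
    r->name[name_len] = '\0';
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')
        v++;                                 /* skip blanks after ':' */
    r->value = v;
    return 0;
}

/* Build the line the post constructs ("XTerm." + 1024 copies of "gerbil"
 * + ": x", i.e. the shell loop doubling "gerbil" ten times) and return 1
 * if the parser rejects it. */
int overlong_line_rejected(void)
{
    static char line[6 + 6 * 1024 + 4];
    size_t n = 0;
    memcpy(line + n, "XTerm.", 6); n += 6;
    for (int i = 0; i < 1024; i++) { memcpy(line + n, "gerbil", 6); n += 6; }
    memcpy(line + n, ": x", 4);              /* 4 bytes includes the NUL */
    resource_t r;
    return parse_resource_line(line, &r) == -1;
}
```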