Re: Xserver stack smashed -- wrapper

Scott A Crosby (crosby@QWE0.MATH.CMU.EDU)
Thu, 15 Jan 1998 02:46:36 -0500

On Wed, 14 Jan 1998, Cotfas Vladimir-Marian wrote:

[snip]

>
> Here's a wrapper for this bug and for the older XF86 security vulnerability
> (i.e. XF86_XX -config /etc/shadow)
>
> Vladimir
>
> ----------------------------cut from here-------------------------------
> /*
> Description: X server wrapper
>
> Goals:
> 1. wrap the "-config" security vulnerability
> 2. wrap the :000000000000...00000000000000009 potential buffer overflow
>

I would add in a check for a singular arg > some maximum length:

It would also be a good idea to clean the environment before invoking
the Xserver. (left as an exercise for the reader)

Scott Crosby

----------------------------cut from here-------------------------------

--- x1.c Thu Jan 15 02:25:26 1998
+++ x2.c Thu Jan 15 02:40:59 1998
@@ -39,6 +39,7 @@
*/
#define _DEBUG
#define SIZE 1024
+#define MAX_LEN 240

/* guaranteed filled with NULLs by UNIX */
char* args[SIZE];
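
Review bot: MAX_LEN is added without a comment saying where 240 comes from or which buffer it is meant to protect. The args array just below carries a one-line comment, so a matching one here would help. Because the check in the second hunk uses ">=", the longest accepted argument is 239 bytes, which is worth stating in that comment.
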
@@ -75,6 +76,11 @@
syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n",
i, pass->pw_name);
i++;
+ continue;
+ }
+ if(strlen(argv[i]) >= MAX_LEN){
+ syslog(LOG_NOTICE, "too long arg at #%d user %s \n", i, pass->pw_name);
+ i++;
continue;
}
if(argsCount >= SIZE){
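
Review bot: the new "strlen(argv[i]) >= MAX_LEN" branch logs and then does "i++; continue;", so an over-long argument is dropped and the loop carries on with the remaining arguments. That changes the command line rather than rejecting it; consider logging and exiting non-zero instead of skipping. The log line could also record the offending length, and both syslog format strings have a stray space before "\n".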
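
The two suggestions in the message above (a per-argument length limit and a cleaned environment), as an added example that is not part of the original post or of the wrapper's source. The allow-list, the fixed PATH, MAX_ENV and the function names are assumptions, and unlike the patch it refuses to start rather than skipping the long argument.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN 240   /* same limit as the patch: 239 bytes is the longest accepted */
#define MAX_ENV 8     /* assumed capacity of the rebuilt environment */

/* Constructed allow-list of variables passed through to the server. */
static const char *const keep[] = { "TERM", "TZ", NULL };

/* Index of the first argument of MAX_LEN bytes or more, or 0 if all fit. */
int first_long_arg(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++)
        if (strlen(argv[i]) >= MAX_LEN)
            return i;
    return 0;
}

/* Build a minimal environment in out[]: a fixed PATH plus the first
   occurrence of each allow-listed variable, if shorter than MAX_LEN.
   Returns the entry count; out[] is NULL-terminated. cap must be >= 2. */
int clean_env(char *const envp[], char *out[], int cap)
{
    int n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (int k = 0; keep[k] != NULL && n < cap - 1; k++) {
        size_t len = strlen(keep[k]);
        for (int e = 0; envp[e] != NULL; e++) {
            if (strncmp(envp[e], keep[k], len) != 0 || envp[e][len] != '=')
                continue;
            if (strlen(envp[e]) < MAX_LEN)  /* over-long values are dropped */
                out[n++] = envp[e];
            break;                          /* first occurrence only */
        }
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[], char *envp[])
{
    char *env[MAX_ENV];
    int bad = first_long_arg(argc, argv);
    if (bad) {
        fprintf(stderr, "argument #%d too long, refusing to start\n", bad);
        return 1;
    }
    clean_env(envp, env, MAX_ENV);
    /* A real wrapper would now call execve(server_path, argv, env). */
    for (int i = 0; env[i] != NULL; i++)
        puts(env[i]);
    return 0;
}
```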