On Sun, Apr 16, 2000 at 06:54:41PM +0200, Michal Zalewski wrote:
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
> matter it's setuid, or called from setuid Xwrapper - works in both cases,
> seems to me Xwrapper in default RH 6.x distro is rather dumb ;)
I don't know what Redhat uses for their Xwrapper, but here's the
code from vanilla XFree3.3.6 (xc/programs/Xserver/os/wrapper.c),
slightly paraphrased:

    #define MAX_ARG_LENGTH 128

    if (!bad && geteuid() == 0 && getuid() != geteuid()) {
        for (i = 1; i < argc; i++) {
            ...
            if (strlen(argv[i]) > MAX_ARG_LENGTH) {
                bad = ArgTooLong;
                break;
            }
            ...
        }
    }

It appears that this vulnerability requires you to have uid 0
in order to exploit it...
Olaf
PS: The current XFree4.0 snapshot comes without Xwrapper, supposedly
because it Does Things Right[TM].
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
[EMAIL PROTECTED] | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
[EMAIL PROTECTED] +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
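
Added example (not part of the original message and not XFree86 source): a stand-alone C sketch of the condition quoted above, with uid and euid passed as parameters instead of being read via getuid()/geteuid(), to show which callers the length limit actually applies to. The function names and the 'A'-filled argument are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_ARG_LENGTH 128          /* limit quoted in the message */

enum arg_verdict { ARGS_OK = 0, ARG_TOO_LONG = 1 };

/* Same guard as the quoted fragment: arguments are length-checked only
 * when the process runs with euid 0 on behalf of a non-root real uid. */
static enum arg_verdict
check_args_as_quoted(uid_t uid, uid_t euid, int argc, char *const argv[])
{
    if (euid == 0 && uid != euid) {
        for (int i = 1; i < argc; i++) {
            if (strlen(argv[i]) > MAX_ARG_LENGTH)
                return ARG_TOO_LONG;
        }
    }
    return ARGS_OK;                 /* check skipped or all args short */
}

/* Hypothetical helper: runs the check on one constructed argument of
 * `len` bytes for the given (assumed) uid/euid pair. */
static enum arg_verdict
demo_verdict(uid_t uid, uid_t euid, size_t len)
{
    static char buf[512];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    char *argv[] = { "Xwrapper", buf, NULL };
    return check_args_as_quoted(uid, euid, 2, argv);
}

int main(void)
{
    /* uid 1000 is a constructed stand-in for an unprivileged user. */
    printf("setuid root, uid 1000, 200 bytes: %d\n", demo_verdict(1000, 0, 200));
    printf("setuid root, uid 1000, 128 bytes: %d\n", demo_verdict(1000, 0, 128));
    printf("real root,   uid 0,    200 bytes: %d\n", demo_verdict(0, 0, 200));
    printf("not setuid,  uid 1000, 200 bytes: %d\n", demo_verdict(1000, 1000, 200));
    return 0;
}
```

Only the first case is rejected: the comparison is a strict "greater than", so a 128-byte argument passes, and a caller whose real uid is already 0 never enters the loop.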