XFree86 4.0.0 does not seem to be vulnerable to this... A look at the
sources also proves it.
Michal Zalewski wrote:
>
> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running the X server (no
> matter whether it's setuid or called from the setuid Xwrapper - it works in
> both cases; it seems to me the Xwrapper in the default RH 6.x distro is rather
> dumb ;) with the -xkbmap parameter and over 2100 'A's (or shellcode; again,
> it's rather trivial to exploit :), you'll get a beautiful overflow with root
> privileges in the main (Xserver) process...
>
> Listen to gdb... Cannot access memory at address 0x41414141.
>
> This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6),
> and:
>
> XFCom_i810 Version 1.0.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6300)
> Release Date: October 13 1999
>
> Btw. while testing this bug, we noticed strange behaviour in some
> drivers. For example, in one case we get a kernel oops, just like that
> (Linux 2.2.14, XFree86 3.3.6 XF86_S3V):
>
> eip: 41414141 eflags: 00013296
> eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
> esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
> Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
> 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
>
> :)
>
> _______________________________________________________
> Michal Zalewski [[EMAIL PROTECTED]] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
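The bug shape Michal describes (an over-long command-line option value copied into a fixed stack buffer in a root-privileged process) is worth seeing next to its fix. The example below is added here and is not part of either post or of the XFree86 sources: option_copy_unsafe() is a hypothetical reconstruction of the vulnerable pattern, option_copy_safe() is its bounded replacement, and the 2048-byte buffer size is an assumption (the report only says that "over 2100" bytes reach the saved return address, which a 2048-byte buffer plus the saved frame would explain). The argument is built from 'A' bytes exactly as in the report, so the unsafe path would land on 0x41414141.

```c
/* overflow_demo.c: illustrative stack-overflow pattern behind an over-long
 * command-line option, and its hardened form. Added example, NOT XFree86 code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size (not taken from the XFree86 sources). The report only
 * says "over 2100 'A's"; a 2048-byte stack buffer plus saved frame fits that. */
#define XKBMAP_BUF 2048

/* Hypothetical vulnerable pattern: the option value is copied with strcpy()
 * and no length check. Only called below when it cannot overflow. */
static void option_copy_unsafe(const char *value)
{
    char map[XKBMAP_BUF];
    strcpy(map, value);   /* writes past map[] when strlen(value) >= XKBMAP_BUF */
    printf("unsafe copy: loaded map %.20s...\n", map);
}

/* Hardened form: find the NUL inside the destination size before copying, and
 * fail closed when the value does not fit. Returns 0 on success, -1 on reject. */
static int option_copy_safe(const char *value, char *out, size_t outsz)
{
    const char *nul;
    size_t n;

    if (outsz == 0)
        return -1;
    nul = memchr(value, '\0', outsz);  /* look no further than outsz bytes */
    if (nul == NULL)
        return -1;                     /* no terminator within bounds: too long */
    n = (size_t)(nul - value);
    memcpy(out, value, n + 1);         /* n bytes plus the NUL, known to fit */
    return 0;
}

/* Build an n-byte value of 'A's, like the "-xkbmap AAAA..." in the report. */
static char *make_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* 1 if an unchecked strcpy() of an n-byte value into XKBMAP_BUF would overflow
 * (the n bytes plus the NUL must fit), else 0. */
int unsafe_overflows(size_t n)
{
    return n + 1 > XKBMAP_BUF;
}

/* 1 if the hardened parser accepts an n-byte value, 0 if it rejects it. */
int safe_accepts(size_t n)
{
    char buf[XKBMAP_BUF];
    char *arg = make_arg(n);
    int rc;

    if (arg == NULL)
        return 0;
    rc = option_copy_safe(arg, buf, sizeof buf);
    free(arg);
    return rc == 0;
}

int main(int argc, char **argv)
{
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 2100;
    char *arg = make_arg(n);

    if (arg == NULL)
        return 1;
    printf("%zu-byte value into a %d-byte buffer: strcpy %s, bounded copy %s\n",
           n, XKBMAP_BUF,
           unsafe_overflows(n) ? "overflows" : "fits",
           safe_accepts(n) ? "accepted" : "rejected");
    /* Exercise the unsafe path only when it is known not to overflow. */
    if (!unsafe_overflows(n))
        option_copy_unsafe(arg);
    free(arg);
    return 0;
}
```

Run it as ./overflow_demo 2100 to see the value the report uses rejected by the bounded copy while the strcpy() form would overflow; ./overflow_demo 2047 shows the boundary where both still fit. The important property of the safe version is that it never touches the destination when the value is too long, so an attacker who controls argv of a setuid binary gets an error, not a return-address overwrite.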