OpenView xlock Heap Overflow Vulnerability
BugTraq ID: 3160
Remote: No
Date Published: 2001-08-10
Relevant URL: http://www.securityfocus.com/bid/3160
Summary:
Xlock is a utility for locking X-windows displays. It is installed setuid root because it uses the user's password to authorize access to the display when it is locked.

The version of xlock that ships with Solaris as part of OpenView contains a heap overflow in its handling of an environment variable. The overflow occurs when an internal string copy copies the value of the 'XFILESEARCHPATH' environment variable to a buffer allocated via malloc(). Because the copy is unbounded and the size of the destination buffer is smaller than 1024 bytes, memory neighboring the buffer in the heap will be overwritten if the length of the environment variable is excessive.

It may be possible for attackers to corrupt malloc chunk headers in the heap in a manner that causes the replacement of an arbitrary dword in memory with an attacker-specified value. An attacker may be able to, for example, overwrite a function return address with a pointer to shellcode when free() is called on a block of memory with a corrupted chunk header. When the target function returns, the shellcode will be executed.

Because xlock is installed setuid root, attackers who successfully exploit this vulnerability can gain complete control over the victim host.

Apache Mod ReWrite Rules Bypassing Image Linking Vulnerability
BugTraq ID: 3176
Remote: Yes
Date Published: 2001-08-12
Relevant URL: http://www.securityfocus.com/bid/3176
Summary:
Apache is a freely available, widely used web server distributed and maintained by the Apache Server Project. A problem has been discovered that may allow remote users to link files and images even if mod_rewrite is used. The problem is likely in the handling of file names by the file system on most UNIX implementations.
mod_rewrite rules are normally used to prevent web servers outside of the local host from linking images and files, preventing increased load on the local host and on its network capacity. A typical mod_rewrite rule looks like the following:

RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
RewriteRule ^/images/.* - [G]

However, when an HTTP GET request for the //images directory is made to the server, it does not match the above rule, thus allowing a user to directly access the image. This could allow for the bypassing of mod_rewrite rules, which may lead to increased server load, increased load on local network resources, and potentially denial of service.

Window Maker Window Title Buffer Overflow Vulnerability
BugTraq ID: 3177
Remote: Yes
Date Published: 2001-08-12
Relevant URL: http://www.securityfocus.com/bid/3177
Summary:
WindowMaker is a window manager for X11 systems. It is often run on desktop systems.

WindowMaker contains a buffer overflow that may be exploitable by remote attackers. The overflow conditions are present when X11 applications are setting the title of their windows. The buffer overflows are due to the use of 'sprintf'. The 'sprintf' libc function allows for the construction of a string based on format specifiers. Unfortunately there is no bounds checking done by 'sprintf'. If the length of the created string exceeds the length of the buffer allocated for it, 'sprintf' will write the excessive data to neighboring memory. There are numerous instances of 'sprintf' usage involving setting the window title, each of which may be exploitable.

Because the application is responsible for setting the window title, this vulnerability can be exploited by malicious X11 programs. This vulnerability can be exploited by remote hosts that are allowed to connect to the X server. On some systems, default configurations permitting any host to connect to the X server may open up the host on which Window Maker is running to remote compromise.
This vulnerability can be exploited by X11 applications which can connect to the X server. Any arbitrary code that is executed will run with the privileges of the window manager, on the system where the window manager is running.
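The xlock entry (BID 3160) and the Window Maker entry (BID 3177) above describe the same defect class: an unbounded copy (strcpy of an environment variable into a fixed malloc()'d buffer, sprintf into a fixed title buffer) that writes past the destination. The following is an added example, not code from xlock, Window Maker or the SecurityFocus summaries, showing the size-checked replacements a maintainer would use for both. The function names, the 1024-byte acceptance limit, the environment variable name XFILESEARCHPATH_EXAMPLE used by the helper, and the sample title are assumptions made for this example.

```c
/* Added example (not xlock, Window Maker or BugTraq code): size-checked
 * replacements for the two unbounded copies described in the advisories.
 * Function names, limits and sample inputs are assumptions. */
#define _POSIX_C_SOURCE 200809L   /* strnlen(), setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest environment value this example accepts. Chosen for illustration;
 * BID 3160 only states the real destination buffer was under 1024 bytes. */
#define ENV_VALUE_MAX 1024

/* Unsafe pattern from BID 3160: strcpy(fixed_malloc_buf, getenv(name)).
 * Safe replacement: measure the value first, reject anything over the
 * limit, and size the allocation to the value itself.
 * Returns a malloc()'d copy, or NULL when unset, too long or out of memory. */
char *copy_env_bounded(const char *name, size_t max_len)
{
    const char *val = getenv(name);
    if (val == NULL)
        return NULL;
    size_t len = strnlen(val, max_len + 1);   /* stop scanning at the limit */
    if (len > max_len)
        return NULL;                          /* oversized: refuse, do not truncate silently */
    char *out = malloc(len + 1);              /* exact fit, including the NUL */
    if (out == NULL)
        return NULL;
    memcpy(out, val, len + 1);
    return out;
}

/* Unsafe pattern from BID 3177: sprintf(fixed_buf, "%s - %s", app, title).
 * snprintf() never writes more than outsz bytes and returns the length the
 * complete string would have had, so a return value >= outsz means the
 * title was cut. Returns 1 when truncated (or on error), 0 otherwise. */
int format_window_title(char *out, size_t outsz, const char *app, const char *title)
{
    int n = snprintf(out, outsz, "%s - %s", app, title);
    if (n < 0) {                       /* encoding error: leave a safe empty string */
        if (outsz > 0)
            out[0] = '\0';
        return 1;
    }
    return (size_t)n >= outsz;
}

/* Test helper: places a constructed value of value_len 'A's in the
 * environment (under an example name, not the real XFILESEARCHPATH) and
 * reports whether copy_env_bounded() accepted it (1), rejected it (0), or
 * could not set it up (-1). */
int env_copy_accepted(size_t value_len, size_t max_len)
{
    char *val = malloc(value_len + 1);
    if (val == NULL)
        return -1;
    memset(val, 'A', value_len);
    val[value_len] = '\0';
    setenv("XFILESEARCHPATH_EXAMPLE", val, 1);
    free(val);
    char *copy = copy_env_bounded("XFILESEARCHPATH_EXAMPLE", max_len);
    int accepted = copy != NULL;
    free(copy);
    return accepted;
}

int main(void)
{
    char title[32];
    int truncated = format_window_title(title, sizeof title, "xterm",
                                        "a title far longer than the buffer allows");
    printf("title=\"%s\" truncated=%d\n", title, truncated);
    printf("env of 100 bytes accepted=%d, env of 4096 bytes accepted=%d\n",
           env_copy_accepted(100, ENV_VALUE_MAX),
           env_copy_accepted(4096, ENV_VALUE_MAX));
    return 0;
}
```

Rejecting an oversized environment value outright, rather than truncating it, is the better choice for a setuid program such as xlock: a silently shortened search path changes which files are opened, whereas a refusal is easy to log and reason about. For the window title, truncation is acceptable, but the caller still needs the return value so that a cut title is not mistaken for the full one.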
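For the Apache entry (BID 3176), the point of failure is that the RewriteRule pattern ^/images/.* is anchored to exactly one leading slash, so a request path beginning with //images never reaches the [G] action. The following is an added example, not Apache code or anything from the advisory, that emulates the two-step RewriteCond/RewriteRule check with POSIX extended regular expressions so the gap can be seen on sample requests, and places a tightened pattern beside the original. The tightened pattern ^/+images/.*, the helper names and the sample referer and paths are this example's assumptions; Apache itself evaluates these patterns with PCRE, but for these particular patterns ERE behaves the same.

```c
/* Added example (not Apache or advisory code): emulates the hotlink check
 * from the RewriteCond/RewriteRule above to show why //images/... bypasses
 * ^/images/.* and how a pattern that absorbs repeated leading slashes
 * closes the gap. The fixed pattern and sample requests are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* RewriteCond pattern from the advisory; the rule negates it with '!', so
 * the block applies only when the referer is NOT our own site. */
#define OWN_SITE_REFERER "^http://www\\.yoursite\\.com.*$"
/* RewriteRule pattern exactly as in the advisory's example rule. */
#define WEAK_IMAGE_RULE  "^/images/.*"
/* Tightened pattern (assumption for this example): one or more slashes. */
#define FIXED_IMAGE_RULE "^/+images/.*"

/* Returns 1 if subject matches the extended regex pattern, 0 if it does
 * not, and -1 if the pattern fails to compile. */
int re_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Emulates "RewriteCond %{HTTP_REFERER} !<own site>" followed by
 * "RewriteRule <image_rule> - [G]". Returns 1 when the server would answer
 * 410 Gone, 0 when the image is served. A missing referer is treated as an
 * empty string, which the negated condition also lets through to the rule. */
int hotlink_blocked(const char *image_rule, const char *referer, const char *path)
{
    const char *ref = referer ? referer : "";
    if (re_matches(OWN_SITE_REFERER, ref) == 1)
        return 0;                       /* condition fails: rule never runs */
    return re_matches(image_rule, path) == 1;
}

int main(void)
{
    /* Constructed sample requests: a normal path and the //images variant. */
    const char *paths[] = { "/images/logo.gif", "//images/logo.gif" };
    const char *referer = "http://www.othersite.example/page.html";
    for (int i = 0; i < 2; i++)
        printf("%-18s weak rule blocks=%d  fixed rule blocks=%d\n", paths[i],
               hotlink_blocked(WEAK_IMAGE_RULE, referer, paths[i]),
               hotlink_blocked(FIXED_IMAGE_RULE, referer, paths[i]));
    return 0;
}
```

The emulation models only the path-matching step the advisory describes; it does not reproduce Apache's full rewrite engine, and a referer check of this kind remains advisory in any case, since the header is supplied by the client.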
