Subject: NetBSD Security Advisory 2000-003
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 05/28/2000 23:44:44
  by mail.netbsd.org with SMTP; 29 May 2000 03:56:28 -0000
	by  orchard.arlington.ma.us (8.8.8/8.8.8) with ESMTP id XAA27818;
	Sun, 28 May 2000 23:56:15 -0400 (EDT)
	by thunk.hamachi.org (8.10.1/8.8.8) with ESMTP id e4T3ijT06403;
	Sun, 28 May 2000 23:44:45 -0400 (EDT)
Message-Id: <200005290344.e4T3ijT06403@thunk.hamachi.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
To: netbsd-announce@netbsd.org
Cc: tech-security@netbsd.org, current-users@netbsd.org,
        bugtraq@securityfocus.com, cert@cert.org, auscert@auscert.org.au
Subject: NetBSD Security Advisory 2000-003
Organization: The NetBSD Foundation, Inc.
Date: Sun, 28 May 2000 23:44:44 -0400

-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-003
                 =================================

Topic:		Exploitable Vulnerability in Xlockmore
Version:	NetBSD pkgsrc prior to 11th May 2000.
Severity:	xlock can be manipulated to print the shadow password information 


Abstract
========

The advisory outlines how xlock can be manipulated to print the shadow
password information even though it drops root privileges before an
overflow occurs.

To quote from the NAI advisory:

"The xlock program locks an X server until a valid password is entered.
The command line option -mode provides a user with a mechanism to 
change the default display shown when the X server is locked. xlock 
is installed with privileges to obtain password information, although 
these are dropped as early as possible. An overflow in the -mode 
command line option allows a malicious attacker to reveal arbitrary 
portions of xlock's address space including the shadow password file."

Technical Details
=================

Again, quoting from the NAI advisory:

"The buffer overflow in xlock is not a traditional overflow since all
privileges have been dropped, the global variables overflowed are in 
the initialized data section (.data) of memory and shellcode is not
used for exploitation.

"Upon initialisation xlock reads the shadow password file to obtain the 
current users password hash then immediately relinquishes privileges.
The password hashes, including those not belonging to the user running 
xlock, are stored in memory and continue to be accessible by xlock.

"When the -mode command line option is specified a strcpy() occurs in
the function checkResources(). The argument to -mode is copied into
a small buffer allocated on the initialized data section (.data) 
called old_default_mode. If an arbitrarily large command line argument 
is specified, numerous global variables in the initialized data 
section will be overrun, including genTable, modeTable, cmdlineTable, 
earlyCmdlineTable, and opDesc.

"When an unknown -mode type is specified, as will occur when a large 
command line option is provided, the program aborts using a function
called Syntax() defined in resources.c. The purpose of the Syntax()
function is to provide information regarding any "bad command line 
options" and then print a complete list of the correct options. 

"The Syntax() function utilizes the global variable opDesc which can be
overwritten via the command line argument to -mode.  The opDesc buffer
is allocated as an array of OptionStruct structures each containing
two character pointers as defined in mode.h.  The first pointer
provides the name of a command line option and the second a
description of the option.

"The Syntax() function walks the array of OptionStruct structures in 
opDesc printing both the name and description of the command line 
options. Overwritting the opDesc buffer with addresses pointing to the 
shadow password file stored in memory results in the Syntax() function 
printing the shadow password file instead of the command line options."


Solutions and Workarounds
=========================

Versions of xlockmore up to, and including, version 4.16 are
vulnerable.  To find out the version of xlockmore installed on your
NetBSD system, you can use pkg_info(1):

	pkg_info -e xlockmore

If you have version 4.16 or lower, you should upgrade to version
4.16.1 of xlockmore, which has been part of the NetBSD packages
collection since 11th May 2000. If xlockmore is not installed on
your system, no output will be generated.

If a vulnerable version of xlockmore is installed, then you can
immediately remove the vulnerability by deleting the package -
as root, type

	pkg_delete -v xlockmore

To upgrade to version 4.16.1 of xlockmore, first make sure that you
have a version of the pkgsrc hierarchy from 11th May 2000 or later. 
(See http://www.netbsd.org/Sites/net.html for ways to obtain NetBSD,
and pkgsrc, its packages collection.)

You can then install the new version of the package:

	cd pkgsrc/x11/xlockmore; make clean; make install

There are also precompiled binary packages of xlockmore-4.16.1 for
some NetBSD ports available from:

ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html

Thanks To
=========

Jim Magdych <Jim_Magdych@NAI.com> Security Research Manager, Network
Associates, Inc, for finding the vulnerability and alerting us, and
David A.  Bagley <bagleyd@bigfoot.com>, the xlock maintainer, who has
provided an offical patch.



Revision History
================

	2000/05/16	original draft.
	2000/05/27	polish for release.


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-003.txt,v 1.3 2000/05/28 02:20:45 sommerfeld Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCUAwUBOTG4Fj5Ru2/4N2IFAQF+3wP44VobthmufU0MYidm/AxL880DOIOfJJC5
Grn/fSwY9gAyrP24SlXNNDmvRinMFexlJR2ZopRyuX+0MFxBKquHdXdaD7qwGRpP
H8HAydMb5bV5+AZGX+achDWPWI9ikYZNM8h7NcujN9gCcmE7M371ordLSj7/em1b
U2Pnr8X+Qw==
=2QWU
-----END PGP SIGNATURE-----