X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability
| Filename: | RISE-2006001.txt (b5d5a13fa6f905fc4cfbc2d8db31b59f) |
| RISE ID: | RISE-2006001 |
| CVE Name: | CVE-2006-4655 |
| Bugtraq ID: | 19905 |
| Published: | Sep 07, 2006 21:26 |
| Updated: | Sep 07, 2006 21:26 |
Introduction
There is a vulnerability in a string manipulation function of the X11R6 X Window System library (X11R6.4 and earlier) which, when properly exploited, can lead to local compromise of the vulnerable system.
This vulnerability was silently fixed in the X11R6.5.1 release, but it is still present in multiple vendors' operating system source trees.
We confirmed this vulnerability on the following versions and operating systems; other versions and operating systems may also be affected.
- Sun Solaris 10 SPARC/x86
- Sun Solaris 9 SPARC/x86
- Sun Solaris 8 SPARC/x86
- SCO UnixWare 7.1.3
Details
This vulnerability can be triggered by invoking a dynamically linked binary with the _XKB_CHARSET environment variable set to a long string value and the DISPLAY environment variable set to an X Window System server with the XKEYBOARD extension enabled.
This is the vulnerable function (from X11R6.4).
```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive compare from X11R6.4: str1 is lower-cased into a
 * fixed 256-byte stack buffer before the real strcmp() is called. */
static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
char *str1, *str2;
#endif
{
    char str[256];
    char c, *s;

    /* No bound check: a str1 longer than 255 bytes overruns str[]. */
    for (s = str; c = *str1++; ) {
        if (isupper(c))
            c = tolower(c);
        *s++ = c;
    }
    *s = '\0';
    return (strcmp(str, str2));
}
```
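As an added example (not code from this advisory or from the X11R6.5.1 fix), a replacement that compares case-insensitively without any intermediate buffer, alongside a length check a caller could apply to an environment-derived value before handing it to the original 256-byte routine. The function names and the make_long_upper helper, which only builds a constructed oversized input, are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hardened replacement: fold str1 to lower case one character at a time
 * while comparing, so no intermediate buffer (and no size limit) exists.
 * Same contract as the X11R6.4 Strcmp(): only str1 is lower-cased. */
int strcmp_lower_safe(const char *str1, const char *str2)
{
    for (;; str1++, str2++) {
        unsigned char c1 = (unsigned char)*str1;
        unsigned char c2 = (unsigned char)*str2;
        if (isupper(c1))
            c1 = (unsigned char)tolower(c1);
        if (c1 != c2 || c1 == '\0')
            return (int)c1 - (int)c2;
    }
}

/* Defensive check for a caller that must keep using the original
 * 256-byte buffer: accept the value only if it fits with its NUL. */
int xkb_charset_fits(const char *value)
{
    size_t n;
    if (value == NULL)
        return 0;
    for (n = 0; n < 256; n++)
        if (value[n] == '\0')
            return 1;
    return 0;
}

/* Hypothetical helper (assumption): builds a constructed input of n
 * upper-case 'A's, standing in for an oversized _XKB_CHARSET value. */
const char *make_long_upper(size_t n)
{
    static char scratch[1024];
    if (n >= sizeof scratch)
        n = sizeof scratch - 1;
    memset(scratch, 'A', n);
    scratch[n] = '\0';
    return scratch;
}
```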
The proof of concept code we have written for this vulnerability can be found in the appendix section of this document.
All source code from this document can also be downloaded from our website: http://www.risesecurity.org/
Vendor
Sun has released patches for this vulnerability; the Sun Alert ID is 102570 and it is available at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1
SCO did not answer our email.
Credits
This vulnerability was discovered by Adriano Lima <adriano@risesecurity.org> and Filipe Balestra <filipe_balestra@hotmail.com>.
Disclaimer
The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.