| Title: | SGI IRIX xlock Buffer Overrun Vulnerability |
| Date Issued: | May 29, 1997 |
| Last Modified: | August 1, 1997 |
| Code: | AA-97.24 |
| Source: | AusCERT |
===========================================================================
AA-97.24                        AUSCERT Advisory
                SGI IRIX xlock Buffer Overrun Vulnerability
                                29 May 1997

Last Revised: 01 August 1997
    Added SGI Security Advisory in Appendix A.
    Changed Section 3 to include vendor patch information.

A complete revision history is at the end of this file.
---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in xlock(1), distributed under IRIX 6.2. Other versions of IRIX may also be vulnerable.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly available.

Vendor patches have been released addressing this vulnerability. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible.

This advisory will be updated as more information becomes available.
---------------------------------------------------------------------------

1. Description

xlock(1) is a program that locks the local X display until a password is entered.

Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the xlock program while it is executing. By supplying a carefully designed argument to the xlock program, intruders may be able to force xlock to execute arbitrary commands. As xlock is setuid root, this may allow intruders to run arbitrary commands with root privileges.

Sites can determine if this program is installed by using:

    % ls -l /usr/bin/X11/xlock

xlock is installed by default in /usr/bin/X11. Sites are encouraged to check for the presence of this program regardless of the version of IRIX installed.

Exploit information involving this vulnerability has been made publicly available.

2. Impact

This vulnerability may allow local users to gain root privileges.

3. Workarounds/Solution

Official vendor patches have been released by Silicon Graphics which address this vulnerability (Section 3.3). If the patches recommended by Silicon Graphics cannot be applied, AUSCERT recommends that sites prevent the exploitation of this vulnerability by immediately applying the workaround given in Section 3.1. To maintain the functionality of xlock, AUSCERT recommends applying the workaround given in Section 3.2.

3.1 Remove setuid and non-root execute permissions

To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends that the setuid permissions be removed from the xlock program immediately. As xlock will no longer work for non-root users, it is recommended that the execute permissions for them also be removed.

    # ls -l /usr/bin/X11/xlock
    -rwsr-xr-x    1 root     sys        95188 Nov 28  1996 /usr/bin/X11/xlock
    # chmod 500 /usr/bin/X11/xlock
    # ls -l /usr/bin/X11/xlock
    -r-x------    1 root     sys        95188 Nov 28  1996 /usr/bin/X11/xlock

3.2 Install wrapper

AUSCERT has developed a wrapper to help prevent programs from being exploited using the vulnerability described in this advisory. Sites which have a C compiler can obtain the source, compile and install the wrapper. Please contact AUSCERT directly if pre-compiled wrapper binaries are required.

The source for the wrapper, including installation instructions, can be found at:

    ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

This wrapper replaces the xlock program and checks the length of the command line arguments which are passed to it. If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without
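As an added illustration of the argument-length check that Section 3.2 describes (this is not AUSCERT's overflow_wrapper.c and is not taken from the advisory), the wrapper below refuses to run when any command line argument is longer than MAXARGLEN and otherwise execs the real binary, which it assumes has been renamed to /usr/bin/X11/xlock.real (a placeholder path; the wrapper itself would be installed in xlock's place with xlock's original permissions):

```c
/* Added example wrapper in the style of Section 3.2; not AUSCERT's code.
 * Assumption: the genuine xlock has been moved to REAL_XLOCK (placeholder)
 * and this program now sits at /usr/bin/X11/xlock with xlock's old mode. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_XLOCK "/usr/bin/X11/xlock.real" /* assumed path of the renamed binary */
#define MAXARGLEN  1024                      /* longest argument we will pass on */

/* Return 1 when every argument is at most maxlen bytes (and non-NULL),
 * 0 otherwise. Nothing reaches the real program until this passes. */
int args_ok(int argc, char **argv, size_t maxlen)
{
    for (int i = 0; i < argc; i++) {
        if (argv[i] == NULL)
            return 0;                 /* malformed argv: refuse rather than guess */
        if (strlen(argv[i]) > maxlen)
            return 0;                 /* over the limit: refuse the whole invocation */
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (!args_ok(argc, argv, MAXARGLEN)) {
        fprintf(stderr, "xlock wrapper: argument longer than %d bytes, not running\n",
                MAXARGLEN);
        return 1;
    }
    /* argv is handed over unchanged so the real xlock sees a normal call. */
    execv(REAL_XLOCK, argv);
    perror("execv " REAL_XLOCK);      /* only reached if the exec itself failed */
    return 1;
}
```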