xorl %eax, %eax

CVE-2011-0465: X.Org xrdb Hostname Remote Command Injection


A user able to connect to a system using XDMCP, or to change its hostname (for example via DHCP, as Secunia's advisory suggested), can execute arbitrary commands on the system with the privileges of the user running the X server (in most cases root).

So, this vulnerability was reported by Sebastian Krahmer (aka stealth) of the SUSE security team. The buggy code is part of the xrdb utility. Since this is a single C source file (xrdb.c), we can easily locate the bug in the following code…

/* Appends s to the growable buffer arg, enlarging it by CHUNK_SIZE
 * when needed. The value is copied verbatim: nothing is escaped. */
static void
addstring(String *arg, const char *s)
{
    if (arg->used + strlen(s) + 1 >= arg->room) {
        if (arg->val)
            arg->val = (char *)realloc(arg->val, arg->room + CHUNK_SIZE);
        else
            arg->val = (char *)malloc(arg->room + CHUNK_SIZE);
        if (arg->val == NULL)
            fatal("%s: Not enough memory\n", ProgramName);
        arg->room += CHUNK_SIZE;
    }
    if (arg->used)
        strcat(arg->val, s);
    else
        strcpy(arg->val, s);
    arg->used += strlen(s);
}

This is the function used to parse the command arguments. As you can clearly see, there is no sanitization against special shell escape characters, which an attacker could use to inject arbitrary shell commands.
To fix this, two new C functions were added that check for the special characters that could be used for shell command injection.

/* For values that end up inside double quotes on the command line:
 * the characters the shell still interprets there are replaced by '_'.
 * Note the fixed 512-byte copy: input beyond 511 bytes is truncated. */
static void
addescapedstring(String *arg, const char *s)
{
    char copy[512], *c;

    for (c = copy; *s && c < &copy[sizeof(copy)-1]; s++) {
        switch (*s) {
        case '"':       case '\'':      case '`':
        case '$':       case '\\':
            *c++ = '_';
            break;
        default:
            *c++ = *s;
        }
    }
    *c = 0;
    addstring (arg, copy);
}

/* For bare tokens: only letters, digits and '_' survive
 * (isalpha()/isdigit() come from <ctype.h>). */
static void
addtokstring(String *arg, const char *s)
{
    char copy[512], *c;

    for (c = copy; *s && c < &copy[sizeof(copy)-1]; s++) {
        if (!isalpha(*s) && !isdigit(*s) && *s != '_')
            *c++ = '_';
        else
            *c++ = *s;
    }
    *c = 0;
    addstring (arg, copy);
}

So, the vulnerable calls to addstring() were replaced with calls to the sanitizing wrappers shown above. You can review the complete patch here.
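The two sanitizers in a stand-alone, runnable form, as an added example rather than xrdb's own code: it re-declares the String buffer, rebuilds the quoted define a hostname ends up in (the define name HOST is an assumption here), and makes the 511-byte truncation of the fixed-size copy visible.

```c
/* Added example, not xrdb's code: stand-alone model of the CVE-2011-0465 fix.
 * String and CHUNK_SIZE are re-declared so this file compiles on its own. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define CHUNK_SIZE 4096
typedef struct { char *val; size_t used, room; } String;

/* Grow-and-append buffer; unlike the original it grows until s fits. */
static void addstring(String *arg, const char *s)
{
    size_t len = strlen(s), need = arg->used + len + 1;
    if (need > arg->room) {
        while (arg->room < need) arg->room += CHUNK_SIZE;
        if (!(arg->val = realloc(arg->val, arg->room))) exit(1);
    }
    memcpy(arg->val + arg->used, s, len + 1);   /* copies the NUL too */
    arg->used += len;
}

/* Patch rule for a value placed inside "..." on the cpp command line: the five
 * characters the shell interprets there become '_'. Bytes past 511 are dropped. */
static void addescapedstring(String *arg, const char *s)
{
    char copy[512], *c;
    for (c = copy; *s && c < &copy[sizeof(copy) - 1]; s++)
        *c++ = strchr("\"'`$\\", *s) ? '_' : *s;
    *c = '\0';
    addstring(arg, copy);
}

/* Stricter rule for an unquoted token: only [A-Za-z0-9_] survives. */
static void addtokstring(String *arg, const char *s)
{
    char copy[512], *c;
    for (c = copy; *s && c < &copy[sizeof(copy) - 1]; s++)
        *c++ = (isalnum((unsigned char)*s) || *s == '_') ? *s : '_';
    *c = '\0';
    addstring(arg, copy);
}

/* -DHOST="..." as a hostname reaches cpp after the fix (HOST assumed); caller frees. */
char *host_define(const char *hostname)
{
    String cmd = { NULL, 0, 0 };
    addstring(&cmd, "-DHOST=\"");
    addescapedstring(&cmd, hostname);
    addstring(&cmd, "\"");
    return cmd.val;
}
```

A hostname carrying backticks or `$` is still accepted, but only as underscores, so the quoted define stays a plain string for the shell.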

Written by xorl

May 9, 2011 at 20:10

Posted in bugs
