Back in June when I was fooling around with some
programs I was writing, I found a serious buffer overflow in
WindowMaker 0.60.0 and 0.52, but I assume previous versions
are vulnerable as well. By replacing argv[0] of a program
with a string longer than 249 characters, it is possible to
overflow one of the program's buffers, causing it, and
possibly X as well, to crash. It is assumed this can be
exploited remotely if you run an insecure X server. By
default some distributions of Linux like RedHat come with X
configured to allow everyone in the outside world access to
your X-server. Anyway, here is the guilty section of code,
from wdefaults.c:
...
char buffer[256];
...
...
if (class && instance)
    key1 = PLMakeString(strcat(strcat(strcpy(buffer,instance),"."),class));
else
The problem is obvious. But it gets worse. That line of code
occurs more than once in WindowMaker, and besides that there
are several other overflows possible by using long program
names. To see if you're vulnerable, fire up WindowMaker and in
an xterm window or whatever try:
doexec xbill `perl -e'print "A" x 250;'`
That will replace argv[0] with 250 A's. Doexec is a program
that comes installed by default on RedHat systems; all it
does is replace argv[x] values. I used it because it's the
easiest way to illustrate the problem. Unfortunately the
problem gets even more complicated. While I tried to figure
out a fix for the problem, I started getting crashes from
LibPropList. Apparently that too is full of bad programming,
because PLMakeString() overflows when it receives
large strings, over 256 characters in length I think. I
discovered this over 2 months ago so I may have left
something out. WindowMaker 0.60.0 has some sort of thing
going that catches crashes but it may still be exploitable,
you'll have to try it to see what I mean. Version 0.52 is
definitely exploitable. If you wanna get more details, just
start windowmaker from gdb and watch it go bye-bye.
-Stan Bubrouski
[EMAIL PROTECTED]
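As an added example, not WindowMaker's or the poster's code: the quoted strcpy/strcat pattern from wdefaults.c beside a bounded rewrite that refuses to build an "instance.class" key that would not fit in the 256-byte buffer. The function names, the helper, and the "XTerm" class string are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define KEYBUF 256   /* same size as the buffer quoted from wdefaults.c */

/* Mirrors the quoted pattern: no length check at all. An instance
 * (argv[0]) or class longer than the buffer overflows it. Kept only
 * for comparison; never called here with long input. */
static char *make_key_unchecked(char *buffer, const char *instance,
                                const char *class)
{
    return strcat(strcat(strcpy(buffer, instance), "."), class);
}

/* Bounded form: snprintf never writes past buflen bytes and reports
 * the length it would have needed, so truncation is detectable.
 * Returns 0 on success, -1 if "instance.class" does not fit. */
static int make_key_bounded(char *buffer, size_t buflen,
                            const char *instance, const char *class)
{
    int n = snprintf(buffer, buflen, "%s.%s", instance, class);
    if (n < 0 || (size_t)n >= buflen) {
        buffer[0] = '\0';       /* do not hand back a partial key */
        return -1;
    }
    return 0;
}

/* Helper (hypothetical): does an instance of `len` 'A' characters,
 * like the doexec test in the post, still fit with class "XTerm"? */
static int instance_of_length_fits(size_t len)
{
    char name[1024];            /* constructed instance name */
    char buffer[KEYBUF];
    if (len >= sizeof name)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return make_key_bounded(buffer, sizeof buffer, name, "XTerm");
}

int main(void)
{
    char buffer[KEYBUF];
    printf("unchecked: %s\n", make_key_unchecked(buffer, "xterm", "XTerm"));
    printf("249 A's fit: %d\n", instance_of_length_fits(249));
    printf("250 A's fit: %d\n", instance_of_length_fits(250));
    return 0;
}
```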