• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: xlockmore User Supplied Format String Vulnerability

Severity: MODERATE

Description:

A vulnerability exists in versions of the xlockmore program, originally written by David Bagley. It is believed to affect all versions of xlock derived from xlockmore. This includes the xlock shipped with a number of popular operating systems.

Xlock is installed setuid root. Normally, the -d option to xlock is used to set the display it will be locking. This value is normally of the format hostname:portoffset, ie. x.host.com:0, to connect to the X server runnign on x.host.com, listening on port 6000. By supplying format strings in this value, it is possible to cause xlock to output numeric values. Using other format strings, it may be possible for an attacker to overwrite values on the stack. This may make it possible to execute arbitrary code with root privileges.

While several vulnerable operating systems have been listed, this list is by no means complete.

It has been reported that this vulnerability exists only in systems with versions of xlock that use the error() call. (it is also unverified whether the bug is in libc or xlib).

Affected Products:

• David Bagley xlock 4.16.0
• David Bagley xlock 4.16.1
• Debian Linux 2.1.0
• Debian Linux 2.1.0 68k
• Debian Linux 2.1.0 alpha
• Debian Linux 2.1.0 sparc
• Debian Linux 2.2.0
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• MandrakeSoft Linux Mandrake 6.1.0
• MandrakeSoft Linux Mandrake 7.0.0
• NetBSD NetBSD 1.4.0 Alpha
• NetBSD NetBSD 1.4.0 SPARC
• NetBSD NetBSD 1.4.0 x86
• NetBSD NetBSD 1.4.1 Alpha
• NetBSD NetBSD 1.4.1 SPARC
• NetBSD NetBSD 1.4.1 x86
• NetBSD NetBSD 1.4.2 Alpha
• NetBSD NetBSD 1.4.2 SPARC
• NetBSD NetBSD 1.4.2 x86
• RedHat Linux 6.0.0
• RedHat Linux 6.0.0 alpha
• RedHat Linux 6.0.0 sparc
• RedHat Linux 6.1.0 alpha
• RedHat Linux 6.1.0 i386
• RedHat Linux 6.1.0 sparc
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• Turbolinux Turbolinux 6.0.0
• Turbolinux Turbolinux 6.0.1
• Turbolinux Turbolinux 6.0.2
• Turbolinux Turbolinux 6.0.3
• Turbolinux Turbolinux 6.0.4

References:

• FreeBSD: FreeBSD Security Information
• OpenBSD: OpenBSD Security Information

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.