J-Security Center

Title: Solaris xlock Heap Overflow Vulnerability

Severity: MODERATE

Description:

xlock is a utility for locking X Window System displays. It is installed setuid root because it must read the system password database to verify the user's password before it will unlock the display.

The version of xlock that ships with Solaris as part of OpenWindows contains a heap overflow in its handling of the XFILESEARCHPATH environment variable.

The overflow occurs when an internal string copy copies the value of the XFILESEARCHPATH environment variable into a buffer allocated with malloc(). The copy is unbounded and the destination buffer is smaller than 1024 bytes, so a value longer than the buffer overwrites whatever lies next to it in the heap. The variable is inherited from the environment of the user who runs xlock, so an unprivileged local user controls both its contents and its length.
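
The following is an added illustration of the copy pattern described above and of a hardened replacement; it is not xlock's source and not Juniper's code. The buffer size (256 bytes), the function names and the sample path value are assumptions chosen for the example, since the advisory only states that the real buffer is smaller than 1024 bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical destination size; the advisory only says it is under 1024. */
#define PATH_BUF_SIZE 256

/* The pattern the advisory describes: an unbounded strcpy() of an
   environment variable into a fixed-size heap buffer. A value longer than
   PATH_BUF_SIZE - 1 bytes overruns the allocation into the next chunk. */
char *copy_search_path_unsafe(const char *value)
{
    char *buf = malloc(PATH_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, value);               /* no bound: heap overflow */
    return buf;
}

/* Hardened form: locate the terminator within the cap before touching the
   heap, refuse anything longer, and copy exactly the measured bytes.
   Returns NULL on rejection or allocation failure; *rejected tells which. */
char *copy_search_path_safe(const char *value, int *rejected)
{
    const char *nul;
    size_t len;
    char *buf;

    *rejected = 0;
    if (value == NULL)                /* variable not set: treat as empty */
        value = "";
    nul = memchr(value, '\0', PATH_BUF_SIZE);   /* scans at most the cap */
    if (nul == NULL) {
        *rejected = 1;                /* too long: fail closed */
        return NULL;
    }
    len = (size_t)(nul - value);
    buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, value, len + 1);      /* bounded copy including the NUL */
    return buf;
}

/* Self-checks with constructed inputs, usable as a regression test. */
int safe_copy_accepts_short(void)
{
    int rejected;
    const char *v = "/usr/openwin/lib/%T/%N%S";   /* constructed sample value */
    char *p = copy_search_path_safe(v, &rejected);
    int ok = p != NULL && !rejected && strcmp(p, v) == 0;
    free(p);
    return ok;
}

int safe_copy_rejects_overlong(void)
{
    int rejected;
    char big[4096];                   /* constructed: far past the cap */
    char *p;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    p = copy_search_path_safe(big, &rejected);
    free(p);                          /* free(NULL) is a no-op */
    return p == NULL && rejected == 1;
}

/* Stand-alone use: apply the safe copy to the real variable, if set. */
int main(void)
{
    int rejected;
    char *p = copy_search_path_safe(getenv("XFILESEARCHPATH"), &rejected);
    if (rejected)
        fprintf(stderr, "XFILESEARCHPATH longer than %d bytes; ignored\n",
                PATH_BUF_SIZE - 1);
    else
        printf("search path: '%s'\n", p ? p : "");
    free(p);
    return 0;
}
```

The point of the hardened version is that the length check happens before any heap write and that the decision on an overlong value is an explicit rejection rather than silent truncation, which for a setuid program is the safer default.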

Because the data written past the buffer lands on the headers of neighbouring malloc chunks, an attacker who controls it may be able to forge those headers so that a later free() on the corrupted chunk writes an attacker-chosen dword to an attacker-chosen address. For example, a saved function return address could be replaced with a pointer to shellcode; when that function returns, the shellcode executes with xlock's privileges.
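
As an added illustration of the write primitive described above, the model below runs the whole chain on a toy allocator: an overlong copy spills into the next chunk's header, and the unlink step a free() would perform then stores an attacker-chosen value at an attacker-chosen address. This is constructed example code, not the Solaris libc allocator of the affected releases and not an exploit for xlock; the chunk layout, the 32-byte buffer, and the fd/bk unlink are assumptions modelled on the doubly-linked free lists common in allocators of that era, and the writes are pointer-sized rather than 32-bit dwords.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy free-list chunk header (assumed layout, not any real allocator's). */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next chunk on the free list */
    struct chunk *bk;   /* previous chunk on the free list */
};

/* A heap region as the advisory describes it: a small buffer filled by an
   unbounded copy, immediately followed by a neighbouring chunk's header. */
struct region {
    char buf[32];
    struct chunk next;
};

/* The unlink step an allocator runs when a free chunk leaves the list,
   e.g. while coalescing in free(). Logically this is
       f->bk = b;   b->fd = f;
   written with memcpy so the model behaves the same under any optimiser. */
static void toy_unlink(struct chunk *c)
{
    struct chunk *f = c->fd;
    struct chunk *b = c->bk;
    memcpy((char *)f + offsetof(struct chunk, bk), &b, sizeof b);
    memcpy((char *)b + offsetof(struct chunk, fd), &f, sizeof f);
}

/* Build the overlong value: 32 bytes of filler to fill buf, then a forged
   header whose fd points just below `target` (so f->bk lands on target) and
   whose bk is the value to plant there. */
static size_t build_payload(unsigned char *out, uintptr_t target, uintptr_t plant)
{
    struct chunk forged;
    memset(out, 'A', 32);
    forged.size = 0;
    forged.fd = (struct chunk *)(target - offsetof(struct chunk, bk));
    forged.bk = (struct chunk *)plant;
    memcpy(out + 32, &forged, sizeof forged);
    return 32 + sizeof forged;
}

/* Run the chain: overflow the buffer, then "free" the neighbour. Returns 1
   if the stand-in return address now holds the planted pointer. The planted
   value must itself be a writable address, because the second unlink write
   lands at plant + offsetof(fd); here it is a buffer standing in for
   shellcode, which real payloads cope with by jumping over those bytes. */
int simulate_unlink_write(void)
{
    static uintptr_t fake_shellcode[8];      /* stands in for shellcode */
    volatile uintptr_t saved_ret = 0xdeadbeef; /* stands in for a return address */
    struct region r;
    unsigned char payload[sizeof r];
    size_t n;

    memset(&r, 0, sizeof r);
    n = build_payload(payload, (uintptr_t)&saved_ret, (uintptr_t)fake_shellcode);
    memcpy(&r, payload, n);        /* the unbounded copy overrunning buf */
    toy_unlink(&r.next);           /* what free() does with the forged header */
    return saved_ret == (uintptr_t)fake_shellcode;
}
```

The model makes the two properties that matter visible: the attacker never writes to the target directly, only to a header that the allocator later trusts, and the primitive costs a second, collateral write next to the planted value, which is why a real payload must tolerate it.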

Because xlock is installed setuid root, a local attacker who successfully exploits this vulnerability gains root privileges and thus complete control of the host.

Affected Products:

  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
  • Sun Solaris 8
  • Sun Solaris 8_x86

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.