X.Org security advisory: multiple vulnerabilities in the X server

Matthieu Herrb matthieu.herrb at laas.fr
Thu Jan 17 06:05:34 PST 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, January 17th, 2008
Multiple vulnerabilities in the X server
CVE IDs: CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428,
         CVE-2007-6429, CVE-2008-0006

Overview

Several vulnerabilities have been identified in server code of the X
window system caused by lack of proper input validation on user
controlled data in various parts of the software, causing various
kinds of overflows.


Impact

Exploiting these overflows will crash the X server or,
under certain circumstances allow the execution of arbitray machine code.

When the X server is running with root privileges (which is the case
for the Xorg server and for most kdrive based servers), these
vulnerabilities can thus also be used to raise privileges.

All these vulnerabilities, to be exploited succesfully, require either
an already established connection to a running X server (and normally
running X servers are only accepting authenticated connections), or a
shell access with a valid user on the machine where the vulnerable
server is installed.


Affected versions

All released X.Org versions are vulnerable to these problems. Other
implementations derived from the X11 sample implementation are likely
to be affected too.


Vulnerabilities details

 * CVE-2007-5760 - XFree86 Misc extension out of bounds array index

The vulnerability exists in the code responsible for processing
PassMessage requests. The handler for this request takes a 32-bit value
from the client's request, and uses it as an index into an array of
structures. The structure obtained contains an array of function
pointers, and one of them is dereferenced later in the request. By
supplying a large array index, an arbitrary function pointer can be
dereferenced.

 * CVE-2007-5958 - File existence disclosure

By looking at the error messages returned when supplying an arbitrary
file or directory in the "X :1 -sp <file>" command, a malicious user
can identify the existence of files and directories in access
restricted directories.  If the user receives a "error opening
security policy file <file>" the file/directory is not present on the
system.  However, if a "<file>: invalid security policy file version,
ignoring file" error message is returned, the file/directory is
present on the system.

 * CVE-2007-6427 - Xinput extension memory corruption

The vulnerable code exists in multiple functions in the XInput
extension, and occurs when swapping the byte order of client requests.
By claiming to be sending integer data in the opposite byte order of
the server, the client can cause the server to swap the byte order of a
request. The number of bytes swapped can be controlled by the client,
and is not properly validated by the server. This results in the
corruption of heap memory located after the client's request data.

 * CVE-2007-6428 - TOG-cup extension memory corruption

The vulnerable code exists within the ProcGetReservedColormapEntries()
function in the TOG-CUP extension. A 32-bit client supplied value is
taken directly from the request, and then used as an index into an
array. The value located at this index is then stored into a buffer
which is later sent to the client. This allows a client to read memory
from arbitrary locations in server memory.

 * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows

The MIT-SHM extension vulnerability exists in the code responsible
for creating a pixmap in shared memory. When allocating the pixmap,
the server uses values from the request to verify that the requested
size is not greater than the allocated shared memory. The calculation
can overflow, which leads to the overwriting of arbitrary addresses in
memory that aren't part of the shared memory segment.

The EVI extension vulnerability exists in the code responsible for
processing the GetVisualInfo request. When processing this request,
the server uses a 32-bit value provided by the client in an arithmetic
operation that calculates the number of bytes to allocate for a
dynamic buffer. This operation can overflow, which later leads to the
buffer being overflowed.

 * CVE-2008-0006 - PCF Font parser buffer overflow

There is a buffer overrun vulnerability in the X server process, which
may crash the X server or arbitrary code may be executed with the X
server privileges.

This issue can be exploited using a crafted PCF font, where the
difference between "last col" and "first col" of PCF_BDF_ENCODINGS
table, is more than 255.  When the server opens this font, the buffer
overrun occurs.

This vulnerability is also referenced as CERT VU#203220.


Workarounds

For the Xorg server, CVE-2007-5760, CVE-2007-6428 and CVE-2007-6429
can be avoided by disabling the corresponding extensions (at the cost
of losing the functionalities offered by these extensions) in the
/etc/X11/xorg.conf configuration file:

Section "Module"
        SubSection "extmod"
                Option "omit Extended-Visual-Information"
                Option "omit MIT-SHM"
                Option "omit TOG-CUP"
                Option "omit XFree86-Misc"
        EndSubSection
EndSection

If the X server is not installed setuid, CVE-2007-5958 has no
impact.

There is no simple workaround for CVE-2007-6427 and CVE-2008-0006
since they appear in code that cannot be disabled in the X server.


Fixes

A fix for these vulnerabilities will be included in Xorg xserver
1.4.1. Patch for xserver 1.2 and 1.4 (which should also apply without too
much trouble to previous versions is available:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.2/patches/xorg-xserver-1.2-multiple-overflows.diff

MD5: 238affb8697e6f095dbb6fe66ceb7873
xorg-xserver-1.2-multiple-overflows.diff
SHA1: 6df37147742fcdf429cc980f1a528f1c888efdcb
xorg-xserver-1.2-multiple-overflows.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows.diff

MD5: 7aadd3ead8c3bd098413fef91af7d35f
xorg-xserver-1.4-multiple-overflows.diff
SHA1: b3c9013aa6abc30fabd8f6a85e427f5fd6e6ef6c
xorg-xserver-1.4-multiple-overflows.diff

For CVE-2008-0006 the following patch for libXfont is also needed:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-libXfont-1.3.1-pcf-parser.diff

MD5: f6ea1bae4c5fb279e679fece589eaab6 xorg-libXfont-1.3.1-pcf-parser.diff
SHA1: 1d7a07ddb2efa8b56b51c7fad58b7e8e17c6421c
xorg-libXfont-1.3.1-pcf-parser.diff


Credits

Vulnerabilities described by CVE-2007-5760, CVE-2007-6427,
CVE-2007-6428 and CVE-2007-6429 were reported to iDefense Labs by
regenrecht.

CVE-2008-0006 was reported by to CERT/CC by Takuya Shiozaki,
tshiozak at bsdclub.org member of CodeBlog (http://www.codeblog.org/)

The reporter of CVE-2007-5859 wishes to remain anonymous.
- --
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iQCVAwUBR49grnKGCS6JWssnAQI/UQP+NJUCbvvof55Z5WP+zB0giIffUW8tHrSK
cgqjF0gePyGnUiLoz8WTg3M6rbZH0/2mgsEvg8ldJZyaWDk6QakWhSzdqoS3MY9F
zo1pbX3XUplCKnjaWO+NPGJsfKEz4zRGxLdabBQ7CoYFuogl41Cjgi/j7NhBo4fw
i6uToK+7HHM=
=rTV5
-----END PGP SIGNATURE-----

More information about the xorg-announce mailing list