Attachment 12942 Details for Bug 13522 – Draft advisory

Draft advisory

pub_Multiple Vendor X Server XInput Extension Memory Corruption Vulnerability.txt (text/plain), 4.39 KB, created by Matthieu Herrb on 2007-12-04 12:59:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Matthieu Herrb

Created: 2007-12-04 12:59:11 UTC

Size: 4.39 KB

patch

obsolete

>iDefense Security Advisory XX.XX.XX
>http://labs.idefense.com/intelligence/vulnerabilities/
>MMM DD, YYYY
>
>I. BACKGROUND
>
>The X Window System (or X11) is a graphical windowing system used on
>Unix-like systems. It is based on a client/server model. More
>information about about The X Window system is available at the
>following URL.
>
>http://en.wikipedia.org/wiki/X_Window_System
>
>II. DESCRIPTION
>
>Local exploitation of a memory corruption vulnerability in the X.Org X
>server, as included in various vendors' operating system distributions,
>could allow an attacker to execute arbitrary code with the privileges of
>the X server, typically root.
>
>
>The vulnerable code exists within multiple functions in the XInput
>extension, and occurs when swapping the byte order of client requests.
>By claiming to be sending integer data in the opposite byte order of
>the server, the client can cause the server to swap the byte order of a
>request. The number of bytes swapped can be controlled by the client,
>and is not properly validated by the server. This results in the
>corruption of heap memory located after the client's request data.
>
>The vulnerable code is shown below:
>
>From Xi/chgkmap.c:SProcXChangeDeviceKeyMapping()
>
>87  REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
>
>88  p = (long *)&stuff[1];
>
>89  count = stuff->keyCodes * stuff->keySymsPerKeyCode;
>
>90  for (i = 0; i < count; i++) {
>
>91   swapl(p, n);
>
>92   p++;
>
>93  }
>
>On line 89, the count value is calculated by multiplying two values
>taken directly from the client request. The for loop then proceeds to
>swap the byte order of the request data, and eventually of other heap
>memory as well.
>
>Duplicate vulnerabilities are also found in the following functions:
>
>Xi/chgprop.c, SProcXChangeDeviceDontPropagateList()
>
>Xi/grabdev.c, SProcXGrabDevice()
>
>Xi/grabdevb.c, SProcXGrabDeviceButton()
>
>Xi/grabdevk.c, SProcXGrabDeviceKey()
>
>Xi/selectev.c, SProcXSelectExtensionEvent()
>
>Xi/sendexev.c, SProcXSendExtensionEvent()
>
>III. ANALYSIS
>
>Exploitation allows an attacker to execute arbitrary code with root
>privileges. In order to exploit this vulnerability, an attacker must be
>able to send commands to an affected X server. This typically requires
>access to the console or access to the same account as a user who is on
>the console. One method of gaining the required access is to remotely
>exploit a vulnerability in, for example, a graphical web browser. This
>would then allow an attacker to exploit this vulnerability and elevate
>their privileges to root.
>
>If an X Server is configured to listen for TCP based client connections,
>and a client is granted access to create sessions (via the xhosts file),
>then the vulnerability can be exploited remotely.
>
>IV. DETECTION
>
>iDefense has confirmed the existence of this vulnerability in X.org X11
>version R7.3. Previous versions may also be affected.
>
>V. WORKAROUND
>
>iDefense is currently unaware of any workarounds for this issue. The
>XInput extension is normally compiled into the X Server; as such, it's
>not possible to disable it from being loaded in the configuration file.
>
>VI. VENDOR RESPONSE
>
>iDefense is currently working with the vendor to address this issue.
>Since there is no vendor fix at this time, please handle this
>information with sensitivity.
>
>VII. CVE INFORMATION
>
>A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
>been assigned yet.
>
>VIII. DISCLOSURE TIMELINE
>
>XX/XX/XXXX  Initial vendor notification
>
>IX. CREDIT
>
>This vulnerability was reported to iDefense by regenrecht.
>
>Get paid for vulnerability research
>http://labs.idefense.com/methodology/vulnerability/vcp.php
>
>Free tools, research and upcoming events
>http://labs.idefense.com/
>
>X. LEGAL NOTICES
>
>Copyright © 2007 iDefense, Inc.
>
>Permission is granted for the redistribution of this alert
>electronically. It may not be edited in any way without the express
>written consent of iDefense. If you wish to reprint the whole or any
>part of this alert in any other medium other than electronically,
>please e-mail customerservice@idefense.com for permission.
>
>Disclaimer: The information in the advisory is believed to be accurate
>at the time of publishing based on currently available information. Use
>of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
>author nor the publisher accepts any liability for any direct,
>indirect, or consequential loss or damage arising from use of, or
>reliance on, this information.

Actions: View

Attachments on bug 13522: 12942 | 13025 | 13095 | 13246

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.