iDefense Security Advisory XX.XX.XX
http://labs.idefense.com/intelligence/vulnerabilities/
MMM DD, YYYY

I. BACKGROUND

The X Window System (or X11) is a graphical windowing system used on
Unix-like systems. It is based on a client/server model. More
information about about The X Window system is available at the
following URL.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of an information disclosure vulnerability in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to gain access to sensitive
information stored in server memory.

The vulnerable code exists within the ProcGetReservedColormapEntries()
function in the TOG-CUP extension. A 32-bit client supplied value is
taken directly from the request, and then used as an index into an
array. The value located at this index is then stored into a buffer
which is later sent to the client. This allows a client to read memory
from arbitrary locations in server memory.

The vulnerable code is shown below:

From Xext/cup.c:ProcGetReservedColormapEntries()

200  citems[CUP_BLACK_PIXEL].pixel =

201   screenInfo.screens[stuff->screen]->blackPixel;

202  citems[CUP_WHITE_PIXEL].pixel =

203   screenInfo.screens[stuff->screen]->whitePixel;

...

214  for (n = 0, cptr = citems; n < NUM_DESKTOP_COLORS; n++, cptr++) {

215   if (client->swapped) SwapColorItem (cptr);

216   WriteToClient (client, SIZEOF(xColorItem), (char *)cptr);

217  }

On lines 201 and 203, the stuff->screen value (taken from the client),
is used as an array index in the screenInfo.screens array. The value
read is then stored into the citems array. In the for loop below, the
citems array is sent to the client.

III. ANALYSIS

Exploitation allows an attacker to read arbitrary memory within the X
Server's address space. By itself, the impact of this vulnerability is
minimal. However, when coupled with a code execution vulnerability,
this vulnerability can be used to greatly increase the reliability of
an exploit. Additionally, this vulnerability can be used to crash the
server. If the server automatically restarts, this can be useful since
it resets the state of the server to a known state.

If an X Server is configured to listen for TCP based client connections,
and a client is granted access to create sessions (via the xhosts file),
then the vulnerability can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in X.org X11
version R7.3. Previous versions may also be affected.

V. WORKAROUND

If the TOG-CUP extension has not been built-in to the server, then it
can be prevented from loading by inserting the following into the X
configuration file (usually in /etc/X11/xorg.conf):

Section "Module"

        SubSection "extmod"

                Option "omit TOG-CUP"

        EndSubSection

EndSection

To check if the extension is built-in to the server, grep the output of
the X Server log file:

grep built-in /var/log/Xorg.0.log

The result will list all built in extensions. The location of the log
file may need to be changed.

VI. VENDOR RESPONSE

iDefense is currently working with the vendor to address this issue.
Since there is no vendor fix at this time, please handle this
information with sensitivity.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

XX/XX/XXXX  Initial vendor notification

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.