Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/
Vulnerable Systems:
* X server 1.4 included with X.org X11R7.3
MIT-SHM Extension Information Disclosure Vulnerability
Local exploitation of an information disclosure vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to gain access to sensitive information stored in server memory.
The vulnerability exists when creating a Pixmap in the fbShmPutImage() function. The width and height of the Pixmap, which are controlled by the client, are not validated to ensure that the Pixmap they define lies within the bounds of the shared memory segment. This allows an attacker to read arbitrary areas of memory in the X server process.
Analysis:
Exploitation allows an attacker to read arbitrary memory within the X Server's address space. By itself, the impact of this vulnerability is minimal. However, when coupled with a code execution vulnerability, this vulnerability can be used to greatly increase the reliability of an exploit. Additionally, this vulnerability can be used to crash the server. If the server automatically restarts, this can be useful since it resets the state of the server to a known state.
If an X server is configured to listen for TCP-based client connections, and a client host is granted access to connect (via the server's host access list, managed with xhost), then the vulnerability can be exploited remotely.
Workaround:
Access to the vulnerable code can be blocked by stopping the X server from loading the MIT-SHM extension. However, doing so may impair the functionality of the server for clients that rely on shared-memory images. Adding the following lines to the X configuration file (xorg.conf) disables the MIT-SHM extension:
Section "Extensions"
    Option "MIT-SHM" "disable"
EndSection
Vendor response:
The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html
CVE Information:
CVE-2008-1379
Record and Security Extensions Multiple Memory Corruption Vulnerabilities
Local exploitation of multiple memory corruption vulnerabilities in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.
Multiple vulnerabilities are present in the Record and Security extensions. In both cases, untrusted values are taken from a client request, and used to swap the byte order of heap memory that follows the client request. Since the number of bytes to swap is not properly validated, it is possible to corrupt heap memory located after the request. The following functions contain vulnerable code:
SProcSecurityGenerateAuthorization()
SProcRecordCreateContext()
SProcRecordRegisterClients()
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the X server, typically root. In order to exploit these vulnerabilities, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.
If an X server is configured to listen for TCP-based client connections, and a client host is granted access to connect (via the server's host access list, managed with xhost), then these vulnerabilities can be exploited remotely.
Workaround:
Access to the vulnerable code in the SECURITY extension can be blocked by stopping the X server from loading that extension. However, doing so may seriously impair the functionality of the server. Note that this setting covers only the SECURITY extension; the Record extension functions listed above remain reachable unless the Record extension (extension name RECORD) is disabled in the same way. Adding the following lines to the X configuration file (xorg.conf) disables the SECURITY extension:
Section "Extensions"
    Option "SECURITY" "disable"
EndSection
Vendor response:
The X.Org team has addressed these vulnerabilities by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html
CVE Information:
CVE-2008-1377
Render Extension Gradient Creation Integer Overflow Vulnerability
Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.
The vulnerability occurs when parsing a client request for one of the following functions:
SProcRenderCreateLinearGradient
SProcRenderCreateRadialGradient
SProcRenderCreateConicalGradient
In each case, values are taken from the client request and used to calculate the number of bytes to swap in the client request data. The calculations attempt to verify that the byte-swap range is valid, but they are incorrect, which can lead to heap memory being corrupted.
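The following is an added illustration, not X.Org code, of the defect shared by the Record/Security swap handlers above and the Render gradient handlers in this section: a client-supplied count drives the byte-swap loop over the request buffer. The two-word header layout, the field names and the sample requests are assumptions constructed for the example; the hardened form bounds the count by the request length the server itself knows it received, rather than by a value the client can choose.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative, not X.Org code: a swapped-request handler of the shape
 * the advisory describes. Stand-in layout: word 0 is a header, word 1 a
 * client-supplied count, and 'count' 32-bit values follow. */

#define HDR_WORDS 2u

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Vulnerable shape: the count comes straight from the request and
 * drives the loop, so a large count swaps whatever heap memory follows
 * the request buffer. */
static void swap_data_unchecked(uint32_t *req, uint32_t count)
{
    for (uint32_t i = 0; i < count; i++)
        req[HDR_WORDS + i] = bswap32(req[HDR_WORDS + i]);
}

/* Hardened shape: req_words is the length the server received; the
 * client's count must fit in what follows the header. Returns false and
 * leaves the payload untouched on a bad count. */
static bool swap_data_checked(uint32_t *req, size_t req_words)
{
    if (req_words < HDR_WORDS)
        return false;
    uint32_t count = bswap32(req[1]);          /* still in wire byte order */
    if (count > req_words - HDR_WORDS)
        return false;                          /* would run past the request */
    req[1] = count;
    for (uint32_t i = 0; i < count; i++)
        req[HDR_WORDS + i] = bswap32(req[HDR_WORDS + i]);
    return true;
}

/* Constructed data: a 5-word request claiming 6 payload words, followed
 * by 3 words standing in for the next heap chunk. Returns true when the
 * unchecked swap clobbered the neighbouring words (bug reproduced). */
static bool demo_unchecked_corrupts_neighbour(void)
{
    uint32_t heap[8] = {
        0x00000000u, bswap32(6u),
        bswap32(0x11111111u), bswap32(0x22222222u), bswap32(0x33333333u),
        0xDEADBEEFu, 0xDEADBEEFu, 0xDEADBEEFu
    };
    swap_data_unchecked(heap, bswap32(heap[1]));
    return heap[5] != 0xDEADBEEFu && heap[7] != 0xDEADBEEFu;
}

/* Same over-long claim against the checked handler: rejected, and both
 * the payload and the neighbouring words are left as they arrived. */
static bool demo_checked_rejects_oversize(void)
{
    uint32_t heap[8] = {
        0x00000000u, bswap32(6u),
        bswap32(0x11111111u), bswap32(0x22222222u), bswap32(0x33333333u),
        0xDEADBEEFu, 0xDEADBEEFu, 0xDEADBEEFu
    };
    bool ok = swap_data_checked(heap, 5);
    return !ok && heap[2] == bswap32(0x11111111u) && heap[5] == 0xDEADBEEFu;
}

/* A well-formed request (count matches the data) is swapped in place. */
static bool demo_checked_accepts_valid(void)
{
    uint32_t req[5] = { 0x00000000u, bswap32(3u),
                        bswap32(0x11223344u), bswap32(0xAABBCCDDu), bswap32(5u) };
    return swap_data_checked(req, 5) && req[1] == 3u &&
           req[2] == 0x11223344u && req[3] == 0xAABBCCDDu && req[4] == 5u;
}
```

The point of the checked version is which value is trusted: the server's own record of how many bytes it read from the socket is the only safe upper bound, and any count or length carried inside the request body must be compared against it before it is used as a loop limit.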
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the X server, typically root. To exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical Web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.
If an X server is configured to listen for TCP-based client connections, and a client host is granted access to connect (via the server's host access list, managed with xhost), then this vulnerability can be exploited remotely.
Workaround:
Access to the vulnerable code can be blocked by stopping the X server from loading the Render extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file (xorg.conf) disables the Render extension:
Section "Extensions"
    Option "RENDER" "disable"
EndSection
Vendor response:
The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html
CVE Information:
CVE-2008-2362
Render Extension ProcRenderCreateCursor() Integer Overflow Vulnerability
Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to create a denial of service (DoS) condition on the affected X server.
The vulnerability exists within the ProcRenderCreateCursor() function. When parsing a client request, values are taken from the request and used in an arithmetic operation that calculates the size of a dynamic buffer. This calculation can overflow, which results in an undersized buffer being allocated. This leads to an invalid memory access, which crashes the X server.
Analysis:
Exploitation allows an attacker to crash the X server; code execution is not possible. To exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical Web browser.
If an X server is configured to listen for TCP-based client connections, and a client host is granted access to connect (via the server's host access list, managed with xhost), then this vulnerability can be exploited remotely.
Workaround:
Access to the vulnerable code can be blocked by stopping the X server from loading the Render extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file (xorg.conf) disables the Render extension:
Section "Extensions"
    Option "RENDER" "disable"
EndSection
Vendor response:
The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html
CVE Information:
CVE-2008-2361
Render Extension AllocateGlyph() Integer Overflow Vulnerability
Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.
The vulnerability exists within the AllocateGlyph() function, which is called from several request handlers in the render extension. This function takes several values from the request, and multiplies them together to calculate how much memory to allocate for a heap buffer. This calculation can overflow, which leads to a heap overflow.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the X server, typically root. To exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console. One method of gaining the required access is to remotely exploit a vulnerability in, for example, a graphical Web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.
If an X server is configured to listen for TCP-based client connections, and a client host is granted access to connect (via the server's host access list, managed with xhost), then this vulnerability can be exploited remotely.
Workaround:
Access to the vulnerable code can be blocked by stopping the X server from loading the Render extension. However, doing so may seriously impair the functionality of the server. Adding the following lines to the X configuration file (xorg.conf) disables the Render extension:
Section "Extensions"
    Option "RENDER" "disable"
EndSection
Vendor response:
The X.Org team has addressed this vulnerability by releasing patches for version 1.4 of the X server. For more information, consult the X.Org advisory at the following URL.
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html
CVE Information:
CVE-2008-2360