SecuriTeam - X Server Extensions Memory Corruption Vulnerabilities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

The X Window System is a graphical windowing system based on a client/server model.

Local exploitation of three different memory corruption vulnerabilities in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root.

Credit:
The original articles can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=463
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=464
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=465

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* X.Org server versions 7.1-1.1.0.
* Previous versions may also be affected.

Local exploitation of a memory corruption vulnerability in the "ProcRenderAddGlyphs" function lies within the Render extension. Insufficient input validation exists when allocating memory for glyph management data structures. (CVE-2006-6101)

Local exploitation of a memory corruption vulnerability in the "ProcDbeGetVisualInfo" function lies within the DBE extension. Insufficient input validation exists when allocating memory for data structures. (CVE-2006-6102)

Local exploitation of a memory corruption vulnerability in the "ProcDbeSwapBuffers" function lies within the DBE extension. Insufficient input validation exists when allocating memory for data structures. (CVE-2006-6103)

By sending a specially crafted X protocol request to specific extension, an attacker can cause an exploitable memory corruption condition.

Workaround:
Access to the vulnerable code can be prevented when the vulnerable extension is not built into the X binary. This can be accomplished by removing the entry for the DBE extension from your X server's configuration file, often stored in /etc/X11 and named xorg.conf or XF86Config-4. To do this, remove the following lines from the 'Module' section:
Load "DBE"
Load "render"

This will prevent the render extension from loading, which may affect the appearance or operation of some applications.

Disclosure Timeline:
* 12-04-06 - Initial vendor notification
* 12-05-06 - Initial vendor response
* 01-09-07 - Coordinated public disclosure

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities