Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability
4 Apr. 2007
Summary
The X Window System (or X11) is "a graphical windowing system used on Unix-like systems. It is based on a client/server model". Local exploitation of an integer overflow vulnerability in multiple vendors' implementations of the X Window System server's BDF font parsing component could allow execution of arbitrary code with elevated privileges.
The vulnerability exists in the parsing of BDF (Glyph Bitmap Distribution Format) fonts. When the X server loads a specially crafted BDF font, an integer overflow in a size calculation causes a heap buffer to be allocated smaller than the data subsequently written into it, leading to a potentially exploitable heap overflow.
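The size-calculation failure described above, as an added illustration that is not part of this advisory and not the X server's own BDF parser: a hypothetical parser for the BDF "CHARS <count>" header line, a 16-byte glyph record whose layout is an assumption, the unchecked 32-bit "count * sizeof(record)" computation beside a hardened version that rejects non-positive counts, caps them (MAX_CHARS is an assumed figure; the advisory gives none) and checks that the multiplication cannot wrap before performing it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-glyph record (an assumption, not the server's own
 * structure). Fixed-width fields only, so sizeof() is 16 on every
 * platform and the arithmetic below is reproducible. */
typedef struct {
    int16_t  bbw, bbh, bbx, bby;   /* BBX bounding box */
    int16_t  dwidth, pad;          /* DWIDTH advance, padding */
    uint32_t bitmap_off;           /* offset of the BITMAP data */
} glyph_rec_t;

/* Assumed sanity cap on the CHARS count; the advisory gives no figure. */
#define MAX_CHARS 65536L

/* Parse a BDF "CHARS <count>" header line. Returns 0 and stores the count
 * on success, -1 if the line is malformed (no number, trailing junk,
 * out of long range). The count is deliberately NOT validated here; the
 * two allocation-size routines below are where the behaviour diverges. */
int parse_chars_line(const char *line, long *count)
{
    const char *p = line;
    char *end;
    long v;

    if (strncmp(p, "CHARS ", 6) != 0)
        return -1;
    p += 6;
    errno = 0;
    v = strtol(p, &end, 10);
    if (errno != 0 || end == p)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r')
        end++;
    if (*end != '\0' && *end != '\n')
        return -1;
    *count = v;
    return 0;
}

/* Vulnerable pattern: "count * sizeof(record)" evaluated in 32 bits with
 * no range check, as an allocation size held in a 32-bit int would be.
 * Returns the byte count that would reach the allocator; it wraps modulo
 * 2^32, so a huge count yields a tiny buffer that the font loader then
 * fills with 'count' records: a heap overflow. */
uint32_t vuln_table_bytes(uint32_t nchars)
{
    return nchars * (uint32_t)sizeof(glyph_rec_t);
}

/* Hardened version: reject non-positive counts, cap them, and verify the
 * multiplication cannot wrap before computing it in size_t. Returns 0 and
 * stores the byte count, or -1 if the count is unacceptable. */
int safe_table_bytes(long nchars, size_t *bytes)
{
    if (nchars < 1 || nchars > MAX_CHARS)
        return -1;
    if ((size_t)nchars > SIZE_MAX / sizeof(glyph_rec_t))  /* generic wrap check */
        return -1;
    *bytes = (size_t)nchars * sizeof(glyph_rec_t);
    return 0;
}

/* Run one CHARS line through both paths. Returns the hardened verdict
 * (0 accepted, -1 rejected) and reports the size the unchecked path
 * would have requested from the allocator. */
int check_chars_line(const char *line, uint32_t *vuln_bytes, size_t *safe_bytes)
{
    long n;
    if (parse_chars_line(line, &n) != 0)
        return -1;
    *vuln_bytes = vuln_table_bytes((uint32_t)n);
    return safe_table_bytes(n, safe_bytes);
}

int main(void)
{
    /* Constructed header lines: one benign, one crafted so that
     * 268435457 * 16 == 2^32 + 16, i.e. a 16-byte allocation, one negative. */
    const char *lines[] = { "CHARS 95", "CHARS 268435457", "CHARS -1" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        uint32_t vb = 0;
        size_t sb = 0;
        int rc = check_chars_line(lines[i], &vb, &sb);
        printf("%-16s unchecked size=%u  hardened=%s (%zu bytes)\n",
               lines[i], vb, rc == 0 ? "accept" : "reject", sb);
    }
    return 0;
}
```

The crafted count of 268435457 is the smallest value that pushes the 16-byte product past 2^32; the unchecked path asks the allocator for 16 bytes and the loader then writes 268435457 records into it, which is the heap overflow the advisory describes. The hardened path rejects it on the cap alone, and the generic wrap check stays as the defence that does not depend on the cap being chosen well.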
Analysis:
Exploitation allows attackers to execute arbitrary code with elevated privileges.
Because the X11 server requires direct access to video hardware, it runs with elevated privileges (typically as root). A local user who compromises the X server gains those privileges.
To exploit this vulnerability, an attacker needs to make the X server load a maliciously constructed font. The server offers several ways for a user to add directories to its font path. An exploit has been developed that passes the location of the malicious font to the server through the "-fp" command line option; the "fp" option of the "xset" command can likewise be used to attack an already running server.
Some distributions allow users to start the X11 server only when they are logged in at the console, while others allow any local user to start it.
A failed exploitation attempt may leave the console in an unusable state. This does not prevent an attacker from simply trying again.
Workaround:
iDefense is currently unaware of any effective workaround for this issue.