SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   X Vendors:   X.org
X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1019232
SecurityTracker URL:  http://securitytracker.com/id/1019232
CVE Reference:   CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429, CVE-2008-0006   (Links to External Site)
Date:  Jan 17 2008
Impact:   Disclosure of system information, Disclosure of user information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.3
Description:   Several vulnerabilities were reported in X. A local user can obtain root privileges on the target system. A local user can determine whether certain files or directories exist on the target system.

A local user can exploit any of several memory corruption errors in the X server to execute arbitrary code with the privileges of the target X server (typically root level privileges).

A local user can supply a specially PassMessage request to cause an out-of-bounds array index error and trigger a pointer dereference in the XFree86 Misc extension [CVE-2007-5760].

A local user can supply a certain type of command ('X :1 -sp <file>') specifying an arbitrary file or directory to identify whether the specified file exists in access-restricted directories based on the error message returned by the system [CVE-2007-5958].

A local user can trigger a heap corruption error in the Xinput extension [CVE-2007-6427].

A local user can read arbitrary memory contents by exploiting the ProcGetReservedColormapEntries() function in the TOG-CUP extension [CVE-2007-6428].

A local user can supply a specially crafted request to trigger an integer overflow in the pixmap creation process in the MIT-SHM and EVI extensions [CVE-2007-6429].

A local user can supply a specially crafted PCF font to trigger a buffer overflow [CVE-2008-0006].

regenrecht reported CVE-2007-5760, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429 via iDefense. Takuya Shiozaki of CodeBlog reported CVE-2008-0006. An anonymous researcher reported CVE-2007-5859.

Impact:   A local user can obtain root privileges on the target system.

A local user can determine whether files or directories exist on the target system.

Solution:   The vendor has issued a fixed version of Xserver (1.4.1).

Patches are available for versions 1.2 and 1.4:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.2/patches/xorg-xserver-1.2-multiple-overflows.diff

MD5: 238affb8697e6f095dbb6fe66ceb7873
xorg-xserver-1.2-multiple-overflows.diff
SHA1: 6df37147742fcdf429cc980f1a528f1c888efdcb
xorg-xserver-1.2-multiple-overflows.diff

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows.diff

MD5: 7aadd3ead8c3bd098413fef91af7d35f
xorg-xserver-1.4-multiple-overflows.diff
SHA1: b3c9013aa6abc30fabd8f6a85e427f5fd6e6ef6c
xorg-xserver-1.4-multiple-overflows.diff

For CVE-2008-0006 the following patch for libXfont is also needed:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-libXfont-1.3.1-pcf-parser.diff

MD5: f6ea1bae4c5fb279e679fece589eaab6 xorg-libXfont-1.3.1-pcf-parser.diff
SHA1: 1d7a07ddb2efa8b56b51c7fad58b7e8e17c6421c
xorg-libXfont-1.3.1-pcf-parser.diff

The X advisory is available at:

http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

Vendor URL:  lists.freedesktop.org/archives/xorg/2008-January/031918.html (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 17 2008 (Red Hat Issues Fix) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Jan 18 2008 (Red Hat Issues Fix) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jan 18 2008 (Red Hat Issues Fix for libXfont) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for libXfont on Red Hat Enterprise Linux 5.
Jan 18 2008 (Sun Issues Fix for CVE-2007-5958) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
Sun has issued a fix for Solaris 9 and T-Patches for the other versions.
Jan 18 2008 (Sun Describes Workaround) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
Sun has issued an advisory describing a workaround for Solaris 8, 9, and 10.
Jan 18 2008 (Sun Describes Workaround) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
Sun has issued an advisory describing a workaround for Solaris 8, 9, and 10.
Jan 18 2008 (Red Hat Issues Fix for XFree86) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for XFree86 on Red Hat Enterprise Linux 2.1 and 3.
Feb 28 2008 (IBM Issues Fix for AIX) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
IBM has issued a fix for AIX 5.2, 5.3, and 6.1.
Nov 4 2008 (HP Issues Fix) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
HP has issued a fix for HP-UX.
Dec 15 2011 (IBM Issues Fix for AIX) X Server Bugs in XFree86, Xinput, TOG-CUP, MIT-SHM, and EVI Extensions Let Local Users Gain Root Privileges
IBM has issued a fix for AIX 6.1 and 7.1.



 Source Message Contents

Date:  Thu, 17 Jan 2008 15:40:10 -0500
Subject:  iDefense Security Advisory 01.17.08: Multiple Vendor X Server XInput

iDefense Security Advisory 01.17.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 17, 2008

I. BACKGROUND

The X Window System (or X11) is a graphical windowing system used on
Unix-like systems. It is based on a client/server model. More
information about about The X Window system is available at the
following URL.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of multiple memory corruption vulnerabilities in the
X.Org X server, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the X server, typically root.

Vulnerable code exists within multiple functions in the XInput
extension. By sending specially crafted X11 requests, an attacker is
able to corrupt heap memory located after their request data. This
results in a potentially exploitable condition.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root
privileges. In order to exploit these vulnerabilities, an attacker must
be able to send commands to an affected X server. This typically
requires access to the console or access to the same account as a user
who is on the console.

If an X Server is configured to listen for TCP based client connections,
and a client is granted access to create sessions (via the xhosts file),
then these vulnerabilities can be exploited remotely.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in X.Org
X11 version R7.3. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue. The
XInput extension is normally compiled into the X Server; as such, it's
not possible to disable it from being loaded in the configuration file.

VI. VENDOR RESPONSE

The X.Org team has addressed these vulnerabilities with the release of
Xserver version 1.4.1. Additionally, patches for versions 1.4 and 1.2
have been made available. For more information, consult the X.Org
advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-6427 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/29/2007  Initial vendor notification
12/04/2007  Initial vendor response
01/17/2008  Coordinated public disclosure

IX. CREDIT

These vulnerabilities were reported to VeriSign iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright  2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
To unsubscribe, go here:
http://www.idefense.com/mailman/listinfo/idlabs-advisories


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC