iDEFENSE Security Advisory 02.11.04: Exploitation of a buffer overflow in the XFree86 X Window System allows local attackers to gain root privileges. The vulnerability specifically exists in the use of the CopyISOLatin1Lowered() function with the 'font_name' buffer. While parsing a 'font.alias' file, the ReadFontAlias() function uses the length of the input string as the limit for the copy, instead of the size of the storage buffer. A malicious user may craft a malformed 'font.alias' file, causing a buffer overflow upon parsing and eventually leading to the execution of arbitrary code.
969dc5cfdd69d231c477b299e5f6ef17b853eac7ca564fd483dcefed01c82792
iDEFENSE Security Advisory 02.11.04:
XFree86 Font Information File Buffer Overflow II
http://www.idefense.com/application/poi/display?id=73
February 12, 2004
I. BACKGROUND
In short, XFree86 is an open source X11-based desktop infrastructure.
XFree86, provides a client/server interface between display hardware
(the mouse, keyboard, and video displays) and the desktop environment
while also providing both the windowing infrastructure and a
standardized application interface (API). XFree86 is platform
independent, network-transparent and extensible.
II. DESCRIPTION
Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.
The vulnerability specifically exists in the use of the
CopyISOLatin1Lowered() function with the 'font_name' buffer. While
parsing a 'font.alias' file, the ReadFontAlias() function uses the
length of the input string as the limit for the copy, instead of the
size of the storage buffer. A malicious user may craft a malformed
'font.alias' file, causing a buffer overflow upon parsing and eventually
leading to the execution of arbitrary code.
To reproduce the overflow on the command line:
# cat > fonts.dir <<EOF
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "data " . "0" x 2048 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD
In the function below, if lexToken is longer than MAXFONTNAMELEN*2
(2048 chars), an overflow occurs.
CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));
This is a related issue to that discussed in the iDEFENSE report
"XFree86 Font Information File Buffer Overflow"
(http://www.idefense.com/application/poi/display?id=72).
III. ANALYSIS
Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in XFree86
versions 4.1.0 to the current version 4.3.0. It is suspected that
earlier versions are vulnerable as well.
V. VENDOR RESPONSE
The patch for the problem is at
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
it is applicable to all affected XFree86 versions.
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned CAN-2004-0084 to this issue.
VII. DISCLOSURE TIMELINE
February 9, 2004 Exploit acquired by iDEFENSE
February 9, 2004 Initial vendor notification
February 9, 2004 Response received from David Dawes at XFree86.org
February 10, 2004 iDEFENSE Clients notified
February 12, 2004 Public disclosure
VIII. CREDIT
Greg MacManus (iDEFENSE Labs) is credited with this discovery.