exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2004-02-11.t

iDEFENSE Security Advisory 2004-02-11.t
Posted Feb 12, 2004
Authored by iDefense Labs | Site idefense.com

iDEFENSE Security Advisory 02.11.04: Exploitation of a buffer overflow in the XFree86 X Window System allows local attackers to gain root privileges. The vulnerability specifically exists in the use of the CopyISOLatin1Lowered() function with the 'font_name' buffer. While parsing a 'font.alias' file, the ReadFontAlias() function uses the length of the input string as the limit for the copy, instead of the size of the storage buffer. A malicious user may craft a malformed 'font.alias' file, causing a buffer overflow upon parsing and eventually leading to the execution of arbitrary code.

tags | advisory, overflow, arbitrary, local, root
SHA-256 | 969dc5cfdd69d231c477b299e5f6ef17b853eac7ca564fd483dcefed01c82792

iDEFENSE Security Advisory 2004-02-11.t

Change Mirror Download
iDEFENSE Security Advisory 02.11.04:

XFree86 Font Information File Buffer Overflow II
http://www.idefense.com/application/poi/display?id=73
February 12, 2004

I. BACKGROUND

In short, XFree86 is an open source X11-based desktop infrastructure.

XFree86, provides a client/server interface between display hardware
(the mouse, keyboard, and video displays) and the desktop environment
while also providing both the windowing infrastructure and a
standardized application interface (API). XFree86 is platform
independent, network-transparent and extensible.

II. DESCRIPTION

Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.

The vulnerability specifically exists in the use of the
CopyISOLatin1Lowered() function with the 'font_name' buffer. While
parsing a 'font.alias' file, the ReadFontAlias() function uses the
length of the input string as the limit for the copy, instead of the
size of the storage buffer. A malicious user may craft a malformed
'font.alias' file, causing a buffer overflow upon parsing and eventually
leading to the execution of arbitrary code.

To reproduce the overflow on the command line:

# cat > fonts.dir <<EOF
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "data " . "0" x 2048 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD

In the function below, if lexToken is longer than MAXFONTNAMELEN*2
(2048 chars), an overflow occurs.

CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));

This is a related issue to that discussed in the iDEFENSE report
"XFree86 Font Information File Buffer Overflow"
(http://www.idefense.com/application/poi/display?id=72).

III. ANALYSIS

Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in XFree86
versions 4.1.0 to the current version 4.3.0. It is suspected that
earlier versions are vulnerable as well.

V. VENDOR RESPONSE

The patch for the problem is at
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
it is applicable to all affected XFree86 versions.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned CAN-2004-0084 to this issue.

VII. DISCLOSURE TIMELINE

February 9, 2004 Exploit acquired by iDEFENSE
February 9, 2004 Initial vendor notification
February 9, 2004 Response received from David Dawes at XFree86.org
February 10, 2004 iDEFENSE Clients notified
February 12, 2004 Public disclosure

VIII. CREDIT

Greg MacManus (iDEFENSE Labs) is credited with this discovery.
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close