iDEFENSE Security Advisory 02.11.04:

XFree86 Font Information File Buffer Overflow II
http://www.idefense.com/application/poi/display?id=73
February 12, 2004

I. BACKGROUND

In short, XFree86 is an open source X11-based desktop infrastructure.

XFree86, provides a client/server interface between display hardware
(the mouse, keyboard, and video displays) and the desktop environment
while also providing both the windowing infrastructure and a
standardized application interface (API). XFree86 is platform
independent, network-transparent and extensible.

II. DESCRIPTION

Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.

The vulnerability specifically exists in the use of the
CopyISOLatin1Lowered() function with the 'font_name' buffer. While
parsing a 'font.alias' file, the ReadFontAlias() function uses the
length of the input string as the limit for the copy, instead of the
size of the storage buffer. A malicious user may craft a malformed
'font.alias' file, causing a buffer overflow upon parsing and eventually
leading to the execution of arbitrary code.

To reproduce the overflow on the command line:

# cat > fonts.dir <<EOF
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "data " . "0" x 2048 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD

In the function below, if lexToken is longer than MAXFONTNAMELEN*2
(2048 chars), an overflow occurs.

CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));

This is a related issue to that discussed in the iDEFENSE report
"XFree86 Font Information File Buffer Overflow"
(http://www.idefense.com/application/poi/display?id=72).

III. ANALYSIS

Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in XFree86
versions 4.1.0 to the current version 4.3.0. It is suspected that
earlier versions are vulnerable as well.

V. VENDOR RESPONSE

The patch for the problem is at
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
it is applicable to all affected XFree86 versions.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned CAN-2004-0084 to this issue.

VII. DISCLOSURE TIMELINE

February 9, 2004    Exploit acquired by iDEFENSE
February 9, 2004    Initial vendor notification
February 9, 2004    Response received from David Dawes at XFree86.org
February 10, 2004   iDEFENSE Clients notified
February 12, 2004   Public disclosure

VIII. CREDIT

Greg MacManus (iDEFENSE Labs) is credited with this discovery.