Gentoo's Bugzilla – Attachment 105781 Details for Bug 157421
x11-base/xorg-server Multiple vulnerabilities in X.Org Render and DBE extensions (Vendor-Sec) (CVE-2006-610[1-3])
Memory Corruption Vulnerability1.txt (text/plain), 5.99 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2007-01-07 12:35:45 UTC
Flags: patch, obsolete
Multiple Vendor X Server Xdbe Extension 'ProcDbeSwapBuffers()' Memory Corruption Vulnerability

iDefense Security Advisory XX.XX.06
http://www.idefense.com/intelligence/vulnerabilities/
MMM DD, 2006

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. More information about The X Window system is available at the following link:

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of a memory corruption vulnerability in the 'ProcDbeSwapBuffers()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root.

xorg-server-X11R7.1-1.1.0/dbe/dbe.c

    static int
    ProcDbeSwapBuffers(ClientPtr client)
    {
        REQUEST(xDbeSwapBuffersReq);
        WindowPtr           pWin;
        DbeScreenPrivPtr    pDbeScreenPriv;
        DbeSwapInfoPtr      swapInfo;
        xDbeSwapInfo        *dbeSwapInfo;
        int                 error;
        register int        i, j;
        int                 nStuff;


        REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
    1]  nStuff = stuff->n;  /* use local variable for performance. */

        if (nStuff == 0)
        {
            return(Success);
        }

        /* Get to the swap info appended to the end of the request. */
        dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];

        /* Allocate array to record swap information. */
    2]  swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
        if (swapInfo == NULL)
        {
            return(BadAlloc);
        }


        for (i = 0; i < nStuff; i++)
        {
            /* Check all windows to swap. */

            /* Each window must be a valid window - BadWindow. */
    3]      if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
                                              SecurityWriteAccess)))
            {
                DEALLOCATE_LOCAL(swapInfo);
                return(BadWindow);
            }

    ....

            /* Everything checks out OK.  Fill in the swap info array. */
    4]      swapInfo[i].pWindow    = pWin;
            swapInfo[i].swapAction = dbeSwapInfo[i].swapAction;


1) This value is taken directly from the client's request buffer.

2) This macro will call alloca() on systems that support it, or malloc() on systems that do not. There are two vulnerabilities here. First there is an integer overflow when multiplying the two operands. If nStuff is > 0xffffffff / sizeof(DbeSwapInfoRec) the operation will overflow, and too little memory will be allocated. If malloc() is being used then this is the only way to exploit the vulnerability. The second vulnerability is passing a user controlled value to the alloca() function. This function takes its argument and subtracts it from the current stack pointer in order to allocate local storage dynamically without using the heap. By passing alloca() a large unsigned value the stack pointer can be set to nearly anywhere in the address space, including an area outside of the actual stack segment. This address can then be overwritten with arbitrary values.

3) If alloca() is used then an attacker can trigger an overwrite of an arbitrary address with arbitrary data when this function pushes its dbeSwapInfo[i].window argument onto the stack. This value is supplied by the attacker.

4) If malloc() is used then an attacker can trigger a heap overflow with data they partially control.

III. ANALYSIS

Successful local exploitation allows an attacker to execute arbitrary code as the root user. In order to exploit this vulnerability an attacker would require the ability to send commands to an affected X server. This typically requires access to the console, or access to the same account as a user who is on the console. One method of gaining the required access would be to remotely exploit a vulnerability in, for example, a graphical web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

As exploitation requires access to the X server, but typically gives local root, iDefense considers this a MEDIUM-severity vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the X.org server version 7.1-1.1.0. Previous versions may also be affected.

V. WORKAROUND

Disable loading of the dbe extension in the X configuration file. Depending on the version of X being used this file name varies. Common names are:

/etc/X11/xorg.conf
/etc/X11/XF86Config

Removing the line:

Load "dbe"

from this file will stop the DBE extension from being loaded.

VI. VENDOR RESPONSE

[Quoted vendor response if available. Otherwise include vendor fix details.]

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-XXXX to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

[OR]

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

XX/XX/2006 Initial vendor notification
XX/XX/2006 Initial vendor response
XX/XX/2006 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
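The advisory's point 2 describes two defects in one line: a 32-bit multiply that wraps when the client-supplied count is large, and an untrusted size handed to alloca(). The example below is added here and is not code from the advisory, from iDefense or from the X.Org server; it models the request handling with simplified stand-ins for xDbeSwapBuffersReq, xDbeSwapInfo and DbeSwapInfoRec (the struct layouts, the opcode values 0x80 and 3, and the request builder are all assumptions). It shows the wrapped product the original arithmetic yields, and beside it the checks a hardened handler performs before allocating: the declared length must match the bytes received, the count must be capped so the product cannot wrap, and the appended entries the loop will read must actually lie inside the request. The allocation size the validator hands back is meant for a checked heap allocation, not for alloca().

```c
/*
 * Added example, not code from the advisory or from the X.Org server.
 * Models the count-and-size handling that ProcDbeSwapBuffers() gets wrong
 * (advisory point 2) and the checks a hardened request handler performs
 * before allocating. Struct layouts, opcodes and the request builder are
 * simplified assumptions; only the shapes matter, not the real X protocol.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for xDbeSwapBuffersReq: 8-byte header, length in 4-byte units. */
typedef struct {
    uint8_t  reqType;     /* extension major opcode (constructed value) */
    uint8_t  dbeReqType;  /* minor opcode (constructed value) */
    uint16_t length;      /* total request length / 4, core X protocol convention */
    uint32_t n;           /* number of swap-info entries appended after the header */
} SwapReqHeader;

/* Assumed stand-in for xDbeSwapInfo: what the client appends, one per window. */
typedef struct {
    uint32_t window;
    uint8_t  swapAction;
    uint8_t  pad[3];
} SwapInfoEntry;

/* Assumed stand-in for DbeSwapInfoRec, fixed at 16 bytes so the arithmetic
   below behaves the same on 32- and 64-bit hosts. */
typedef struct {
    uint64_t pWindow;     /* handle standing in for the real WindowPtr */
    uint8_t  swapAction;
    uint8_t  pad[7];
} SwapInfoRec;

/* Result codes; the numeric values mirror the X11 BadAlloc and BadLength constants. */
enum { REQ_OK = 0, REQ_BAD_ALLOC = 11, REQ_BAD_LENGTH = 16 };

/* The advisory's bug: nStuff * sizeof(DbeSwapInfoRec) in 32-bit arithmetic,
   passed straight to ALLOCATE_LOCAL(). Emulates the wrap explicitly. */
uint32_t unchecked_alloc_size(uint32_t n)
{
    return n * (uint32_t)sizeof(SwapInfoRec);   /* wraps once n > 0xFFFFFFFF / 16 */
}

/* Overflow-safe multiply: returns 0 and leaves *out untouched on overflow. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened prologue: trust nothing in the header until it is checked against
   the bytes that actually arrived. On success *alloc_size is the checked
   size for a heap allocation of the server-side array. */
int validate_swap_request(const uint8_t *buf, size_t buflen, size_t *alloc_size)
{
    SwapReqHeader hdr;
    size_t body;

    if (buflen < sizeof hdr)                  /* REQUEST_AT_LEAST_SIZE equivalent */
        return REQ_BAD_LENGTH;
    memcpy(&hdr, buf, sizeof hdr);
    if ((size_t)hdr.length * 4 != buflen)     /* declared length must match reality */
        return REQ_BAD_LENGTH;
    if (hdr.n == 0) {                         /* header only, nothing appended */
        if (buflen != sizeof hdr)
            return REQ_BAD_LENGTH;
        *alloc_size = 0;
        return REQ_OK;
    }
    if (hdr.n > UINT32_MAX / sizeof(SwapInfoRec))   /* product would have wrapped */
        return REQ_BAD_ALLOC;
    /* All n entries the loop will read must lie inside the request body. */
    if (!checked_mul(hdr.n, sizeof(SwapInfoEntry), &body) || body != buflen - sizeof hdr)
        return REQ_BAD_LENGTH;
    if (!checked_mul(hdr.n, sizeof(SwapInfoRec), alloc_size))
        return REQ_BAD_ALLOC;
    return REQ_OK;
}

/* Constructed request: declares n_declared entries, actually appends n_entries. */
size_t build_request(uint32_t n_declared, size_t n_entries, uint8_t *buf, size_t cap)
{
    size_t total = sizeof(SwapReqHeader) + n_entries * sizeof(SwapInfoEntry);
    SwapReqHeader hdr = { 0x80, 3, (uint16_t)(total / 4), n_declared };
    size_t i;

    if (total > cap)
        return 0;
    memcpy(buf, &hdr, sizeof hdr);
    for (i = 0; i < n_entries; i++) {
        SwapInfoEntry e = { 0x01000000u + (uint32_t)i, 0, { 0, 0, 0 } };   /* constructed window ids */
        memcpy(buf + sizeof hdr + i * sizeof e, &e, sizeof e);
    }
    return total;
}

/* Build one constructed scenario and run it through the validator. */
int run_scenario(uint32_t n_declared, size_t n_entries)
{
    uint8_t buf[64];
    size_t alloc = 0;
    size_t len = build_request(n_declared, n_entries, buf, sizeof buf);
    return validate_swap_request(buf, len, &alloc);
}

int main(void)
{
    printf("n=2, 2 entries          : %d\n", run_scenario(2, 2));            /* 0  */
    printf("n=3, only 2 entries     : %d\n", run_scenario(3, 2));            /* 16 */
    printf("n=0x10000001, 2 entries : %d\n", run_scenario(0x10000001u, 2));  /* 11 */
    printf("wrapped size for that n : %u bytes\n", unchecked_alloc_size(0x10000001u)); /* 16 */
    return 0;
}
```

The third scenario is the one the advisory describes: a count of 0x10000001 makes the original 32-bit product come out as 16 bytes, room for a single record, while the loop at 4] would write 0x10000001 of them. The hardened path rejects that count before any allocation, and rejects the second scenario (a count larger than the entries actually sent) because the read at 3] would otherwise run past the end of the request.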