Well, score one point for the anti-"opensource is more secure" people.
:-(
LOTS of different *Nix's use XFree,
and vectors could be many.
patch, compile, install...
At least the "vendor" did not sit on the problem for six months... ;-)
-----Forwarded Message-----
> From: iDefense Labs <labs@iDefense.com>
> To: full-disclosure@lists.netsys.com <'full-disclosure@lists.netsys.com'>, database@net-security.org, bugs@securitytracker.com, bugtraq@securityfocus.com, news@securiteam.com <'news@securiteam.com'>
> Subject: iDEFENSE Security Advisory 02.10.04: XFree86 Font Information File Buffer Overflow
> Date: Tue, 10 Feb 2004 15:30:08 -0500
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 02.10.04
>
> XFree86 Font Information File Buffer Overflow
> http://www.idefense.com/application/poi/display?id=72
> February 10, 2004
>
> I. BACKGROUND
>
> In short, XFree86 is an open source X11-based desktop infrastructure.
>
> XFree86, provides a client/server interface between display hardware
> (the mouse, keyboard, and video displays) and the desktop environment
> while also providing both the windowing infrastructure and a
> standardized application interface (API). XFree86 is platform
> independent, network-transparent and extensible.
>
> II. DESCRIPTION
>
> Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
> X Window System allows local attackers to gain root privileges.
>
> The problem specifically exists in the parsing of the 'font.alias' file.
> The X server (running as root) fails to check the length of user
> provided input. A malicious user may craft a malformed 'font.alias'
> file causing a buffer overflow upon parsing, eventually leading to the
> execution of arbitrary code.
>
> - - - From XFree86-4.2.1/xc/lib/font/fontfile/dirfile.c:
>
> ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
> {
>     char alias[MAXFONTNAMELEN];
>
> The above code sets up the buffer that will be exploited directly in
> front of the frame pointer and return address.
>
>     while (status == Successful) {
>         token = lexAlias(file, &lexToken);
>
> lexAlias() reads an arbitrary length token from file, and returns a
> pointer to it in &lexToken, without performing any bounds checking.
> It then returns NAME when it reaches whitespace.
>
>         switch (token) {
>         case NAME:
>             strcpy(alias, lexToken);
>
> If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow
> occurs.
>
> To reproduce the overflow on the command line:
>
> # cat > fonts.dir <<EOF
> 1
> word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
> EOF
> # perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
> # X :0 -fp $PWD
>
> {Some output removed}
>
> Caught signal 11.
>
> Server aborting...
>
> eip: 41414141 eflags: 00003282
>
> {Some output removed}
>
> Code: Segmentation fault (core dumped)
> #
>
> III. ANALYSIS
>
> Successful exploitation requires that an attacker be able to execute
> commands in the X11 subsystem. This can be done either by having console
> access to the target or through a remote exploit against any X client
> program such as a web-browser, mail-reader or game. Successful
> exploitation yields root access.
>
> IV. DETECTION
>
> iDEFENSE has confirmed the existence of this vulnerability in XFree86
> versions 4.1.0 to the current version 4.3.0. It is suspected that
> earlier versions are vulnerable as well.
>
> V. VENDOR RESPONSE
>
> The patch for the problem is at
> ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
> it is applicable to all affected XFree86 versions.
>
> The change log entry is:
>
> 794. Fix font alias overrun.
>
> See also http://www.xfree86.org/cvs/changes/ for changelog extracts for
> the trunk and several branches. The patch has been applied to the
> trunk and all of the 4.x release branches.
>
> VI. CVE INFORMATION
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned CAN-2004-0083 to this issue.
>
> VII. DISCLOSURE TIMELINE
>
> January 9, 2004 Exploit acquired by iDEFENSE
> February 3, 2004 Vendor notified
> February 3, 2004 Response received from David Dawes at XFree86.org
> February 4, 2004 iDEFENSE clients notified
> February 10, 2004 Public disclosure
>
> VIII. CREDIT
>
> Greg MacManus (iDEFENSE Labs) is credited with the discovery of this
> vulnerability.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQCkyufrkky7kqW5PEQLonACfXr39VTFMM0siQ9qQG4ujRXKSTggAoLKi
> gdS6+/EbfSpKM3TX1tzCsNfX
> =F0Tw
> -----END PGP SIGNATURE-----
>
--
"To announce that there must be no criticism of the president, or that we are to stand by the president right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public." - Theodore Roosevelt
"We must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist." - Dwight Eisenhower
------------------------------------------------------------------------
The following was automatically added to this message by the list server: For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.

Received on Tue Feb 10 14:57:08 2004
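The defect the forwarded advisory describes is an unchecked strcpy() of a lexer token of arbitrary length into a 1024-byte stack buffer (alias[MAXFONTNAMELEN]). The C program below is an added example, not code from the advisory, from XFree86 or from the list poster: it shows the same parse loop with the copy bounds-checked against the destination buffer, so an oversized alias is rejected with an error instead of overrunning the stack. The tokenizer lex_alias(), the helpers copy_alias_checked(), parse_alias_file() and make_long_alias(), and the sample fonts.alias text are all constructed for this example and are not the XFree86 lexAlias()/ReadFontAlias() code; the fonts.alias format is simplified to "alias fontname" pairs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXFONTNAMELEN 1024   /* the same buffer size the advisory cites for alias[] */

/* Outcomes of the hardened parser. */
enum alias_status { ALIAS_OK = 0, ALIAS_TOO_LONG = 1, ALIAS_NOMEM = 2 };

/* Read one whitespace-delimited token of arbitrary length from *cursor and
 * advance the cursor past it. Like the advisory's lexAlias(), the token is
 * unbounded, so the caller must check its length before copying it into any
 * fixed-size buffer. Returns a malloc'd string, NULL at end of input or on
 * allocation failure (hypothetical helper, not the XFree86 lexer). */
static char *lex_alias(const char **cursor)
{
    const char *p = *cursor;
    while (*p && isspace((unsigned char)*p)) p++;
    if (!*p) { *cursor = p; return NULL; }
    const char *start = p;
    while (*p && !isspace((unsigned char)*p)) p++;
    size_t len = (size_t)(p - start);
    char *tok = malloc(len + 1);
    if (!tok) return NULL;          /* cursor left untouched: caller can tell this from EOF */
    memcpy(tok, start, len);
    tok[len] = '\0';
    *cursor = p;
    return tok;
}

/* Hardened form of the vulnerable pattern
 *     char alias[MAXFONTNAMELEN];
 *     strcpy(alias, lexToken);
 * The token length, including its terminating NUL, is checked against the
 * destination before a single byte is copied. */
static enum alias_status copy_alias_checked(char alias[MAXFONTNAMELEN], const char *token)
{
    size_t len = strlen(token);
    if (len >= MAXFONTNAMELEN)      /* len == 1024 would leave no room for the NUL */
        return ALIAS_TOO_LONG;
    memcpy(alias, token, len + 1);
    return ALIAS_OK;
}

/* Parse simplified fonts.alias text ("<alias> <fontname>" per line).
 * Counts accepted aliases in *n_ok; on the first oversized alias stops with
 * ALIAS_TOO_LONG and reports its length in *bad_len. */
enum alias_status parse_alias_file(const char *text, size_t *n_ok, size_t *bad_len)
{
    char alias[MAXFONTNAMELEN];     /* fixed-size stack buffer, as in the advisory */
    const char *cursor = text;
    *n_ok = 0;
    *bad_len = 0;
    for (;;) {
        char *tok = lex_alias(&cursor);
        if (!tok)
            return *cursor ? ALIAS_NOMEM : ALIAS_OK;   /* NULL at end of input means done */
        size_t len = strlen(tok);
        enum alias_status st = copy_alias_checked(alias, tok);
        free(tok);
        if (st != ALIAS_OK) { *bad_len = len; return st; }
        (*n_ok)++;
        char *font = lex_alias(&cursor);   /* font name goes elsewhere; skipped here */
        free(font);
    }
}

/* Constructed sample input (not taken from any real fonts.alias). */
static const char SAMPLE_GOOD[] =
    "fixed -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1\n"
    "variable -*-helvetica-bold-r-normal-*-*-120-*-*-*-*-iso8859-1\n";

/* Build an alias line whose alias token is n non-space bytes long (constructed test input). */
char *make_long_alias(size_t n)
{
    char *buf = malloc(n + 16);
    if (!buf) return NULL;
    memset(buf, '0', n);
    strcpy(buf + n, " somefont\n");
    return buf;
}

int main(void)
{
    size_t ok, bad;
    enum alias_status st = parse_alias_file(SAMPLE_GOOD, &ok, &bad);
    printf("well-formed file: status %d, %zu aliases accepted\n", st, ok);
    char *big = make_long_alias(1120);   /* longer than MAXFONTNAMELEN */
    st = parse_alias_file(big, &ok, &bad);
    printf("oversized alias: status %d, rejected token of %zu bytes\n", st, bad);
    free(big);
    return 0;
}
```

The check is deliberately `len >= MAXFONTNAMELEN` rather than `>`: a 1024-byte token plus its NUL is 1025 bytes and would still overrun the buffer by one, which is the kind of off-by-one that survives a casual fix. Logging the rejected length gives an operator a usable signal when a font directory contains an alias no legitimate font would ever have.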