XFree86 Font Information File Buffer Overflow Lets Local Users Gain Root Privileges
|
|
SecurityTracker Alert ID: 1008991 |
|
SecurityTracker URL: http://securitytracker.com/id/1008991
|
|
CVE Reference:
CAN-2004-0083
(Links to External Site)
|
Updated: Feb 16 2004
|
Original Entry Date: Feb 9 2004
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 4.3.99.903 Release Candidate
|
Description:
iDEFENSE reported a buffer overflow vulnerability in XFree in the parsing of the 'font.alias' file. A local user can gain root privileges on the target system.
It is reported that the X server does not validate the length of user-supplied input from the 'font.alias' file. A local user can create a specially crafted file that will trigger a buffer overflow when the X server parses the file. Arbitrary code can be executed with root privileges, according to the report.
The flaw reportedly resides in the 'xc/lib/font/fontfile/dirfile.c' file in the ReadFontAlias() function, where user-supplied input may overflow a fixed length buffer of MAXFONTNAMELEN (1024) characters.
The original iDEFENSE advisory is available at:
http://www.idefense.com/application/poi/display?id=72
The following notification timeline is provided:
February 3, 2004 Vendor notified
February 10, 2004 Public disclosure
|
Impact:
A local user can execute arbitrary code with root privileges.
|
Solution:
A patch is available at:
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff
A fix is available at:
ftp://ftp.xfree86.org/pub/XFree86/develsnaps/XFree86-4.3.99.903.tar.bz2
|
Vendor URL: www.xfree86.org/security/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 10 Feb 2004 15:30:08 -0500
Subject: iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 02.10.04
XFree86 Font Information File Buffer Overflow
http://www.idefense.com/application/poi/display?id=72
February 10, 2004
I. BACKGROUND
In short, XFree86 is an open source X11-based desktop infrastructure.
XFree86, provides a client/server interface between display hardware
(the mouse, keyboard, and video displays) and the desktop environment
while also providing both the windowing infrastructure and a
standardized application interface (API). XFree86 is platform
independent, network-transparent and extensible.
II. DESCRIPTION
Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.
The problem specifically exists in the parsing of the 'font.alias' file.
The X server (running as root) fails to check the length of user
provided input. A malicious user may craft a malformed 'font.alias'
file causing a buffer overflow upon parsing, eventually leading to the
execution of arbitrary code.
- - - From XFree86-4.2.1/xc/lib/font/fontfile/dirfile.c:
ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
{
char alias[MAXFONTNAMELEN];
The above code sets up the buffer that will be exploited directly in
front of the frame pointer and return address.
while (status == Successful) {
token = lexAlias(file, &lexToken);
lexAlias() reads an arbitrary length token from file, and returns a
pointer to it in &lexToken, without performing any bounds checking.
It then returns NAME when it reaches whitespace.
switch (token) {
case NAME:
strcpy(alias, lexToken);
If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow
occurs.
To reproduce the overflow on the command line:
# cat > fonts.dir <<EOF
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD
{Some output removed}
Caught signal 11.
Server aborting...
eip: 41414141 eflags: 00003282
{Some output removed}
Code: Segmentation fault (core dumped)
#
III. ANALYSIS
Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in XFree86
versions 4.1.0 to the current version 4.3.0. It is suspected that
earlier versions are vulnerable as well.
V. VENDOR RESPONSE
The patch for the problem is at
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
it is applicable to all affected XFree86 versions.
The change log entry is:
794. Fix font alias overrun.
See also http://www.xfree86.org/cvs/changes/ for changelog extracts for
the trunk and several branches. The patch has been applied to the
trunk and all of the 4.x release branches.
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned CAN-2004-0083 to this issue.
VII. DISCLOSURE TIMELINE
January 9, 2004 Exploit acquired by iDEFENSE
February 3, 2004 Vendor notified
February 3, 2004 Response received from David Dawes at XFree86.org
February 4, 2004 iDEFENSE clients notified
February 10, 2004 Public disclosure
VIII. CREDIT
Greg MacManus (iDEFENSE Labs) is credited with the discovery of this
vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQCkyufrkky7kqW5PEQLonACfXr39VTFMM0siQ9qQG4ujRXKSTggAoLKi
gdS6+/EbfSpKM3TX1tzCsNfX
=F0Tw
-----END PGP SIGNATURE-----
|
|
