iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II

From: iDefense Labs (labs_at_iDefense.com)
Date: 02/12/04

  • Next message: Gadi Evron: "W2K source "leaked"?"
    Date: Thu, 12 Feb 2004 13:01:25 -0500
    To: "full-disclosure@lists.netsys.com" <'full-disclosure@lists.netsys.com'>, <database@net-security.org>, <bugs@securitytracker.com>, <bugtraq@securityfocus.com>, "news@securiteam.com" <'news@securiteam.com'>
    
    

    iDEFENSE Security Advisory 02.11.04:

    XFree86 Font Information File Buffer Overflow II
    http://www.idefense.com/application/poi/display?id=73
    February 12, 2004

    I. BACKGROUND

    In short, XFree86 is an open source X11-based desktop infrastructure.

    XFree86, provides a client/server interface between display hardware
    (the mouse, keyboard, and video displays) and the desktop environment
    while also providing both the windowing infrastructure and a
    standardized application interface (API). XFree86 is platform
    independent, network-transparent and extensible.

    II. DESCRIPTION

    Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
    X Window System allows local attackers to gain root privileges.

    The vulnerability specifically exists in the use of the
    CopyISOLatin1Lowered() function with the 'font_name' buffer. While
    parsing a 'font.alias' file, the ReadFontAlias() function uses the
    length of the input string as the limit for the copy, instead of the
    size of the storage buffer. A malicious user may craft a malformed
    'font.alias' file, causing a buffer overflow upon parsing and eventually
    leading to the execution of arbitrary code.

    To reproduce the overflow on the command line:

    # cat > fonts.dir <<EOF
    1
    word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
    EOF
    # perl -e 'print "data " . "0" x 2048 . "A" x 96 . "\n"' > fonts.alias
    # X :0 -fp $PWD

    In the function below, if lexToken is longer than MAXFONTNAMELEN*2
    (2048 chars), an overflow occurs.

    CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));

    This is a related issue to that discussed in the iDEFENSE report
    "XFree86 Font Information File Buffer Overflow"
    (http://www.idefense.com/application/poi/display?id=72).

    III. ANALYSIS

    Successful exploitation requires that an attacker be able to execute
    commands in the X11 subsystem. This can be done either by having console
    access to the target or through a remote exploit against any X client
    program such as a web-browser, mail-reader or game. Successful
    exploitation yields root access.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in XFree86
    versions 4.1.0 to the current version 4.3.0. It is suspected that
    earlier versions are vulnerable as well.

    V. VENDOR RESPONSE

    The patch for the problem is at
    ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
    it is applicable to all affected XFree86 versions.

    VI. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned CAN-2004-0084 to this issue.

    VII. DISCLOSURE TIMELINE

    February 9, 2004 Exploit acquired by iDEFENSE
    February 9, 2004 Initial vendor notification
    February 9, 2004 Response received from David Dawes at XFree86.org
    February 10, 2004 iDEFENSE Clients notified
    February 12, 2004 Public disclosure

    VIII. CREDIT

    Greg MacManus (iDEFENSE Labs) is credited with this discovery.


  • Next message: Gadi Evron: "W2K source "leaked"?"