[UNIX] Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability
------------------------------------------------------------------------


SUMMARY

The X Window System (or X11) is "a graphical windowing system used on
Unix-like systems. It is based on a client/server model". Local
exploitation of a memory corruption vulnerability in the multiple vendor's
X server implementations could allow an attacker to execute arbitrary code
with elevated privileges.

DETAILS

Vulnerable Systems:
* X.org server version 7.1-1.1.0

Immune Systems:
* X.org server version 7.1-1.1.1

The XC-MISC extension is used by the X Server to manage resource IDs. It
is built in to the X server by default.

The vulnerability exists in the ProcXCMiscGetXIDList() function in the
XC-MISC extension. This request is used to determine what resource IDs are
available for use.

Inside this function, the ALLOCATE_LOCAL() macro is used. This macro
allocates memory on the stack or heap depending on the availability of the
alloca() function. If alloca() is available, the stack is used, other wise
the heap is used.

Due to insufficient input validation, it is possible to cause memory
corruption by passing specially crafted values to the
ProcXCMiscGetXIDList() handler function.

Analysis:
Exploitation allows attackers to execute arbitrary code with elevated
privileges.

As the X11 server requires direct access to video hardware, it runs with
elevated privileges. A user compromising an X server would gain those
permissions.

In order to exploit this vulnerability an attacker would require the
ability to send commands to an affected X server. This typically requires
access to the console, or access to the same account as a user who is on
the console. One method of gaining the required access would be to
remotely exploit a vulnerability in, for example, a graphical web browser.
This would then allow an attacker to exploit this vulnerability and
elevate their privileges to root.

Attempts at exploiting this vulnerability may put the console into an
unusable state. This will not prevent repeated exploitation attempts.

Workaround:
iDefense is currently unaware of any workarounds for this issue.

Vendor response:
The X.Org Foundation has addressed this vulnerability with source code
patches. More information can be found from their advisory at the
following URL.
<http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html> http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003>
CVE-2007-1003

Disclosure timeline:
02/08/2007 - Initial vendor notification
02/09/2007 - Initial vendor response
04/03/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by Sean Larsson of iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=503>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=503



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages