xfstt-1.4 vulnerability

From: ruben unteregger (ruben.unteregger_at_era-it.ch)
Date: 07/15/03

Next message: Conectiva Updates: "[CLA-2003:695] Conectiva Security Announcement - mpg123"

Previous message: Marek Bialoglowy: "Internet Explorer Full-Screen mode threats"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 15 Jul 2003 00:38:20 +0200
To: bugtraq@securityfocus.com

---------------------------------------------------------------
ERA IT Solutions AG http://www.era-it.ch

Security Advisory - xfstt-1.4 vulnerability - 11/07/2003
---------------------------------------------------------------

1. Vulnerability description
2. Impact
3. Notification status
4. Exploit status
5. Contact

---------------------------------------------------------------

1. Vulnerability description

The X Fontserver for Truetype fonts 1.4
(http://developer.berlios.de/projects/xfstt/
<http://freshmeat.net/redir/xfstt/11925/url_homepage/xfstt>) contains
vulnerability
holes which can be initiated remotely.

In xfstt.cc:working() the switch(buf[0]) { .. } statement is very
insecurely
implemented. No boundary checks on any network-received buffers are done.
At least in two cases, namely FS_QueryXExtents8 and FS_QueryXBitmaps8,
it is possible
to arrange a packet which sets 'req->num_ranges' to a very big number
that causes an
array out of boundary access within the next for-loop. This bug leads to
a segmentation
fault of the specific child and might even let an attacker execute
arbitrary code.

2. Impact

It's yet unclear if this bug is exploitable or not. With a specially crafted
packet you can disable/DoS the daemon.

3. Notification status

The Author of xfstt (Guillem Jover) has been notified on May 28, 2003.
There is no
patch available, though version 1.5 is soon to be released.

4. Exploit status

A proof-of-concept DoS exploit exists, albeit unreleased.

5. Contact

era@era-it.ch

---------------------------------------------------------------

Thanks to Jonathan Heusser who originally found this bug.

Next message: Conectiva Updates: "[CLA-2003:695] Conectiva Security Announcement - mpg123"

Previous message: Marek Bialoglowy: "Internet Explorer Full-Screen mode threats"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

DMA[2005-0103a] - William LeFebvre "top" format string vulnerability
... Over four years later the vulnerability ... Recently LeFebvre was notified about the bug ... I'm going to assume that top needs to run setuid to root, ... install top setuid root. ...
(Bugtraq)
[Full-Disclosure] DMA[2005-0103a] - William LeFebvre "top" format string vulnerability
... Over four years later the vulnerability ... Recently LeFebvre was notified about the bug ... I'm going to assume that top needs to run setuid to root, ... install top setuid root. ...
(Full-Disclosure)
[NT] Technical Description of the SSL PCT Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... thorough and detailed analysis of the vulnerability in MS's SSL library is ... the variable N is taken from the packet itself. ... In this context a "valid field value" is one that allows the execution ...
(Securiteam)
[NT] Timbuktu Pro Path Traversal and Log Injection
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Several fields of the packet ... The other bug is a logging file content manipulation vulnerability ... chunk should be set ...
(Securiteam)
Re: [Full-disclosure] iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2
... Looks like this is a Webkit bug, ... Vulnerability Report ... iPhone 3G ... launching the SMS application. ...
(Full-Disclosure)