Thread-topic: iDefense Security Advisory 01.09.07: Multiple Vendor X Server RenderExtension ProcRenderAddGlyphs Memory Corruption Vulnerability
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, January 10, 2007 12:56 AM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 01.09.07: Multiple Vendor
> X Server RenderExtension ProcRenderAddGlyphs Memory
> Corruption Vulnerability
>
> Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory
> Corruption Vulnerability
>
> iDefense Security Advisory 01.09.07
>
> Jan 09, 2007
>
> I. BACKGROUND
>
> The X Window System is a graphical windowing system based on a
> client/server model. More information about about The X
> Window system is
> available at the following links.
>
>
>
> II. DESCRIPTION
>
> Local exploitation of a memory corruption vulnerability in the
> "ProcRenderAddGlyphs" function in the X.Org and XFree86 X server could
> allow an attacker to execute arbitrary code with privileges of the X
> server, typically root.
>
> This vulnerability specifically lies within the Render extension.
> Insufficient input validation exists when allocating memory for glyph
> management data structures. By sending a specially crafted X protocol
> request to the Render extension, an attacker can cause an exploitable
> memory corruption condition.
>
> III. ANALYSIS
>
> Successful exploitation allows an attacker to execute
> arbitrary as the root
> user. In order to exploit this vulnerability an attacker
> would require the
> ability to send commands to an affected X server. This
> typically requires
> access to the console, or access to the same account as a
> user who is on
> the console. One method of gaining the required access would be to
> remotely exploit a vulnerability in, for example, a graphical
> web browser.
> This would then allow an attacker to exploit this
> vulnerability and elevate
> their privileges to root.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in
> the X.Org
> server version 7.1-1.1.0. Previous versions may also be affected.
>
> V. WORKAROUND
>
> Access to the vulnerable code can be prevented when the
> Render extension is
> not built into the X binary. This can be accomplished by
> removing the entry
> for the Render extension from your X server's configuration
> file, often
> stored in /etc/X11 and named xorg.conf or XF86Config-4. To do
> this, remove
> the following line from the 'Module' section:
>
> Load "render"
>
> This will prevent the Render extension from loading, which
> may affect the
> appearance or operation of some applications.
>
> VI. VENDOR RESPONSE
>
> The X.Org foundation has addressed this vulnerability within
> version 7.2
> RC3 of X.Org's X server. Additionally, patches have been made
> available
> for older releases.
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2006-6101 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 12/04/2006 Initial vendor notification
> 12/05/2006 Initial vendor response
> 01/09/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was discovered by Sean Larsson, iDefense Labs.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at
> the time of publishing based on currently available
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or
> reliance on, this
> information.
>
> _______________________________________________
> To unsubscribe, go here:
>
>
