iDefense reported a vulnerability discovered by regenrecht affecting Xorg X server:

DESCRIPTION

Local exploitation of an information disclosure vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to gain access to sensitive information stored in server memory.

The vulnerable code exists within the ProcGetReservedColormapEntries() function in the TOG-CUP extension. A 32-bit client-supplied value is taken directly from the request and then used as an index into an array. The value located at this index is then stored into a buffer which is later sent to the client. This allows a client to read memory from arbitrary locations in server memory. The vulnerable code is shown below:

From Xext/cup.c:ProcGetReservedColormapEntries()

    200     citems[CUP_BLACK_PIXEL].pixel =
    201         screenInfo.screens[stuff->screen]->blackPixel;
    202     citems[CUP_WHITE_PIXEL].pixel =
    203         screenInfo.screens[stuff->screen]->whitePixel;
    ...
    214     for (n = 0, cptr = citems; n < NUM_DESKTOP_COLORS; n++, cptr++) {
    215         if (client->swapped) SwapColorItem (cptr);
    216         WriteToClient (client, SIZEOF(xColorItem), (char *)cptr);
    217     }

On lines 201 and 203, the stuff->screen value (taken from the client) is used as an array index in the screenInfo.screens array. The value read is then stored into the citems array. In the for loop below, the citems array is sent to the client.

ANALYSIS

Exploitation allows an attacker to read arbitrary memory within the X Server's address space. By itself, the impact of this vulnerability is minimal. However, when coupled with a code execution vulnerability, this vulnerability can be used to greatly increase the reliability of an exploit. Additionally, this vulnerability can be used to crash the server. If the server automatically restarts, this can be useful since it resets the state of the server to a known state.
If an X Server is configured to listen for TCP-based client connections, and a client is granted access to create sessions (via the xhosts file), then the vulnerability can be exploited remotely.

WORKAROUND

If the TOG-CUP extension has not been built into the server, then it can be prevented from loading by inserting the following into the X configuration file (usually in /etc/X11/xorg.conf):

    Section "Module"
        SubSection "extmod"
            Option "omit TOG-CUP"
        EndSubSection
    EndSection

To check if the extension is built into the server, grep the output of the X Server log file:

    grep built-in /var/log/Xorg.0.log

The result will list all built-in extensions. The location of the log file may need to be changed.
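As an added example (not the cup.c code quoted in the advisory and not the vendor patch), the following stand-alone C model shows the check the handler needs before indexing screenInfo.screens: the request's 32-bit screen field is compared against numScreens before any array access, so an out-of-range value gets a BadValue error and nothing is read or sent. ScreenInfo, the request struct and xColorItem here are simplified constructed stand-ins for the server's types.

```c
/* Added example (not cup.c itself): a stand-alone model of the TOG-CUP
 * screen-index check. ScreenInfo, xColorItem and the request layout are
 * simplified stand-ins for the X server types, constructed for this demo. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t CARD32;
enum { Success = 0, BadValue = 2 };          /* X protocol error codes */
enum { CUP_BLACK_PIXEL = 0, CUP_WHITE_PIXEL = 1, NUM_DESKTOP_COLORS = 2 };

typedef struct { CARD32 blackPixel, whitePixel; } ScreenRec;
typedef struct { int numScreens; ScreenRec *screens[4]; } ScreenInfo;
typedef struct { CARD32 screen; } xXcupGetReservedColormapEntriesReq;
typedef struct { CARD32 pixel; } xColorItem;

static ScreenRec screen0 = { 0x000000, 0xffffff };      /* constructed screen */
static ScreenInfo screenInfo = { 1, { &screen0, NULL, NULL, NULL } };

/* Reject any client-supplied screen number outside [0, numScreens).
 * stuff->screen is an unsigned 32-bit value, so comparing it against
 * numScreens converted to CARD32 also rejects values that would be
 * negative if read as a signed int. */
static int validate_screen(CARD32 screen)
{
    if (screen >= (CARD32) screenInfo.numScreens)
        return BadValue;
    return Success;
}

/* Hardened lookup: the check runs before the array index on lines 201/203. */
static int get_reserved_entries(const xXcupGetReservedColormapEntriesReq *stuff,
                                xColorItem citems[NUM_DESKTOP_COLORS])
{
    int rc = validate_screen(stuff->screen);
    if (rc != Success)
        return rc;                       /* nothing read, nothing sent */
    citems[CUP_BLACK_PIXEL].pixel = screenInfo.screens[stuff->screen]->blackPixel;
    citems[CUP_WHITE_PIXEL].pixel = screenInfo.screens[stuff->screen]->whitePixel;
    return Success;
}

int main(void)
{
    xColorItem items[NUM_DESKTOP_COLORS] = { {0}, {0} };
    xXcupGetReservedColormapEntriesReq good = { 0 }, bad = { 0x7fffffff };
    printf("screen 0 -> %d, black=%#x white=%#x\n",
           get_reserved_entries(&good, items), items[0].pixel, items[1].pixel);
    printf("screen 0x7fffffff -> %d (BadValue=%d)\n", get_reserved_entries(&bad, items), BadValue);
    return 0;
}
```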
Upstream bug report: https://bugs.freedesktop.org/show_bug.cgi?id=13523
Verified patch 'freedesktop-bug-13523.patch' was included in xorg-x11-6.8.2-1.0.2.EL.33; it fixed the cup.c file. Change the status to VERIFIED.
Verified patch 'freedesktop-bug-13523.patch' was excluded from xorg-x11-6.8.2-1.EL.33.0.1.src.rpm, and the patch 'cve-2007-6428.patch' fixed the cup.c file.
Lifting embargo: http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
xorg-x11-server-1.3.0.0-39.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
xorg-x11-server-1.3.0.0-15.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0031.html
http://rhn.redhat.com/errata/RHSA-2008-0030.html
http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0831
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0760