Bug 413791 - (CVE-2007-6428) CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Whiteboard: source=vendorsec,reported=20071204,pu...
Keywords: Security
Depends On: 419451 419461 419481 419501 419521 419531 429125 429126 429127
Reported: 2007-12-06 06:33 EST by Tomas Hoger
Modified: 2016-06-17 17:08 EDT
Fixed In Version: 1.3.0.0-39.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-22 10:31:49 EST

Description Tomas Hoger 2007-12-06 06:33:11 EST
iDefense reported a vulnerability discovered by regenrecht affecting Xorg X server:

DESCRIPTION

Local exploitation of an information disclosure vulnerability in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to gain access to sensitive
information stored in server memory.

The vulnerable code exists within the ProcGetReservedColormapEntries()
function in the TOG-CUP extension. A 32-bit client supplied value is
taken directly from the request, and then used as an index into an
array. The value located at this index is then stored into a buffer
which is later sent to the client. This allows a client to read memory
from arbitrary locations in server memory.

The vulnerable code is shown below:

From Xext/cup.c:ProcGetReservedColormapEntries()

200  citems[CUP_BLACK_PIXEL].pixel =
201   screenInfo.screens[stuff->screen]->blackPixel;
202  citems[CUP_WHITE_PIXEL].pixel =
203   screenInfo.screens[stuff->screen]->whitePixel;
...
214  for (n = 0, cptr = citems; n < NUM_DESKTOP_COLORS; n++, cptr++) {
215   if (client->swapped) SwapColorItem (cptr);
216   WriteToClient (client, SIZEOF(xColorItem), (char *)cptr);
217  }

On lines 201 and 203, the stuff->screen value (taken from the client),
is used as an array index in the screenInfo.screens array. The value
read is then stored into the citems array. In the for loop below, the
citems array is sent to the client.

ANALYSIS

Exploitation allows an attacker to read arbitrary memory within the X
Server's address space. By itself, the impact of this vulnerability is
minimal. However, when coupled with a code execution vulnerability,
this vulnerability can be used to greatly increase the reliability of
an exploit. Additionally, this vulnerability can be used to crash the
server. If the server automatically restarts, this can be useful since
it resets the state of the server to a known state.

If an X Server is configured to listen for TCP based client connections,
and a client is granted access to create sessions (via the xhosts file),
then the vulnerability can be exploited remotely.

WORKAROUND

If the TOG-CUP extension has not been built-in to the server, then it
can be prevented from loading by inserting the following into the X
configuration file (usually in /etc/X11/xorg.conf):

Section "Module"
        SubSection "extmod"
                Option "omit TOG-CUP"
        EndSubSection
EndSection

To check if the extension is built-in to the server, grep the output of
the X Server log file:

grep built-in /var/log/Xorg.0.log

The result will list all built in extensions. The location of the log
file may need to be changed.
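
The missing check described in the advisory above, as an added example that is not part of the advisory, this bug report or the upstream patch: a simplified model in which the client-supplied screen number is validated against the number of configured screens before it is used as an array index. The Model* types, the MODEL_* constants and the numScreens field are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the X server structures. Only the field names
 * screens, blackPixel and whitePixel come from the quoted code; every
 * Model* name and MODEL_* constant is an assumption made for this example. */
#define MODEL_MAX_SCREENS 16
#define MODEL_SUCCESS     0
#define MODEL_BAD_VALUE   2

typedef struct { uint32_t blackPixel, whitePixel; } ModelScreen;
typedef struct {
    int          numScreens;                  /* screens actually configured */
    ModelScreen *screens[MODEL_MAX_SCREENS];
} ModelScreenInfo;
typedef struct { uint32_t black, white; } ModelReply;

/* Reject the client-supplied 32-bit screen number unless it indexes a
 * configured screen. The comparison is unsigned, so 0xFFFFFFFF is refused. */
int model_get_reserved_entries(const ModelScreenInfo *info,
                               uint32_t client_screen, ModelReply *out)
{
    const ModelScreen *s;
    if (info->numScreens < 0 || info->numScreens > MODEL_MAX_SCREENS)
        return MODEL_BAD_VALUE;
    if (client_screen >= (uint32_t)info->numScreens)
        return MODEL_BAD_VALUE;               /* nothing is read or copied */
    s = info->screens[client_screen];
    if (s == NULL) return MODEL_BAD_VALUE;
    out->black = s->blackPixel;
    out->white = s->whitePixel;
    return MODEL_SUCCESS;
}

/* Constructed sample state with two screens. */
int model_demo(uint32_t client_screen, ModelReply *out)
{
    static ModelScreen s0 = { 0x000000, 0xFFFFFF };
    static ModelScreen s1 = { 0x000001, 0xFFFFFE };
    ModelScreenInfo info = { 2, { &s0, &s1 } };
    return model_get_reserved_entries(&info, client_screen, out);
}

int main(void)
{
    ModelReply r = { 0, 0 };
    printf("screen 0xFFFFFFFF -> status %d\n", model_demo(0xFFFFFFFFu, &r));
    return 0;
}
```
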
Comment 1 Tomas Hoger 2007-12-06 06:34:55 EST
Upstream bug report:

  https://bugs.freedesktop.org/show_bug.cgi?id=13523
Comment 8 Yan Tian 2008-01-04 02:14:36 EST
Verified patch 'freedesktop-bug-13523.patch' was included in
xorg-x11-6.8.2-1.0.2.EL.33, it fixed cup.c file.

Change the status to VERIFIED.

Comment 10 Yan Tian 2008-01-15 04:19:27 EST
Verified patch 'freedesktop-bug-13523.patch' was excluded from
xorg-x11-6.8.2-1.EL.33.0.1.src.rpm. And the patch 'cve-2007-6428.patch' fixed
cup.c file.
Comment 14 Josh Bressers 2008-01-17 09:48:11 EST
Lifting embargo:
http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
Comment 16 Fedora Update System 2008-01-22 10:31:39 EST
xorg-x11-server-1.3.0.0-39.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2008-01-22 10:49:10 EST
xorg-x11-server-1.3.0.0-15.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
