Bug 413791 (CVE-2007-6428) - CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension
Summary: CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6428
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 419451 419461 419481 419501 419521 419531 429125 429126 429127
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-06 11:33 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)
6 users (show)

Fixed In Version: 1.3.0.0-39.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-22 15:31:49 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0029 0 normal SHIPPED_LIVE Important: XFree86 security update 2008-01-19 02:59:54 UTC
Red Hat Product Errata RHSA-2008:0030 0 normal SHIPPED_LIVE Important: xorg-x11 security update 2008-01-19 02:20:50 UTC
Red Hat Product Errata RHSA-2008:0031 0 normal SHIPPED_LIVE Important: xorg-x11-server security update 2008-01-19 01:28:40 UTC

Description Tomas Hoger 2007-12-06 11:33:11 UTC
iDefense reported a vulnerability discovered by regenrecht affecting Xorg X server:

DESCRIPTION

Local exploitation of an information disclosure vulnerability in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to gain access to sensitive
information stored in server memory.

The vulnerable code exists within the ProcGetReservedColormapEntries()
function in the TOG-CUP extension. A 32-bit client supplied value is
taken directly from the request, and then used as an index into an
array. The value located at this index is then stored into a buffer
which is later sent to the client. This allows a client to read memory
from arbitrary locations in server memory.

The vulnerable code is shown below:

From Xext/cup.c:ProcGetReservedColormapEntries()

200  citems[CUP_BLACK_PIXEL].pixel =

201   screenInfo.screens[stuff->screen]->blackPixel;

202  citems[CUP_WHITE_PIXEL].pixel =

203   screenInfo.screens[stuff->screen]->whitePixel;

...

214  for (n = 0, cptr = citems; n < NUM_DESKTOP_COLORS; n++, cptr++) {

215   if (client->swapped) SwapColorItem (cptr);

216   WriteToClient (client, SIZEOF(xColorItem), (char *)cptr);

217  }

On lines 201 and 203, the stuff->screen value (taken from the client),
is used as an array index in the screenInfo.screens array. The value
read is then stored into the citems array. In the for loop below, the
citems array is sent to the client.

ANALYSIS

Exploitation allows an attacker to read arbitrary memory within the X
Server's address space. By itself, the impact of this vulnerability is
minimal. However, when coupled with a code execution vulnerability,
this vulnerability can be used to greatly increase the reliability of
an exploit. Additionally, this vulnerability can be used to crash the
server. If the server automatically restarts, this can be useful since
it resets the state of the server to a known state.

If an X Server is configured to listen for TCP based client connections,
and a client is granted access to create sessions (via the xhosts file),
then the vulnerability can be exploited remotely.

WORKAROUND

If the TOG-CUP extension has not been built-in to the server, then it
can be prevented from loading by inserting the following into the X
configuration file (usually in /etc/X11/xorg.conf):

Section "Module"

        SubSection "extmod"

                Option "omit TOG-CUP"

        EndSubSection

EndSection

To check if the extension is built-in to the server, grep the output of
the X Server log file:

grep built-in /var/log/Xorg.0.log

The result will list all built in extensions. The location of the log
file may need to be changed.

Comment 1 Tomas Hoger 2007-12-06 11:34:55 UTC
Upstream bug report:

  https://bugs.freedesktop.org/show_bug.cgi?id=13523

Comment 8 Yan Tian 2008-01-04 07:14:36 UTC
Verified patch 'freedesktop-bug-13523.patch' was included in
xorg-x11-6.8.2-1.0.2.EL.33, it fixed cup.c file.

Change the status to VERIFIED.



Comment 10 Yan Tian 2008-01-15 09:19:27 UTC
Verified patch 'freedesktop-bug-13523.patch' was excluded from
xorg-x11-6.8.2-1.EL.33.0.1.src.rpm. And the patch 'cve-2007-6428.patch' fixed
cup.c file.

Comment 14 Josh Bressers 2008-01-17 14:48:11 UTC
Lifting embargo:
http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

Comment 16 Fedora Update System 2008-01-22 15:31:39 UTC
xorg-x11-server-1.3.0.0-39.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2008-01-22 15:49:10 UTC
xorg-x11-server-1.3.0.0-15.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.