X.Org X Font Server Multiple Memory Corruption Vulnerabilities
BID:25898
Info
| Bugtraq ID: | 25898 |
| Class: | Unknown |
| CVE: | CVE-2007-4568 CVE-2007-4990 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 02 2007 12:00AM |
| Updated: | Mar 19 2008 02:10AM |
| Credit: | These vulnerabilities were discovered by Sean Larsson of VeriSign iDefense Labs. |
| Vulnerable: | X.org xfs 1.0.4; SuSE SUSE Linux Enterprise SDK 10.SP1; SuSE SUSE Linux Enterprise Desktop 10 SP1; Sun Solaris 9_x86; Sun Solaris 9; Sun Solaris 8_x86; Sun Solaris 8_sparc; Sun Solaris 10_x86; Sun Solaris 10.0_x86; Sun Solaris 10.0; Sun Solaris 10; S.u.S.E. openSUSE 10.3; S.u.S.E. openSUSE 10.2; S.u.S.E. Linux Enterprise Server 10.SP1; S.u.S.E. Linux 10.1 x86-64; S.u.S.E. Linux 10.1 x86; S.u.S.E. Linux 10.1 ppc; S.u.S.E. Linux 10.0 x86-64; S.u.S.E. Linux 10.0 x86; S.u.S.E. Linux 10.0 ppc; rPath rPath Linux 1; RedHat Enterprise Linux WS 4; RedHat Enterprise Linux WS 3; RedHat Enterprise Linux WS 2.1 IA64; RedHat Enterprise Linux WS 2.1; RedHat Enterprise Linux ES 4; RedHat Enterprise Linux ES 3; RedHat Enterprise Linux ES 2.1 IA64; RedHat Enterprise Linux ES 2.1; RedHat Desktop 4.0; RedHat Advanced Workstation for the Itanium Processor 2.1 IA64; RedHat Advanced Workstation for the Itanium Processor 2.1; Red Hat Fedora 7; Red Hat Enterprise Linux AS 4; Red Hat Enterprise Linux AS 3; Red Hat Enterprise Linux AS 2.1 IA64; Red Hat Enterprise Linux AS 2.1; Mandriva Linux Mandrake 2007.1 x86_64; Mandriva Linux Mandrake 2007.1; Mandriva Linux Mandrake 2007.0 x86_64; Mandriva Linux Mandrake 2007.0; MandrakeSoft Corporate Server 4.0 x86_64; MandrakeSoft Corporate Server 3.0 x86_64; MandrakeSoft Corporate Server 3.0; MandrakeSoft Corporate Server 4.0; IBM AIX 5.3; IBM AIX 5.2; HP HP-UX B.11.31; HP HP-UX B.11.23; HP HP-UX B.11.11; Gentoo Linux; Debian Linux 3.1 sparc; Debian Linux 3.1 s/390; Debian Linux 3.1 ppc; Debian Linux 3.1 mipsel; Debian Linux 3.1 mips; Debian Linux 3.1 m68k; Debian Linux 3.1 ia-64; Debian Linux 3.1 ia-32; Debian Linux 3.1 hppa; Debian Linux 3.1 arm; Debian Linux 3.1 amd64; Debian Linux 3.1 alpha; Debian Linux 3.1; Debian Linux 4.0 sparc; Debian Linux 4.0 s/390; Debian Linux 4.0 powerpc; Debian Linux 4.0 mipsel; Debian Linux 4.0 mips; Debian Linux 4.0 m68k; Debian Linux 4.0 ia-64; Debian Linux 4.0 ia-32; Debian Linux 4.0 hppa; Debian Linux 4.0 arm; Debian Linux 4.0 amd64; Debian Linux 4.0 alpha; Debian Linux 4.0; Avaya Proactive Contact 0; Avaya Predictive Dialer 0; Apple Mac OS X Server 10.5.1; Apple Mac OS X Server 10.4.11; Apple Mac OS X Server 10.5; Apple Mac OS X 10.5.1; Apple Mac OS X 10.4.11; Apple Mac OS X 10.5 |
| Not Vulnerable: | X.org xfs 1.0.5; Apple Mac OS X Server 10.5.2; Apple Mac OS X 10.5.2 |
Discussion
X.Org X Font Server (XFS) is prone to multiple memory-corruption vulnerabilities, including an integer-overflow issue and a heap-based memory-corruption issue.
An attacker could exploit these issues to execute arbitrary code with the privileges of the X Font Server. Failed exploit attempts will likely result in a denial-of-service condition.
NOTE: These issues are exploitable remotely only on Solaris operating systems; by default the server is listening on TCP port 7100. For other UNIX-like operating systems, an attacker can exploit these issues only locally.
These issues affect X Font Server 1.0.4; prior versions may also be affected.
Exploit / POC
The following exploit module, which is reported to work on Solaris 8 and 10 installations, is available for members of the Immunity Partner's program:
https://www.immunityinc.com/downloads/immpartners/xfs_swapchar2b.tgz
Solution / Fix
Solution:
The vendor released an update to address these issues. Please see the references for more information.
Sun Solaris 8_sparc

IBM AIX 5.2
- IBM xfs_ifix.tar
  ftp://aix.software.ibm.com/aix/efixes/security/xfs_ifix.tar
- IBM IZ06001
  http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

IBM AIX 5.3
- IBM xfs_ifix.tar
  ftp://aix.software.ibm.com/aix/efixes/security/xfs_ifix.tar
- IBM IZ06648
  http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

Sun Solaris 10_x86
- Sun 119060-31 x86
  http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-119060-31-1

Sun Solaris 9_x86
- Sun 113924-04 x86
  http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113924-04-1

X.org xfs 1.0.4
- X.org xorg-xfs-1.0.4-query.diff
  ftp://ftp.freedesktop.org/pub/X11R7.3/patches/xorg-xfs-1.0.4-query.diff

Apple Mac OS X 10.4.11
- Apple SecUpd2008-002PPC.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002PPC.dmg
- Apple SecUpd2008-002Univ.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002Univ.dmg

Apple Mac OS X Server 10.4.11
- Apple SecUpdSrvr2008-002PPC.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpdSrvr2008-002PPC.dmg
- Apple SecUpdSrvr2008-002Univ.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpdSrvr2008-002Univ.dmg

Apple Mac OS X 10.5.1
- Apple SecUpd2008-001PPC.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=17381&cat=1&platform=osx&method=sa/SecUpd2008-001PPC.dmg
- Apple SecUpd2008-001Univ.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=17382&cat=57&platform=osx&method=sa/SecUpd2008-001Univ.dmg

Apple Mac OS X Server 10.5.1
References
- X.org Home Page (X.org)
- X.Org security advisory: multiple vulnerabilities in X font server (Matthieu Herrb)
- iDefense Security Advisory 10.02.07: Multiple Vendor X Font Server ([email protected])
- About the security content of Mac OS X 10.5.2 and Security Update 2008-001 (Apple)
- [SECURITY] [DSA 1385-1] New xfs packages fix arbitrary code execution (Debian)
- AIX xfs heap vulnerabilities (IBM)
- ASA-2008-051 HP-UX Running X Font Server(xfs) Software, Remote Execution of Arbi (Avaya)
- Multiple Vendor X Font Server Multiple Vulnerabilities (iDefense Labs)
- RHSA-2008:0029-9 XFree86 security update (Red Hat)
- RHSA-2008:0030-7 xorg-x11 security update (Red Hat)
- Sun Alert ID: 103114 Multiple Security Issues Within The X Font Server (xfs(1)) (Sun Microsystems)