xfree86 - buffer overflows, denial of service

Four vulnerabilities have been discovered in XFree86.

• CAN-2003-0063

• xterm window title reporting escape sequence can deceive user

The xterm package provides a terminal escape sequence that reports
the window title by injecting it into the input buffer of the
terminal window, as if the user had typed it. An attacker can craft
an escape sequence that sets the title of a victim’s xterm window to
an arbitrary string (such as a shell command) and then reports that
title. If the victim is at a shell prompt when this is done, the
injected command will appear on the command line, ready to be run.
Since it is not possible to embed a carriage return in the window
title, the attacker would have to convince the victim to press Enter
(or rely upon the victim’s careless or confusion) for the shell or
other interactive process to interpret the window title as user
input. It is conceivable that the attacker could craft other escape
sequences that might convince the victim to accept the injected
input, however. The Common Vulnerabilities and Exposures project at
cve.mitre.org has assigned the name
CAN-2003-0063
to this issue.

To determine whether your version of xterm is vulnerable to abuse of
the window title reporting feature, run the following command at a
shell prompt from within an xterm window:

echo -e “\e[21t”

(The terminal bell may ring, and the window title may be prefixed
with an “l”.)

This flaw is exploitable by anything that can send output to a
terminal window, such as a text document. The xterm user has to
take action to cause the escape sequence to be sent, however (such
as by viewing a malicious text document with the “cat” command).
Whether you are likely to be exposed to it depends on how you use
xterm. Consider the following:

echo -e ‘\e]2;s && echo rm -rf *\a’ > /tmp/sploit
echo -e ‘\e[21t’ >> /tmp/sploit
cat /tmp/sploit

Debian has resolved this problem by disabling the window title
reporting escape sequence in xterm; it is understood but ignored.
The escape sequence to set the window title has not been disabled.

A future release of the xterm package will have a configuration
option to permit the user to turn the window title reporting feature
back on, but it will default off.

• CAN-2003-0071

• xterm susceptible to DEC UDK escape sequence denial-of-service attack

The xterm package, since it emulates DEC VT-series text terminals,
emulates a feature of DEC VT terminals known as “User-Defined Keys”
(UDK for short). There is a bug in xterm’s handling of DEC UDK
escape sequences, however, and an ill-formed one can cause the xterm
process to enter a tight loop. This causes the process to “spin”,
consuming CPU cycles uselessly, and refusing to handle signals (such
as efforts to kill the process or close the window).

To determine whether your version of xterm is vulnerable to this
attack, run the following command at a shell prompt from within a
“sacrificial” xterm window (i.e., one that doesn’t have anything in
the scrollback buffer you might need to see later):

echo -e “\eP0;0|0A/17\x9c”

This flaw is exploitable by anything that can send output to a
terminal window, such as a text document. The xterm user has to
take action to cause the escape sequence to be sent, however (such
as by viewing a malicious text document with the “cat” command).
Whether you are likely to be exposed to it depends on how you use
xterm.

Debian has resolved this problem by backporting an upstream fix
to XFree86 4.1.0.

• CAN-2002-0164

• flaw in X server’s MIT-SHM extension permits user owning X session to read
  and write arbitrary shared memory segments

Most X servers descended from the MIT/X Consortium/X.Org Sample
Implementation, including XFree86’s X servers, support an extension
to the X protocol called MIT-SHM, which enables X clients running on
the same host as the X server to operate more quickly and
efficiently by taking advantage of an operating system feature
called shared memory where it is available. The Linux kernel, for
example, supports shared memory.

Because the X server runs with elevated privileges, the operating
system’s built-in access control mechanisms are ineffective to
police the X server’s usage of segments of shared memory. The X
server has to implement its own access control. This was
imperfectly done in previous releases of XFree86 (and the MIT/X
Consortium/X.Org Sample Implementation before it), leaving
opportunities for malicious X clients to read and alter shared
memory segments to which they should not have access. The Common
Vulnerabilities and Exposures project at cve.mitre.org has assigned
the name
CAN-2002-0164
to this issue.

Debian’s XFree86 4.1.0-16 packages shipped with an incomplete fix
for the this flaw, only enforcing proper access control for X
servers that were not started by a display manager (e.g., xdm).
This update resolves that problem.

The Debian Project knows of no exploits for this vulnerability. A
malicious X client that abused the MIT-SHM extension could
conceivably be written however, and run (deliberately or
unwittingly) by a user able to run an X server on a host. The
impact of this flaw depends on how shared memory is used on the
system. See the ipcs(8) manual page for more information.

Debian has resolved this problem by backporting an upstream fix to
XFree86 4.1.0.

• CAN-2003-0730

• multiple integer overflows in the font libraries for XFree86 allow local or
  remote attackers to cause a denial of service or execute arbitrary code via
  heap-based and stack-based buffer overflow attacks

Security researcher “blexim” wrote [paraphrased]:

>
> I have identified several bugs in the font libraries of the
> current version of the XFree86 source code. These bugs could
> potentially lead to the execution of arbitrary code by a remote
> user in any process which calls the functions in question. The
> functions are related to the transfer and enumeration of fonts
> from font servers to clients, limiting the range of the exposure
> caused by these bugs.
>
>
> Specifically, several sizing variables passed from a font server
> to a client are not adequately checked, causing calculations on
> them to result in erroneous values. These erroneous calculations
> can lead to buffers on the heap and stack overflowing, potentially
> leading to arbitrary code execution. As stated before, the risk
> is limited by the fact that only clients can be affected by these
> bugs, but in some (non-default) configurations, both xfs and the X
> server can act as clients to remote font servers. In these
> configurations, both xfs and the X server could be potentially
> compromised.
>
>
>

The Common Vulnerabilities and Exposures project at cve.mitre.org
has assigned the name
CAN-2003-0730
to this issue.

The Debian Project knows of no exploits for this vulnerability. By
default in Debian, X servers are configured to listen only to a
locally-running font server, which is not even used if the xfs
package is not installed. The Debian default configuration of xfs
uses only font directories on the local host, and does not attempt
to connect to any external font servers.

Debian has resolved this problem by backporting an upstream fix to
XFree86 4.1.0.

All of the above problems also affect the xfree86v3 packages (in the
case of the first two flaws, the xterm source code contains the flaws,
but no xterm package is produced). Due to resource limitations and a
lack of upstream support for this legacy code, Debian is unable to
continue supporting version 3.3.6 of XFree86. To avoid exposure to
the latter two flaws in this advisory, we recommend that you remove
the following packages if you have them installed:

• xserver-3dlabs
• xserver-8514
• xserver-agx
• xserver-common-v3
• xserver-fbdev
• xserver-i128
• xserver-mach32
• xserver-mach64
• xserver-mach8
• xserver-mono
• xserver-p9000
• xserver-s3
• xserver-s3v
• xserver-svga
• xserver-tga
• xserver-vga16
• xserver-w32

(You may also wish to remove the xext, xlib6, and xlib6-altdev packages,
as support for them is being terminated along with the rest of the
XFree86 3.3.6 packages, though they are not affected by the flaws in
this advisory.)

For the stable distribution (woody) these problems have been fixed in
version 4.1.0-16woody1.

For the unstable distribution (sid) all problems except
CAN-2003-0730
are fixed in version 4.2.1-11.
CAN-2003-0730
will be fixed in 4.2.1-12, currently in preparation.

We recommend that you update your xfree86 package.