ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 01.09.07: Multiple Vendor X Server RenderExtension ProcRenderAddGlyphs Memory Corruption Vulnerability



> -----Original Message-----
> From: 
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com 
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, January 10, 2007 12:56 AM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 01.09.07: Multiple Vendor 
> X Server RenderExtension ProcRenderAddGlyphs Memory 
> Corruption Vulnerability
> 
> Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory
> Corruption Vulnerability
> 
> iDefense Security Advisory 01.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jan 09, 2007
> 
> I. BACKGROUND
> 
> The X Window System is a graphical windowing system based on a
> client/server model. More information about about The X 
> Window system is
> available at the following links.
> 
> http://en.wikipedia.org/wiki/X_Window_System
> 
> II. DESCRIPTION
> 
> Local exploitation of a memory corruption vulnerability in the
> "ProcRenderAddGlyphs" function in the X.Org and XFree86 X server could
> allow an attacker to execute arbitrary code with privileges of the X
> server, typically root.
> 
> This vulnerability specifically lies within the Render extension.
> Insufficient input validation exists when allocating memory for glyph
> management data structures. By sending a specially crafted X protocol
> request to the Render extension, an attacker can cause an exploitable
> memory corruption condition.
> 
> III. ANALYSIS
> 
> Successful exploitation allows an attacker to execute 
> arbitrary as the root
> user. In order to exploit this vulnerability an attacker 
> would require the
> ability to send commands to an affected X server. This 
> typically requires
> access to the console, or access to the same account as a 
> user who is on
> the console. One method of gaining the required access would be to
> remotely exploit a vulnerability in, for example, a graphical 
> web browser.
> This would then allow an attacker to exploit this 
> vulnerability and elevate
> their privileges to root.
> 
> IV. DETECTION
> 
> iDefense has confirmed the existence of this vulnerability in 
> the X.Org
> server version 7.1-1.1.0. Previous versions may also be affected.
> 
> V. WORKAROUND
> 
> Access to the vulnerable code can be prevented when the 
> Render extension is
> not built into the X binary. This can be accomplished by 
> removing the entry
> for the Render extension from your X server's configuration 
> file, often
> stored in /etc/X11 and named xorg.conf or XF86Config-4. To do 
> this, remove
> the following line from the 'Module' section:
> 
> Load "render"
> 
> This will prevent the Render extension from loading, which 
> may affect the
> appearance or operation of some applications.
> 
> VI. VENDOR RESPONSE
> 
> The X.Org foundation has addressed this vulnerability within 
> version 7.2
> RC3 of X.Org's X server. Additionally, patches have been made 
> available
> for older releases.
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2006-6101 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 12/04/2006  Initial vendor notification
> 12/05/2006  Initial vendor response
> 01/09/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> This vulnerability was discovered by Sean Larsson, iDefense Labs.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2006 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert 
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of 
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be 
> accurate at
> the time of publishing based on currently available 
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or 
> reliance on, this
> information.
> 
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 



 




Copyright © Lexa Software, 1996-2009.