Signature Detail

X11: X.Org X Font Server QueryXBitmaps and QueryXExtents Handlers Integer Overflow

There exists multiple vulnerabilities in the way X.Org Font Server handles incoming QueryXExtents8, QueryXExtents16, QueryXBitmaps8 and QueryXBitmaps1 protocol requests. More specifically, the vulnerability is due to lack of proper validation on the NumberOfRanges field of the mentioned requests. By sending specially crafted requests, an unauthenticated remote attacker can leverage this flaw to execute arbitrary code on the target host with root or System level privileges. In an attack case where code injection is not successful, the affected service will terminate unexpectedly. This will create a denial of service condition of the affected service. In a more sophisticated attack where code injection results in successful process flow diverting, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the running process, normally System.

Extended Description

X.Org X Font Server (XFS) is prone to multiple memory-corruption vulnerabilities, including an integer-overflow issue and a heap-based memory-corruption issue. An attacker could exploit this issue to execute arbitrary code with the privileges of the X Font Server. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: These issues are exploitable remotely only on Solaris operating systems; by default the server is listening on TCP port 7100. For other UNIX-like operating systems, an attacker can exploit these issues only locally. These issues affect X Font Server 1.0.4; prior versions may also be affected.

Affected Products

• Apple Mac OS X 10.4.11
• Apple Mac OS X 10.5
• Apple Mac OS X 10.5.1
• Apple Mac OS X Server 10.4.11
• Apple Mac OS X Server 10.5
• Apple Mac OS X Server 10.5.1
• Avaya Predictive Dialer
• Avaya Proactive Contact
• Debian Linux 3.1.0
• Debian Linux 3.1.0 Alpha
• Debian Linux 3.1.0 Amd64
• Debian Linux 3.1.0 Arm
• Debian Linux 3.1.0 Hppa
• Debian Linux 3.1.0 Ia-32
• Debian Linux 3.1.0 Ia-64
• Debian Linux 3.1.0 M68k
• Debian Linux 3.1.0 Mips
• Debian Linux 3.1.0 Mipsel
• Debian Linux 3.1.0 Ppc
• Debian Linux 3.1.0 S/390
• Debian Linux 3.1.0 Sparc
• Debian Linux 4.0
• Debian Linux 4.0 Alpha
• Debian Linux 4.0 Amd64
• Debian Linux 4.0 Arm
• Debian Linux 4.0 Hppa
• Debian Linux 4.0 Ia-32
• Debian Linux 4.0 Ia-64
• Debian Linux 4.0 M68k
• Debian Linux 4.0 Mips
• Debian Linux 4.0 Mipsel
• Debian Linux 4.0 Powerpc
• Debian Linux 4.0 S/390
• Debian Linux 4.0 Sparc
• Gentoo Linux
• HP HP-UX B.11.11
• HP HP-UX B.11.23
• HP HP-UX B.11.31
• IBM AIX 5.2
• IBM AIX 5.3
• Mandriva Corporate Server 3.0.0
• Mandriva Corporate Server 3.0.0 X86 64
• Mandriva Corporate Server 4.0
• Mandriva Corporate Server 4.0.0 X86 64
• Mandriva Linux Mandrake 2007.0
• Mandriva Linux Mandrake 2007.0 X86 64
• Mandriva Linux Mandrake 2007.1
• Mandriva Linux Mandrake 2007.1 X86 64
• Red Hat Advanced Workstation for the Itanium Processor 2.1.0
• Red Hat Advanced Workstation for the Itanium Processor 2.1.0 IA64
• Red Hat Desktop 4.0.0
• Red Hat Enterprise Linux AS 2.1
• Red Hat Enterprise Linux AS 2.1 IA64
• Red Hat Enterprise Linux AS 3
• Red Hat Enterprise Linux AS 4
• Red Hat Enterprise Linux ES 2.1
• Red Hat Enterprise Linux ES 2.1 IA64
• Red Hat Enterprise Linux ES 3
• Red Hat Enterprise Linux ES 4
• Red Hat Enterprise Linux WS 2.1
• Red Hat Enterprise Linux WS 2.1 IA64
• Red Hat Enterprise Linux WS 3
• Red Hat Enterprise Linux WS 4
• Red Hat Fedora 7
• rPath rPath Linux 1
• Sun Solaris 10 X86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86
• SuSE Linux 10.0 Ppc
• SuSE Linux 10.0 X86
• SuSE Linux 10.0 X86-64
• SuSE Linux 10.1 Ppc
• SuSE Linux 10.1 X86
• SuSE Linux 10.1 X86-64
• SuSE openSUSE 10.2
• SuSE openSUSE 10.3
• SuSE SUSE Linux Enterprise Desktop 10 SP1
• SuSE SUSE Linux Enterprise SDK 10.SP1
• SuSE SUSE Linux Enterprise Server 10 SP1
• X.org xfs 1.0.4

References

• BugTraq: 25898
• CVE: CVE-2007-4568