X11: X.Org X Font Server QueryXBitmaps and QueryXExtents Handlers Integer Overflow

There exists multiple vulnerabilities in the way X.Org Font Server handles incoming QueryXExtents8, QueryXExtents16, QueryXBitmaps8 and QueryXBitmaps1 protocol requests. More specifically, the vulnerability is due to lack of proper validation on the NumberOfRanges field of the mentioned requests. By sending specially crafted requests, an unauthenticated remote attacker can leverage this flaw to execute arbitrary code on the target host with root or System level privileges. In an attack case where code injection is not successful, the affected service will terminate unexpectedly. This will create a denial of service condition of the affected service. In a more sophisticated attack where code injection results in successful process flow diverting, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the running process, normally System.

Extended Description

X.Org X Font Server (XFS) is prone to multiple memory-corruption vulnerabilities, including an integer-overflow issue and a heap-based memory-corruption issue. An attacker could exploit this issue to execute arbitrary code with the privileges of the X Font Server. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: These issues are exploitable remotely only on Solaris operating systems; by default the server is listening on TCP port 7100. For other UNIX-like operating systems, an attacker can exploit these issues only locally. These issues affect X Font Server 1.0.4; prior versions may also be affected.

Affected Products

Suse linux

References

BugTraq: 25898

CVE: CVE-2007-4568

Short Name
X11:XFS-QUERYX
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
X11
Keywords
CVE-2007-4568 Font Handlers Integer Overflow QueryXBitmaps QueryXExtents Server X X.Org and bid:25898
Release Date
10/15/2010
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3339
Port
TCP/7100
False Positive
Unknown
Vendors

Red_hat

Suse

Apple

Gentoo

Sun

Rpath

Avaya

X.org

Mandriva

Debian

Ibm

CVSS Score

6.8

Found a potential security threat?