Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 09 Dec 2014 08:04:35 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Ilja Van Sprundel <ivansprundel@...ctive.com>
Subject: Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues
 in X servers




-------- Original Message --------
Subject: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X servers
Date: Tue, 9 Dec 2014 08:00:35 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
Reply-To: xorg@...ts.freedesktop.org, xorg-devel@...ts.x.org
To: xorg-announce@...ts.x.org
CC: xorg@...ts.x.org, xorg-devel@...ts.x.org,        Ilja Van Sprundel 
<ivansprundel@...ctive.com>

X.Org Security Advisory:  Dec. 9, 2014
Protocol handling issues in X Window System servers
===================================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered
a large number of issues in the way the X server code base handles
requests from X clients, and has worked with X.Org's security team to
analyze, confirm, and fix these issues.

Ilja's talk at the 30th Chaos Communication Congress (30C3) in Hamburg
last year ("X Security: it's worse than it looks") gave a preview of these
issues and discussed the general form of many of these, but did not disclose
the exact details of them.

The vulnerabilities could be exploited to cause the X server to
access uninitialized memory or overwrite arbitrary memory in the X
server process.  This can cause a denial of service (e.g., an X server
segmentation fault), or could be exploited to achieve arbitrary code
execution.

How critical these vulnerabilities are to any given installation depends
on whether they run an X server with root privileges or reduced privileges;
whether they run X servers exposed to network clients or limited to local
connections; and whether or not they allow use of the affected protocol
extensions, especially the GLX extension.

The GLX extension to the X Window System allows an X client to send X
protocol to the X server, to request that the X server perform OpenGL
rendering on behalf of the X client.  This is known as "GLX indirect
rendering", as opposed to "GLX direct rendering" where the X client
submits OpenGL rendering commands directly to the GPU, bypassing the
X server and avoiding the X server code for GLX protocol handling.

Most GLX indirect rendering implementations share some common ancestry,
dating back to "Sample Implementation" code from Silicon Graphics, Inc
(SGI), which SGI originally commercially licensed to other Unix workstation
and graphics vendors, and later released as open source, so those
vulnerabilities may affect other licensees of SGI's code base beyond
those running code from the X.Org Foundation or the XFree86 Project.

The vulnerabilities include:

- denial of service due to unchecked malloc in client authentication

     CVE-2014-8091: In servers built with support for SUN-DES-1 (Secure RPC)
     authentication credentials, an unauthenticated client may be able to
     crash the X server by sending a connection request specifying values
     that cause malloc to fail, causing the authentication routines to
     attempt to write data to the returned NULL pointer.  Since the request
     is limited to an unsigned 16-bit integer for the allocation size, it is
     unlikely to fail unless the server is severely memory constrained.

     Introduced in the initial revision of Secure RPC support in X11R5 (1991).

- integer overflows calculating memory needs for requests

     These calls do not check that their calculations for how much memory
     is needed to handle the client's request have not overflowed, so can
     result in out of bounds reads or writes.  These calls all occur only
     after a client has successfully authenticated itself.

     * CVE-2014-8092: X11 core protocol requests
       Affected functions: ProcPutImage(), GetHosts(), RegionSizeof(),
        REQUEST_FIXED_SIZE()

       Introduced in X11R1 (1987).

     * CVE-2014-8093: GLX extension
       Affected functions: __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(),
        __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(),
        GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(),
        GetMinmax(), GetColorTable(), __glXGetAnswerBuffer(),
        __GLX_GET_ANSWER_BUFFER(), __glXMap1dReqSize(), __glXMap1fReqSize(),
        Map2Size(), __glXMap2dReqSize(), __glXMap2fReqSize(),
        __glXImageSize(), __glXSeparableFilter2DReqSize()

       Originally developed by SGI and licensed to multiple vendors
        prior to SGI open sourcing the code in 1999.
       Included in XFree86 releases starting in XFree86 4.0 (2000).
       Included in X.Org releases starting in X11R6.7 (2004).

     * CVE-2014-8094: DRI2 extension
       Affected functions: ProcDRI2GetBuffers()

       Introduced in xorg-server-1.7.0 (2009).

- out of bounds access due to not validating length or offset values in requests

     These calls do not check that the lengths and/or indexes sent by the
     client are within the bounds specified by the caller or the bounds of
     the memory allocated to hold the request read from the client, so could
     read or write past the bounds of allocated memory while processing the
     request. These calls all occur only after a client has successfully
     authenticated itself.

     * CVE-2014-8095: XInput extension
       Affected functions: SProcXChangeDeviceControl(),
        ProcXChangeDeviceControl(), ProcXChangeFeedbackControl(),
        ProcXSendExtensionEvent(), SProcXIAllowEvents(), SProcXIChangeCursor(),
        ProcXIChangeHierarchy(), SProcXIGetClientPointer(), SProcXIGrabDevice(),
        SProcXIUngrabDevice(), ProcXIUngrabDevice(), SProcXIPassiveGrabDevice(),
        ProcXIPassiveGrabDevice(), SProcXIPassiveUngrabDevice(),
        ProcXIPassiveUngrabDevice(), SProcXListDeviceProperties(),
        SProcXDeleteDeviceProperty(), SProcXIListProperties(),
        SProcXIDeleteProperty(), SProcXIGetProperty(), SProcXIQueryDevice(),
        SProcXIQueryPointer(), SProcXISelectEvents(), SProcXISetClientPointer(),
        SProcXISetFocus(), SProcXIGetFocus(), SProcXIWarpPointer()

       Introduced in X11R4 (1989).

     * CVE-2014-8096: XC-MISC extension
       Affected functions: SProcXCMiscGetXIDList()

       Introduced in X11R6.0 (1994).

     * CVE-2014-8097: DBE extension
       Affected functions: ProcDbeSwapBuffers(), SProcDbeSwapBuffers()

       Introduced in X11R6.1 (1996).

     * CVE-2014-8098: GLX extension
       Affected functions: __glXDisp_Render(), __glXDisp_RenderLarge(),
        __glXDispSwap_VendorPrivate(), __glXDispSwap_VendorPrivateWithReply(),
        set_client_info(), __glXDispSwap_SetClientInfoARB(), DoSwapInterval(),
        DoGetProgramString(), DoGetString(), __glXDispSwap_RenderMode(),
        __glXDisp_GetCompressedTexImage(), __glXDispSwap_GetCompressedTexImage(),
        __glXDisp_FeedbackBuffer(), __glXDispSwap_FeedbackBuffer(),
        __glXDisp_SelectBuffer(), __glXDispSwap_SelectBuffer(),
        __glXDisp_Flush(), __glXDispSwap_Flush(),
        __glXDisp_Finish(), __glXDispSwap_Finish(),
        __glXDisp_ReadPixels(), __glXDispSwap_ReadPixels(),
        __glXDisp_GetTexImage(), __glXDispSwap_GetTexImage(),
        __glXDisp_GetPolygonStipple(), __glXDispSwap_GetPolygonStipple(),
        __glXDisp_GetSeparableFilter(), __glXDisp_GetSeparableFilterEXT(),
        __glXDisp_GetConvolutionFilter(), __glXDisp_GetConvolutionFilterEXT(),
        __glXDisp_GetHistogram(), __glXDisp_GetHistogramEXT(),
        __glXDisp_GetMinmax(), __glXDisp_GetMinmaxEXT(),
        __glXDisp_GetColorTable(), __glXDisp_GetColorTableSGI(),
        GetSeparableFilter(), GetConvolutionFilter(), GetHistogram(),
        GetMinmax(), GetColorTable()

       Originally developed by SGI and licensed to multiple vendors
        prior to SGI open sourcing the code in 1999.
       Included in XFree86 releases starting in XFree86 4.0 (2000).
       Included in X.Org releases starting in X11R6.7 (2004).

     * CVE-2014-8099: XVideo extension
       Affected functions: SProcXvQueryExtension(), SProcXvQueryAdaptors(),
        SProcXvQueryEncodings(), SProcXvGrabPort(), SProcXvUngrabPort(),
        SProcXvPutVideo(), SProcXvPutStill(), SProcXvGetVideo(),
        SProcXvGetStill(), SProcXvPutImage(), SProcXvShmPutImage(),
        SProcXvSelectVideoNotify(), SProcXvSelectPortNotify(),
        SProcXvStopVideo(), SProcXvSetPortAttribute(),
        SProcXvGetPortAttribute(), SProcXvQueryBestSize(),
        SProcXvQueryPortAttributes(), SProcXvQueryImageAttributes(),
        SProcXvListImageFormats()

       Introduced in XFree86 4.0.0 (2000).
       Included in X.Org releases starting in X11R6.7 (2004).

     * CVE-2014-8100: Render extension
       Affected functions: ProcRenderQueryVersion(), SProcRenderQueryVersion(),
        SProcRenderQueryPictFormats(), SProcRenderQueryPictIndexValues(),
        SProcRenderCreatePicture(), SProcRenderChangePicture(),
        SProcRenderSetPictureClipRectangles(), SProcRenderFreePicture(),
        SProcRenderComposite(), SProcRenderScale(), SProcRenderCreateGlyphSet(),
        SProcRenderReferenceGlyphSet(), SProcRenderFreeGlyphSet(),
        SProcRenderFreeGlyphs(), SProcRenderCompositeGlyphs()

       Introduced in XFree86 4.0.1 (2000).
       Included in X.Org releases starting in X11R6.7 (2004).

     * CVE-2014-8101: RandR extension
       Affected functions: SProcRRQueryVersion(), SProcRRGetScreenInfo(),
        SProcRRSelectInput(), SProcRRConfigureOutputProperty()

       Introduced in XFree86 4.2.0 (2002).
       Included in X.Org releases starting in X11R6.7 (2004).

     * CVE-2014-8102: XFixes extension
       Affected functions: SProcXFixesSelectSelectionInput()

       Introduced in X11R6.8.0 (2004).

     * CVE-2014-8103: DRI3 & Present extensions
       Affected functions: sproc_dri3_query_version(), sproc_dri3_open(),
        sproc_dri3_pixmap_from_buffer(), sproc_dri3_buffer_from_pixmap(),
        sproc_dri3_fence_from_fd(), sproc_dri3_fd_from_fence(),
        proc_present_query_capabilities(), sproc_present_query_version(),
        sproc_present_pixmap(), sproc_present_notify_msc(),
        sproc_present_select_input(), sproc_present_query_capabilities()

       Introduced in xorg-server-1.15.0 (2013).


Affected Versions
=================

X.Org believes all versions of the affected functions contain these
flaws, dating back to their introduction.   In the above listings,
we've listed the earliest date of any of the affected functions in
a given protocol or area - some functions listed may not have been
introduced until later versions.

Fixes
=====

Fixes are available in git commits and patches which will be listed
on http://www.x.org/wiki/Development/Security/Advisory-2014-12-09
when this advisory is released.

Fixes are also planned to be included in the xorg-server-1.17.0 and
xorg-server-1.16.3 releases

Other providers of Xserver or GLX implementations based on the same
code base (the X Consortium or X.Org Foundation X sources, or the
SGI GLX sources) will announce the availability of any fixes necessary
for their implementations.

Mitigation
==========

While the fixes cover all the cases currently known to X.Org, these are
not the first issues in this area and are unlikely to be the last.

Users can reduce their exposure to issues similar to the ones in this
advisory via these methods:

     * Configure the X server to prohibit X connections from the network
       by passing the "-nolisten tcp" command line option to the X server.
       Many OS distributions already set this option by default, and it
       will be set by default in the upstream X.Org release starting with
       Xorg 1.17.

     * Disable GLX indirect contexts.  Some implementations have a
       configuration option for this.  In Xorg 1.16 or newer, this can
       be achieved by setting the '-iglx' X server command line option.
       This option will be the default in Xorg 1.17 and later releases.

Consult your operating system's documentation for details on setting X
server command line options, as X servers are started by a variety of
different methods on different platforms (startx, gdm, kdm, xdm, etc.).

Thanks
======

X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our
security team and assisting them in understanding them and evaluating our
fixes, and the following X.Org contributors for developing and reviewing
the fixes, tests, and advisory for these issues, and coordinating the
X.Org response to them:

       Adam Jackson (Red Hat)
       Alan Coopersmith (Oracle)
       Andy Ritger (NVIDIA)
       Julien Cristau (Debian)
       Keith Packard (Intel)
       Michal Srb (SuSE)
       Peter Hutterer (Red Hat)
       Robert Morell (NVIDIA)

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	  X.Org Security Response Team - xorg-security@...ts.x.org




Download attachment "Attached Message Part" of type "application/pgp-signature" (833 bytes)

View attachment "Attached Message Part" of type "text/plain" (151 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.