-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2004.0116 -- iDEFENSE Security Advisory 02.10.04
               XFree86 Font Information File Buffer Overflow
                             11 February 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                XFree86
Publisher:              iDEFENSE
Operating System:       UNIX
                        Linux
                        Mac OS X
                        OS/2
Impact:                 Root Compromise
Access Required:        Existing Account
CVE Names:              CAN-2004-0083

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 02.10.04

XFree86 Font Information File Buffer Overflow
http://www.idefense.com/application/poi/display?id=72
February 10, 2004

I. BACKGROUND

In short, XFree86 is an open source X11-based desktop infrastructure.

XFree86, provides a client/server interface between display hardware 
(the mouse, keyboard, and video displays) and the desktop environment 
while also providing both the windowing infrastructure and a 
standardized application interface (API). XFree86 is platform 
independent, network-transparent and extensible.

II. DESCRIPTION

Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86 
X Window System allows local attackers to gain root privileges.

The problem specifically exists in the parsing of the 'font.alias' file.
The X server (running as root) fails to check the length of user 
provided input. A malicious user may craft a malformed 'font.alias' 
file causing a buffer overflow upon parsing, eventually leading to the 
execution of arbitrary code.

- - - - From XFree86-4.2.1/xc/lib/font/fontfile/dirfile.c: 

ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
{
 char alias[MAXFONTNAMELEN]; 

The above code sets up the buffer that will be exploited directly in 
front of the frame pointer and return address. 

    while (status == Successful) {
       token = lexAlias(file, &lexToken); 

lexAlias() reads an arbitrary length token from file, and returns a 
pointer to it in &lexToken, without performing any bounds checking. 
It then returns NAME when it reaches whitespace. 

       switch (token) {
       case NAME:
         strcpy(alias, lexToken); 

If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow 
occurs. 

To reproduce the overflow on the command line: 

# cat > fonts.dir <<EOF 
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD 

{Some output removed} 

Caught signal 11.

Server aborting...

eip: 41414141 eflags: 00003282

{Some output removed} 

Code: Segmentation fault (core dumped)
# 

III. ANALYSIS

Successful exploitation requires that an attacker be able to execute 
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client 
program such as a web-browser, mail-reader or game. Successful 
exploitation yields root access.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in XFree86 
versions 4.1.0 to the current version 4.3.0. It is suspected that 
earlier versions are vulnerable as well.

V. VENDOR RESPONSE

The patch for the problem is at 
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff and
it is applicable to all affected XFree86 versions.

The change log entry is:

   794. Fix font alias overrun.

See also http://www.xfree86.org/cvs/changes/ for changelog extracts for
the trunk and several branches.  The patch has been applied to the
trunk and all of the 4.x release branches.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project 
has assigned CAN-2004-0083 to this issue.

VII. DISCLOSURE TIMELINE

January 9, 2004		Exploit acquired by iDEFENSE
February 3, 2004 	Vendor notified
February 3, 2004    Response received from David Dawes at XFree86.org
February 4, 2004	iDEFENSE clients notified
February 10, 2004    Public disclosure

VIII. CREDIT

Greg MacManus (iDEFENSE Labs) is credited with the discovery of this 
vulnerability.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCkyufrkky7kqW5PEQLonACfXr39VTFMM0siQ9qQG4ujRXKSTggAoLKi
gdS6+/EbfSpKM3TX1tzCsNfX
=F0Tw
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQCmGeSh9+71yA2DNAQEWJAP/eJa5ApkpmdcxjyDtR/S3g9j8vnOAQbsY
+UuSozOI0CsqzCDGGLDFTaWOspsFWSEvh56+q6RDD7+sSyoHjjUBG+4Y9Nz06VPM
bMFzfsZy4fcsFqfXB+oNaoT8Sr21V1w8z3vK9CXpQzqtSlnkrpwMfFOJngVE39Jc
mZtA4NSSX+8=
=ST1m
-----END PGP SIGNATURE-----