23-Year-Old X11 Server Security Vulnerability Discovered

← Back to Stories (view on slashdot.org)

23-Year-Old X11 Server Security Vulnerability Discovered

Posted by Unknown on Wednesday January 8, 2014 @03:11AM from the stack-smashing-for-fun-and-profit dept.

An anonymous reader writes "The recent report of X11/X.Org security in bad shape rings more truth today. The X.Org Foundation announced today that they've found a X11 security issue that dates back to 1991. The issue is a possible stack buffer overflow that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5. After the vulnerability being in the code-base for 23 years, it was finally uncovered via the automated cppcheck static analysis utility." There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.

34 of 213 comments (clear)

Min score:

Reason:

Sort:

Many eyes... by Anonymous Coward · 2014-01-08 03:17 · Score: 5, Insightful

...looking elsewhere.
1. Re:Many eyes... by i+kan+reed · 2014-01-08 03:18 · Score: 2, Insightful
  
  The real trick of the "With enough eyes all bugs are shallow" is that the function for "enough eyes" is exponential with respect to lines of code, and open source projects don't actually hit it.
2. Re:Many eyes... by i+kan+reed · 2014-01-08 03:27 · Score: 2
  
  "no project don't actually hit it"
  I think I've found a bug in your perlscript.
3. Re:Many eyes... by grub · 2014-01-08 03:28 · Score: 4, Insightful
  
  "Many eyes" is bogus, "the right eyes" is more appropriate.
  
  --
  Trolling is a art,
4. Re:Many eyes... by Bacon+Bits · 2014-01-08 03:30 · Score: 5, Funny
  
  With enough Perl, all eyes are bleeding.
  
  --
  The road to tyranny has always been paved with claims of necessity.
5. Re:Many eyes... by NoNonAlphaCharsHere · 2014-01-08 03:36 · Score: 4, Funny
  
  With enough Perl, all eyes are bleeding.
  
  Let's see if that's true:
  
  print "$#_ [@_]\n\n";
  
  GAAAAAAAHHHHH!!!!!
  OK, point taken.
6. Re:Many eyes... by hawkinspeter · 2014-01-08 03:57 · Score: 4, Insightful
  
  I'd recommend running the same tool (cppcheck) on the Windows source code before trying to be ironic.
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
7. Re:Many eyes... by hairyfeet · 2014-01-08 04:31 · Score: 2
  
  In reality "many eyes" is a myth because for "many eyes" to work you'd need 1.- Eyes willing to look at the ENTIRE code, since no code is used in a vacuum, 2.- those eyes have to have the years of experience in low level coding so as to be able to even spot the bug, and 3.- Those eyes have to be willing to do keep checking because new releases keep coming and with them new bugs.
  Anyone can do basic math and see how "many eyes" simply cannot work and I'd bet my last buck that if you looked at the logs you'd find the majority of code? Not being looked at by anybody but the guys actually writing the thing. Being FOSS really only gives you ONE major advantage and that is that nobody can just pull the plug, if you need an old version? You can DIY or pay somebody to do it for you. But security wise? Nope, sorry, because OSes are some of the most complex software on the planet and even Torvalds can't tell you with 100% certainty what goes on and what is called when you launch a piece of software, its just too complex with too many interactions.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
8. Re:Many eyes... by garyebickford · 2014-01-08 04:51 · Score: 4, Informative
  
  Actually it was shown back in the late 1970s that it is essentially impossible for 'black box' testing to discover more than about 30% of the bugs in a sufficiently large code base. It's based on the NP-complete problem of following all possible variations of the branches using all possible combinations of input, both valid and invalid. It's fairly easy to build a one page program that can not effectively be completely tested. It was also shown that, given good programming practice, roughly 70% of the bugs are built into the design (before a line of code has been written). Then, finally, a significant number/percentage of bugs are of the sort where it's a judgement call whether it's a bug or a feature.
  Source: I used to run a Software Quality Assurance Workshop for my then-company, and did the research. A few programming practices have changed, and the repertoire of automated tools has greatly increased in both quantity and sophistication, but average program size and the list of asynchronous externalities has ballooned by two or three orders of magnitude, so there we are.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
9. Re:Many eyes... by NotQuiteReal · 2014-01-08 04:57 · Score: 2
  
  "Good" test data is often an issue... in this case, I am sure your test suite includes some "carefully crafted fonts", right?
  
  --
  This issue is a bit more complicated than you think.
10. Re:Many eyes... by garyebickford · 2014-01-08 05:00 · Score: 2
  
  Is this still true? IANA windows person, but I was under the impression that the newer versions of the OS had more and better compartmentalism and enforcement of user space.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
11. Re:Many eyes... by i+kan+reed · 2014-01-08 05:09 · Score: 4, Insightful
  
  It should include bogus fonts with randomized data to test for crashes, data validation, and the like, yes.
12. Re:Many eyes... by ewibble · 2014-01-08 05:16 · Score: 2
  
  Many eyes does work, so much in that it helps a bit, same with static analysis it helps but not perfect and just because you have run your tool over your code does not mean you are safe.
  FLOSS give you the following:
  1. an independent programmer may have looked at it.
  2. nobody can pull the plug.
  3. If it doesn't do what you want you can add it. My favorite.
  4. When a bug does occur they don't generally try to hide the fact.
  FLOSS is no way a guarantee of adequate code, any idiot can write start a project, but from what I have see of closed source code, that is definitely no better.
  E.g. utility function to move a file:
  char buff[256];
  sprintf(buff, "mv %s %s", src, dst);
  system(buff);
  problems ,buffer overruns and moving the file "; rm -rf /" can be problematic. And its was not just a one off either.
  If you are looking for guarantees about code quality just because you are FLOSS you are going to be disappointed.
13. Re:Many eyes... by operagost · 2014-01-08 08:11 · Score: 2
  
  Your reference to a "PDC" and the conspicuous lack of a reference to Active Directory or the SAM (used on standalone servers) tells me your knowledge is a bit out of date... which would explain why your statement is incorrect. Privilege escalations are taken as seriously on Windows as on other modern operating systems. And the SAM has not been particularly vulnerable since encryption (NT 4.0), and the ability to remove LM hashes (present since NT 3.1, default in Vista and 2008) were added. We're not L0PHTcrackin' like it's 1999 anymore.
  
  --
  
  Gamingmuseum.com: Give your 3D accelerator a rest.
14. Re:Many eyes... by garyebickford · 2014-01-08 08:21 · Score: 2
  
  Yes. I've basically argued that C should not be used for application programming in general - device drivers, kernels, maybe some other high performance OS tasks, and the occasional small high performance functions in larger programs.
  I can further argue that the extent to which even those domains need to be in a low-level language like C at present is really a testament to the limitations of compilers - IMHO it is high time to apply AI and machine learning techniques to compiler design and code translation. Watson could do some interesting things with language processing and a good knowledge base. In some cases the top-level symbolic program design could go right to custom silicon.
  It's significant that the 'infamous' APL, a very highly abstracted mostly-functional interpreted language that looks at everything pretty much as arrays, was often as faster at doing things like matrix inversions faster than most compiled implementations in other languages. This is because the interpreter did almost no work, and the underlying code for a given function could be tuned to the very restricted domain that it was operating in, in the assembly language. I believe there was even a microcoded APL interpreter, which would basically make an APL virtual machine.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
The usual clueless submission... by Anonymous Coward · 2014-01-08 03:20 · Score: 3, Interesting

When was the last time you installed a "specially crafted" bdf font from anywhere?
There are *much* worse actual security problems than this one, which in practice, wasn't much of a problem in its day several decades ago, and isn't a problem now...
What's good is that the tools keep improving, and exposing problems...
I sure wish Slashdot's editors would actually apply their brains to submissions, rather than cluttering up slashdot with things that aren't important; there will be security reports that actually matter for people to pay attention to....
1. Re:The usual clueless submission... by NoNonAlphaCharsHere · 2014-01-08 03:26 · Score: 4, Interesting
  
  Granted, there aren't a lot of people going to scurry off and "carefully craft" a font in an obsolete format for a new 0-day 'sploit. Actually, it's the "23-years old" and "discovered by a (new) automated test" parts that are interesting. Possibly even slashworthy.
2. Re:The usual clueless submission... by peppepz · 2014-01-08 03:47 · Score: 5, Informative
  
  Those fonts are read by fontconfig and freetype, while the bug is in the server-side font support, the one where you must run mkfontdir and possibly edit Xorg.conf to install new fonts. I don't think any distribution allows non-root users to do that.
Dangerous function by jones_supa · 2014-01-08 03:24 · Score: 4, Informative

There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.
And watch out for scanf(). There's a reason Microsoft brought scanf_s() and others, which the official C11 standard adopted later too.
1. Re:Dangerous function by Viol8 · 2014-01-08 05:00 · Score: 2
  
  The scanf() suit of functions are pretty horrid regardless of security issues. They never do quite what you expect and have endless little quirks that frankly are just a PITA. 99% of the time its a lot easier to roll your own parsing code than get *scanf() kicking and screaming to do what you want , and with C++ you have streams anyway. Its a pity they weren't just put of their (our?) misery years ago and dumped from the C standard altogether.
Re:Privilege escalation is to the server credentia by i+kan+reed · 2014-01-08 03:24 · Score: 4, Insightful

Root isn't the only kind of vulnerability. Seizing control of peoples' UIs is a pretty big deal(especially as far as phishing or keylogging goes).
Re:scary by Anonymous Coward · 2014-01-08 03:29 · Score: 3, Insightful

Given that you need to be using obsolete 90s bitmap fonts for this to be an issue, and that X11/X.org is never run as root, I'm not sure that "scary" is the word for this (there's a reason it hasn't come up before in the 23 years since it was introduced).
Nonetheless, I'll be upgrading my X.org package just for thoroughness.
Re:Privilege escalation is to the server credentia by 10101001+10101001 · 2014-01-08 03:37 · Score: 5, Informative

Did you actually even bother checking this? No, most modern X11 servers run as root so they can* have hardware access to GLX and DRM. But, please tell me, which distro or OS do you run that runs your X11 server as non-root? Because I'd love to use a system like that.
*Technically, privilege separation is quite possible on these points, which has been done in OpenBSD AFAIK, but very few people use OpenBSD and I think the whole point of your post was about what the vast majority of people use. Otherwise, you're just quibbling over the point without stating it that most people don't run a "modern" X11 server.

--
Eurohacker European paranoia, gun rights, and h
Re:Privilege escalation is to the server credentia by ajdlinux · 2014-01-08 03:39 · Score: 3, Informative

My Debian unstable installation would beg to differ.
$ ps aux [...] root 24768 6.1 0.4 183832 34716 tty7 Ss+ Jan08 14:15 /usr/bin/X :0 vt7 -br -nolisten tcp -auth /var/run/xauth/A:0-86aX4a
Re:scary by Bill,+Shooter+of+Bul · 2014-01-08 03:39 · Score: 2

Not amazed at all. Tools are much better at detecting these kinds of bugs than humans, with out limited stack space. And as time goes on, we build better tools. I'm not really surprised at all that humans aren't spending their time poring over the intricacies of an old font loading section.
Especially not surprised that people aren't looking for local privileged escalation vulnerabilities.
Also not surprised as X's security model has been known to be flawed for years.
http://it.slashdot.org/story/13/12/31/2127243/x11xorg-security-in-bad-shape

--
Well.. maybe. Or Maybe not. But Definitely not sort of.
Re:scary by buchner.johannes · 2014-01-08 03:43 · Score: 5, Insightful
Given that you need to be using obsolete 90s bitmap fonts for this to be an issue, and that X11/X.org is never run as root, I'm not sure that "scary" is the word for this (there's a reason it hasn't come up before in the 23 years since it was introduced).
Correct in principle, except for two remarks:
- X runs as root, and has always. Just like getty.
- If you craft a new bitmap font, running "xset fp+" as a user has the potential to gain you root privileges.
So yes, not "scary". Just a critical security bug.
--
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Go ahead, just TRY a buffer overflow on my VAX by thomasdz · 2014-01-08 03:51 · Score: 4, Funny

I'm running OpenBSD on my VAX. Go ahead. Try to exploit a buffer overflow on my home VAX cluster. If you can, then you deserve a prize because you've learned VAX machine code.

--
Karma: Excellent. 15 moderator points expire sometime.
1. Re:Go ahead, just TRY a buffer overflow on my VAX by Burz · 2014-01-08 04:17 · Score: 3, Funny
  
  I'm tempted but the carbon footprint of the resulting 0wnage would probably be too great.
2. Re:Go ahead, just TRY a buffer overflow on my VAX by danomac · 2014-01-08 06:03 · Score: 3, Funny
  
  Just buy some carbon credits and you'll be back in the green.
Re:scary by PPH · 2014-01-08 04:09 · Score: 5, Insightful

Right. And this is why its so important to have the source code available. Some argue, "Who actually looks at this stuff?" Well, here's an example of someone who did. Not in the classical sense of some aspie code geek reading it by hand. But just feed it to some automated tools and see what pops out.

--
Have gnu, will travel.
Re:Privilege escalation is to the server credentia by drinkypoo · 2014-01-08 04:12 · Score: 3, Informative

Did you actually bother to check on multiple platforms? It's only on FreeBSD that the X server runs on root
drink@alexander:~$ cat /etc/issue Ubuntu 13.10 \n \l
drink@alexander:~$ ps auxw | grep X root 1267 2.3 1.1 348276 96612 tty7 Ss+ Jan05 105:36 /usr/bin/X -core :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
hmm.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Perhaps it's just that I'm ignorant... by TheLink · 2014-01-08 04:15 · Score: 2

And I've long seen that as a stupid design- mixing addresses and data in the same stack. You don't have to do that.
It's funny how Intel/AMD make CPUs with billions of transistors and yet we are still mixing data and program addresses on the same stack.
If you have separate stacks for parameters/data and return addresses, the attacker could clobber other data with data, but the program would still be running its intended code instead of arbitrary code of the attacker's choice - so it's more likely to throw errors or crash rather than get trivially pwned.
Keeping separate stacks might even help with CPU performance - when you know that one stack always contains return addresses it could be easier to do optimization tricks - prefetching, cache prioritizing etc.
Of course you will still be able to exploit certain programs by overflowing and overwriting other parameters - for example a program ends up seeing "OK" in a parameter instead of "NO" and so it does something differently. But hackers won't be able the other common stuff they do nowadays.
--
- Too many replies beneath your current threshold
Re:Qubes OS unlikely to be affected by Burz · 2014-01-08 04:35 · Score: 2

Incorrect. An exploited Qubes X11 has control over only the apps and data assigned to the exploited Xen domain; it would remain blocked from any baremetal administrative functions.
An exploited baremetal Linux/X11 has control over user I/O for everything done by the exploited user, so they are SOL as soon as they try to perform a system-wide admin function.
Keeping sensitive data under different user accounts would provide virtually no protection for threat models that apply to typical desktops.
Re:Privilege escalation is to the server credentia by armanox · 2014-01-08 05:02 · Score: 3, Informative

Really? A quick look at Solaris11, Scientific Linux, and Fedora all say root. If I had my IRIX box up and running I'd bet it would say root too (granted, it's XSGI, not XOrg, so this probably doesn't apply). My HP-UX and AIX boxes don't appear to be running any form of X
From SL 6.4:
[armanox@dionysus ~]$ cat /etc/issue
Scientific Linux release 6.4 (Carbon)
Kernel \r on an \m
[armanox@dionysus ~]$ ps auxw | grep X
root 2413 1.1 0.8 150984 34360 tty1 Ss+ 04:05 8:04 /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-Ms7KTS/database -nolisten tcp vt1
armanox 14804 0.0 0.0 103252 848 pts/2 S+ 15:52 0:00 grep X
[armanox@dionysus ~]$ ps -ef | grep X
root 2413 2410 1 04:05 tty1 00:08:04 /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-Ms7KTS/database -nolisten tcp vt1
armanox 14825 14767 0 15:53 pts/2 00:00:00 grep X
[armanox@dionysus ~]$
and Fedora 18:
[armanox@hecate ~]$ cat /etc/issue
Fedora release 18 (Spherical Cow)
Kernel \r on an \m (\l)
[armanox@hecate ~]$ ps -ef | grep X
root 596 1 0 00:13 ? 00:00:00 /usr/bin/abrt-watch-log -F Backtrace /var/log/Xorg.0.log -- /usr/bin/abrt-dump-xorg -xD
root 935 797 0 00:13 tty1 00:00:18 /usr/bin/Xorg :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-nsglUa/database -seat seat0 -nolisten tcp vt1
armanox 25526 1866 0 11:54 pts/1 00:00:00 grep --color=auto X
[armanox@hecate ~]$
Solaris on Sparc:
Last login: Mon Jan 6 17:28:37 2014 from lab-files-001.l
Oracle Corporation SunOS 5.11 11.0 November 2011
admin@solarisvmsrv1:~$ ps -ef | grep X
root 1308 1303 0 Nov 06 vt/7 102:15 /usr/bin/Xorg :0 -nolisten tcp -br -novtswitch -auth /tmp/gdm-auth-cookies-pEay
admin 41176 41171 0 11:35:42 pts/1 0:00 grep X
admin@solarisvmsrv1:~$

--
I'm starting to think GNU is the problem with "GNU/Linux" these days.