Slashdot Mirror


23-Year-Old X11 Server Security Vulnerability Discovered

An anonymous reader writes "The recent report of X11/X.Org security in bad shape rings more truth today. The X.Org Foundation announced today that they've found an X11 security issue that dates back to 1991. The issue is a possible stack buffer overflow that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5. After being in the code base for 23 years, the vulnerability was finally uncovered via the automated cppcheck static analysis utility." There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.

15 of 213 comments

  1. Many eyes... by Anonymous Coward · · Score: 5, Insightful

    ...looking elsewhere.

    1. Re:Many eyes... by grub · · Score: 4, Insightful

      "Many eyes" is bogus, "the right eyes" is more appropriate.

      --
      Trolling is a art,
    2. Re:Many eyes... by Bacon+Bits · · Score: 5, Funny

      With enough Perl, all eyes are bleeding.

      --
      The road to tyranny has always been paved with claims of necessity.
    3. Re:Many eyes... by NoNonAlphaCharsHere · · Score: 4, Funny

      With enough Perl, all eyes are bleeding.

      Let's see if that's true:

      print "$#_ [@_]\n\n";

      GAAAAAAAHHHHH!!!!!
      OK, point taken.

    4. Re:Many eyes... by hawkinspeter · · Score: 4, Insightful

      I'd recommend running the same tool (cppcheck) on the Windows source code before trying to be ironic.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    5. Re:Many eyes... by garyebickford · · Score: 4, Informative

      Actually it was shown back in the late 1970s that it is essentially impossible for 'black box' testing to discover more than about 30% of the bugs in a sufficiently large code base. It's based on the NP-complete problem of following all possible variations of the branches using all possible combinations of input, both valid and invalid. It's fairly easy to build a one page program that cannot effectively be completely tested. It was also shown that, given good programming practice, roughly 70% of the bugs are built into the design (before a line of code has been written). Then, finally, a significant number/percentage of bugs are of the sort where it's a judgement call whether it's a bug or a feature.

      Source: I used to run a Software Quality Assurance Workshop for my then-company, and did the research. A few programming practices have changed, and the repertoire of automated tools has greatly increased in both quantity and sophistication, but average program size and the list of asynchronous externalities has ballooned by two or three orders of magnitude, so there we are.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    6. Re:Many eyes... by i+kan+reed · · Score: 4, Insightful

      It should include bogus fonts with randomized data to test for crashes, data validation, and the like, yes.

  2. Dangerous function by jones_supa · · Score: 4, Informative

    There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.

    And watch out for scanf(). There's a reason Microsoft brought scanf_s() and others, which the official C11 standard adopted later too.
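    Added example, not code from the thread or from X.Org: a bounded replacement for the unchecked scanf pattern jones_supa describes, parsing a BDF-style FONT line into a fixed buffer and reporting truncation instead of writing past the end. The field size, line shape and function name are assumptions.

```c
/* Added example (not from the thread or the X.Org code base).
 * The pattern warned about above looks like:
 *     char name[64]; sscanf(line, "%s", name);
 * A token longer than 63 bytes overflows `name` on the stack.
 * Here the width is derived from the buffer size and a trailing
 * "%c" reveals whether the token was cut short. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64  /* assumed fixed field size, as in an old parser */

/* Parse "FONT <name>" from a BDF-style line into `out` (size `outlen`).
 * Returns 1 on success, 0 if the line is not a FONT line or has no
 * name, -1 if the name does not fit in `out` (overlong token). */
int parse_font_line(const char *line, char *out, size_t outlen)
{
    char fmt[32];
    char tail = '\n';   /* character following the bounded token, if any */
    int n;

    if (outlen < 2)
        return -1;
    /* Build e.g. "FONT %63s%c": the width leaves room for the NUL. */
    snprintf(fmt, sizeof fmt, "FONT %%%us%%c", (unsigned)(outlen - 1));
    n = sscanf(line, fmt, out, &tail);
    if (n < 1)
        return 0;   /* keyword mismatch, or keyword with no token */
    /* If something other than whitespace follows, the token was longer
     * than the buffer: treat it as an error rather than silently truncate. */
    if (n == 2 && tail != '\n' && tail != '\r' && tail != ' ' && tail != '\t')
        return -1;
    return 1;
}

int main(void)
{
    /* Constructed sample lines in the style of a BDF header. */
    const char *lines[] = {
        "FONT -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso8859-1\n",
        "SIZE 13 75 75\n",
        "FONT " "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n",
    };
    char name[NAME_MAX_LEN];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("line %zu -> %d\n", i, parse_font_line(lines[i], name, sizeof name));
    return 0;
}
```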

  3. Re:Privilege escalation is to the server credentia by i+kan+reed · · Score: 4, Insightful

    Root isn't the only kind of vulnerability. Seizing control of people's UIs is a pretty big deal (especially as far as phishing or keylogging goes).

  4. Re:The usual clueless submission... by NoNonAlphaCharsHere · · Score: 4, Interesting

    Granted, there aren't a lot of people going to scurry off and "carefully craft" a font in an obsolete format for a new 0-day 'sploit. Actually, it's the "23-years old" and "discovered by a (new) automated test" parts that are interesting. Possibly even slashworthy.

  5. Re:Privilege escalation is to the server credentia by 10101001+10101001 · · Score: 5, Informative

    Did you actually even bother checking this? No, most modern X11 servers run as root so they can* have hardware access to GLX and DRM. But, please tell me, which distro or OS do you run that runs your X11 server as non-root? Because I'd love to use a system like that.

    *Technically, privilege separation is quite possible on these points, which has been done in OpenBSD AFAIK, but very few people use OpenBSD and I think the whole point of your post was about what the vast majority of people use. Otherwise, you're just quibbling over the point without stating it that most people don't run a "modern" X11 server.

    --
    Eurohacker European paranoia, gun rights, and h
  6. Re:scary by buchner.johannes · · Score: 5, Insightful

    Given that you need to be using obsolete 90s bitmap fonts for this to be an issue, and that X11/X.org is never run as root, I'm not sure that "scary" is the word for this (there's a reason it hasn't come up before in the 23 years since it was introduced).

    Correct in principle, except for two remarks:

    • X runs as root, and has always. Just like getty.
    • If you craft a new bitmap font, running "xset fp+" as a user has the potential to gain you root privileges.

    So yes, not "scary". Just a critical security bug.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  7. Re:The usual clueless submission... by peppepz · · Score: 5, Informative

    Those fonts are read by fontconfig and freetype, while the bug is in the server-side font support, the one where you must run mkfontdir and possibly edit Xorg.conf to install new fonts. I don't think any distribution allows non-root users to do that.

  8. Go ahead, just TRY a buffer overflow on my VAX by thomasdz · · Score: 4, Funny

    I'm running OpenBSD on my VAX. Go ahead. Try to exploit a buffer overflow on my home VAX cluster. If you can, then you deserve a prize because you've learned VAX machine code.

    --
    Karma: Excellent. 15 moderator points expire sometime.
  9. Re:scary by PPH · · Score: 5, Insightful

    Right. And this is why it's so important to have the source code available. Some argue, "Who actually looks at this stuff?" Well, here's an example of someone who did. Not in the classical sense of some aspie code geek reading it by hand. But just feed it to some automated tools and see what pops out.

    --
    Have gnu, will travel.