| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 May 2021 12:22:48 +0000 From: Roman Fiedler <roman.fiedler@...aralleled.eu> To: fulldisclosure@...lists.org Subject: [FD] CVE-2021-31535 libX11 Insufficient Length Checks PoC and Archeology Hello list, A missing length check in libX11 causes data from LookupColor requests mess up the client-server communication protocol and inject malicious X server requests. The flaw is comparable to SQLi injecting commands into database connections granting an attacker access to all features of the connection protocol. Even with the flaw being embedded in the C-API/library, it can be easily demonstrated with a simple PoC run in xterm [1]. On most terminals the PoC will only produce a nice, blue background while with appropriate libX11 and xterm the same PoC disables X server authorization, thus allowing any program to connect to the X server and take over the screen session. For details on exploitation see [2]. The flaw is also interesting in two more ways: 1) for xterm the flaw can be easily detected using fuzzing. So I assume that a) nobody else fuzzed xterm yet, even being that old (less likely) or b) that the flaw was deemed a mere DoS (interruption of X communication) but as it did not involve a buffer overflow, was not seen exploitable or otherwise worth reporting. Even I myself stumbled over it it already years ago but then again forgot about it until doing some testing around other recent rxvt/xterm flaws (CVE-2021-27135). 2) from archeological perspective it would have been interesting to prove and not only assume, since when the bug was really exploitable. At least the code seems to date back quite some time to 1986. But even not from distant past, finding sufficient online resources from that era to revive an ancient system and run an X environment was not yet possible. If it happens that someone still has access to full system backups of an X server system of that time I would be happy to try to turn this into an emulator image and test the exploit. [1] https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/enjoy-all-the-colors.py [2] https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists