lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <968-1621426968.243226@HQ5l.Xhwc.SHnZ>
Date: Wed, 19 May 2021 12:22:48 +0000
From: Roman Fiedler <roman.fiedler@...aralleled.eu>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2021-31535 libX11 Insufficient Length Checks PoC and
	Archeology

Hello list,

A missing length check in libX11 causes data from LookupColor
requests mess up the client-server communication protocol and
inject malicious X server requests. The flaw is comparable to
SQLi injecting commands into database connections granting an
attacker access to all features of the connection protocol.

Even with the flaw being embedded in the C-API/library, it can
be easily demonstrated with a simple PoC run in xterm [1]. On
most terminals the PoC will only produce a nice, blue background
while with appropriate libX11 and xterm the same PoC disables
X server authorization, thus allowing any program to connect
to the X server and take over the screen session. For details
on exploitation see [2].


The flaw is also interesting in two more ways:

1) for xterm the flaw can be easily detected using fuzzing. So
I assume that a) nobody else fuzzed xterm yet, even being that
old (less likely) or b) that the flaw was deemed a mere DoS
(interruption of X communication) but as it did not involve a
buffer overflow, was not seen exploitable or otherwise worth
reporting. Even I myself stumbled over it it already years ago
but then again forgot about it until doing some testing around
other recent rxvt/xterm flaws (CVE-2021-27135).

2) from archeological perspective it would have been interesting
to prove and not only assume, since when the bug was really exploitable.
At least the code seems to date back quite some time to 1986.
But even not from distant past, finding sufficient online resources
from that era to revive an ancient system and run an X environment
was not yet possible. If it happens that someone still has access
to full system backups of an X server system of that time I would
be happy to try to turn this into an emulator image and test
the exploit.

[1] https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/enjoy-all-the-colors.py
[2] https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ