22-year-old X Windows bug Gets root with newly uncovered flaw


  • 22-year-old X Windows bug Gets root with newly uncovered flaw

    ------------------------
    Last edited by Ice Tea; 07-11-16, 10:16.

  • #2
    Hahaha excellent.

    Good work on the guys for spotting it though



    • #3
      Yeah, not many multi-user X-windows workstations about though really, so not a big deal for most people. Unix systems doing 'real work' generally don't run X anyway. Pretty classic buffer overflow example, so glad I don't have to use C any more.
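    The "classic buffer overflow" pattern referred to above, as an added illustration that is not code from this thread and not libXfont's code: a line-oriented font-file parser that reads a constructed BDF-style "STARTCHAR <name>" record with an unbounded sscanf "%s" into a fixed buffer, beside a bounded version that rejects over-long names. NAME_MAX, the record layout and the sample lines are all assumptions made for the example.

```c
/* Added illustration (not code from the thread or from libXfont): the
 * "classic buffer overflow" pattern in a line-oriented font-file parser,
 * beside a bounded version. Input lines are constructed BDF-style
 * "STARTCHAR <name>" records; NAME_MAX is a deliberately small, made-up limit. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16               /* constructed limit for the glyph-name buffer */
#define STR_(x) #x
#define XSTR(x) STR_(x)           /* turns NAME_MAX into the literal "16" for sscanf */

struct glyph {
    char name[NAME_MAX];
    int  parsed;
};

/* Unsafe pattern: an unbounded "%s" copies the entire token into a fixed-size
 * buffer. A name of NAME_MAX bytes or more writes past g->name, which is a
 * buffer overflow (undefined behaviour; on a stack-allocated struct it
 * overwrites whatever follows on the stack). Shown only for contrast; this is
 * the shape to flag in code review. */
int parse_startchar_unsafe(const char *line, struct glyph *g)
{
    if (sscanf(line, "STARTCHAR %s", g->name) != 1)
        return 0;
    g->parsed = 1;
    return 1;
}

/* Hardened pattern: the width specifier ties the copy to the buffer size, and
 * a one-byte slack buffer lets us tell "exactly fits" from "too long", so an
 * over-long name is rejected instead of silently truncated. */
int parse_startchar_safe(const char *line, struct glyph *g)
{
    char token[NAME_MAX + 1];     /* holds NAME_MAX chars + NUL */

    if (sscanf(line, "STARTCHAR %" XSTR(NAME_MAX) "s", token) != 1)
        return 0;                 /* not a STARTCHAR record */
    if (strlen(token) >= NAME_MAX)
        return 0;                 /* name too long for g->name: reject the record */
    memcpy(g->name, token, strlen(token) + 1);
    g->parsed = 1;
    return 1;
}

/* Returns 1 when the bounded parser accepts the line, 0 otherwise. */
int safe_accepts(const char *line)
{
    struct glyph g;
    memset(&g, 0, sizeof g);
    return parse_startchar_safe(line, &g);
}

/* Length of the accepted glyph name, or -1 if the line was rejected. */
int safe_name_length(const char *line)
{
    struct glyph g;
    memset(&g, 0, sizeof g);
    return parse_startchar_safe(line, &g) ? (int)strlen(g.name) : -1;
}

int main(void)
{
    /* Constructed sample records: a normal one and an over-long one. */
    const char *ok  = "STARTCHAR A";
    const char *bad = "STARTCHAR this_glyph_name_is_far_too_long_for_the_buffer";

    printf("%-60s accepted=%d\n", ok,  safe_accepts(ok));
    printf("%-60s accepted=%d\n", bad, safe_accepts(bad));   /* rejected, no overflow */
    return 0;
}
```

    The design point is that the fix is not only the width specifier: a bare "%15s" would silently truncate a long name and let a malformed file parse as if it were well-formed, so the slack byte plus the explicit length check turns the overflow into a clean parse error.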



      • #4
        Originally posted by andyn:
        Yeah, not many multi-user X-windows workstations about though really, so not a big deal for most people. Unix systems doing 'real work' generally don't run X anyway. Pretty classic buffer overflow example, so glad I don't have to use C any more.
        Plenty of people run Linux desktops these days (and then you have stuff like those who run XBMC on their Raspberry Pi, etc).

        My biggest worry is whether this vulnerability can be exploited via custom web fonts.



        • #5
          Originally posted by cold fusion:
          My biggest worry is whether this vulnerability can be exploited via custom web fonts.
          Good question, but in general I doubt it, as the fonts in those cases would be rendered by the browser software (chromium, firefox) rather than using native X code, and the BDF Format (basically the ancient precursor to PDF) is essentially obsolete and won't even be supported by browsers. Maybe in an X system using a super clunky old web-browser.

          Obviously any kind of exploit which can dump a file into your system wherever the fonts are stored could use this to escalate to root privs, which is the risk, but this vulnerability on its own shouldn't grant access to anyone who doesn't already have access.

          Then again, never say never, only way to be sure is to make sure you get it patched.



          • #6
            Originally posted by andyn:
            Good question, but in general I doubt it, as the fonts in those cases would be rendered by the browser software (chromium, firefox) rather than using native X code, and the BDF Format (basically the ancient precursor to PDF) is essentially obsolete and won't even be supported by browsers. Maybe in an X system using a super clunky old web-browser.
            And how do you think these browsers render their fonts? They often just call the OS-level font APIs. I can't comment about Linux browsers specifically but all OS X browsers use the same Cocoa font libraries. And it's not just fonts that call OS-level APIs; embedded images will call libpng (et al), zlib is used for deflated/gzipped HTTP responses and WebGL used to hook (though this may not be the case any longer) more or less directly into the graphics card drivers (which is why WebGL was marked unstable and insecure on Linux for such a long time).

            Browsers do a lot of sandboxing with their JS compilers, but there's also a lot of trust placed with external libraries.

            Originally posted by andyn:
            Obviously any kind of exploit which can dump a file into your system wherever the fonts are stored could use this to escalate to root privs, which is the risk, but this vulnerability on its own shouldn't grant access to anyone who doesn't already have access.
            The key issue is whether this exploit can be used to execute remote code. The TrueType and OpenType font format has a region of executable bytecode (much like how Java binaries are executable bytecode), which means if this buffer overflow vulnerability affects either of those two font types and allows for data to then be dumped into the bytecode interpreter, you might be able to exploit this to install malware on the desktop (this isn't as far fetched as it sounds either, as an old iOS jailbreak hack exploited a vulnerability with iOS's bytecode interpreter in its TTF font library).

            Originally posted by andyn:
            Then again, never say never, only way to be sure is to make sure you get it patched.
            Indeed.
            Last edited by cold fusion; 09-01-14, 13:59.



            • #7
              In fact you can see the number of external libraries that are called just by checking the browser's binaries. e.g. here's what Firefox calls on my workstation:
              Code:
              $ ldd /usr/lib/firefox/browser/components/libbrowsercomps.so 
                      linux-vdso.so.1 (0x00007fffc8518000)
                      libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f05e2ef5000)
                      libxul.so => /usr/lib/firefox/libxul.so (0x00007f05df8d9000)
                      libmozalloc.so => /usr/lib/firefox/libmozalloc.so (0x00007f05df8d5000)
                      libnspr4.so => /usr/lib/firefox/libnspr4.so (0x00007f05df697000)
                      libgdk-x11-2.0.so.0 => /usr/lib/libgdk-x11-2.0.so.0 (0x00007f05df3e4000)
                      libgdk_pixbuf-2.0.so.0 => /usr/lib/libgdk_pixbuf-2.0.so.0 (0x00007f05df1c0000)
                      libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0x00007f05def6e000)
                      libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0x00007f05dec6e000)
                      libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f05de96a000)
                      libc.so.6 => /usr/lib/libc.so.6 (0x00007f05de5be000)
                      /usr/lib64/ld-linux-x86-64.so.2 (0x00007f05e316e000)
                      libsmime3.so => /usr/lib/firefox/libsmime3.so (0x00007f05de397000)
                      libssl3.so => /usr/lib/firefox/libssl3.so (0x00007f05de163000)
                      libnss3.so => /usr/lib/firefox/libnss3.so (0x00007f05dde58000)
                      libnssutil3.so => /usr/lib/firefox/libnssutil3.so (0x00007f05ddc31000)
                      libXrender.so.1 => /usr/lib/libXrender.so.1 (0x00007f05dda27000)
                      libmozsqlite3.so => /usr/lib/firefox/libmozsqlite3.so (0x00007f05dd942000)
                      libpixman-1.so.0 => /usr/lib/libpixman-1.so.0 (0x00007f05dd697000)
                      libasound.so.2 => /usr/lib/libasound.so.2 (0x00007f05dd3a0000)
                      libplc4.so => /usr/lib/firefox/libplc4.so (0x00007f05dd19a000)
                      libplds4.so => /usr/lib/firefox/libplds4.so (0x00007f05dcf95000)
                      libdbus-glib-1.so.2 => /usr/lib/libdbus-glib-1.so.2 (0x00007f05dcd6e000)
                      libdbus-1.so.3 => /usr/lib/libdbus-1.so.3 (0x00007f05dcb26000)
                      libgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x00007f05dc4f3000)
                      libatk-1.0.so.0 => /usr/lib/libatk-1.0.so.0 (0x00007f05dc2d0000)
                      libgio-2.0.so.0 => /usr/lib/libgio-2.0.so.0 (0x00007f05dbf6d000)
                      libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x00007f05dbd32000)
                      libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00007f05dba92000)
                      libpango-1.0.so.0 => /usr/lib/libpango-1.0.so.0 (0x00007f05db846000)
                      libcairo.so.2 => /usr/lib/libcairo.so.2 (0x00007f05db529000)
                      libstartup-notification-1.so.0 => /usr/lib/libstartup-notification-1.so.0 (0x00007f05db31f000)
                      libX11.so.6 => /usr/lib/libX11.so.6 (0x00007f05dafe3000)
                      libXext.so.6 => /usr/lib/libXext.so.6 (0x00007f05dadd1000)
                      libXt.so.6 => /usr/lib/libXt.so.6 (0x00007f05dab6a000)
                      libgthread-2.0.so.0 => /usr/lib/libgthread-2.0.so.0 (0x00007f05da967000)
                      libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f05da763000)
                      librt.so.1 => /usr/lib/librt.so.1 (0x00007f05da55b000)
                      libm.so.6 => /usr/lib/libm.so.6 (0x00007f05da257000)
                      libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f05da041000)
                      libpangocairo-1.0.so.0 => /usr/lib/libpangocairo-1.0.so.0 (0x00007f05d9e33000)
                      libXinerama.so.1 => /usr/lib/libXinerama.so.1 (0x00007f05d9c30000)
                      libXi.so.6 => /usr/lib/libXi.so.6 (0x00007f05d9a20000)
                      libXrandr.so.2 => /usr/lib/libXrandr.so.2 (0x00007f05d9815000)
                      libXcursor.so.1 => /usr/lib/libXcursor.so.1 (0x00007f05d960a000)
                      libXcomposite.so.1 => /usr/lib/libXcomposite.so.1 (0x00007f05d9407000)
                      libXdamage.so.1 => /usr/lib/libXdamage.so.1 (0x00007f05d9203000)
                      libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0x00007f05d8ffd000)
                      libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0x00007f05d8df9000)
                      libpng16.so.16 => /usr/lib/libpng16.so.16 (0x00007f05d8bc3000)
                      libpcre.so.1 => /usr/lib/libpcre.so.1 (0x00007f05d895d000)
                      libffi.so.6 => /usr/lib/libffi.so.6 (0x00007f05d8755000)
                      libpangoft2-1.0.so.0 => /usr/lib/libpangoft2-1.0.so.0 (0x00007f05d853f000)
                      libz.so.1 => /usr/lib/libz.so.1 (0x00007f05d8329000)
                      libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f05d8111000)
                      libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f05d7ee7000)
                      libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0x00007f05d7cd7000)
                      libEGL.so.1 => /usr/lib/libEGL.so.1 (0x00007f05d7ab4000)
                      libxcb-shm.so.0 => /usr/lib/libxcb-shm.so.0 (0x00007f05d78b1000)
                      libxcb-render.so.0 => /usr/lib/libxcb-render.so.0 (0x00007f05d76a7000)
                      libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00007f05d7487000)
                      libGL.so.1 => /usr/lib/libGL.so.1 (0x00007f05d7229000)
                      libxcb-util.so.1 => /usr/lib/libxcb-util.so.1 (0x00007f05d7024000)
                      libX11-xcb.so.1 => /usr/lib/libX11-xcb.so.1 (0x00007f05d6e21000)
                      libSM.so.6 => /usr/lib/libSM.so.6 (0x00007f05d6c19000)
                      libICE.so.6 => /usr/lib/libICE.so.6 (0x00007f05d69fd000)
                      libharfbuzz.so.0 => /usr/lib/libharfbuzz.so.0 (0x00007f05d67a8000)
                      libxcb-dri2.so.0 => /usr/lib/libxcb-dri2.so.0 (0x00007f05d65a3000)
                      libxcb-xfixes.so.0 => /usr/lib/libxcb-xfixes.so.0 (0x00007f05d639b000)
                      libxcb-shape.so.0 => /usr/lib/libxcb-shape.so.0 (0x00007f05d6197000)
                      libgbm.so.1 => /usr/lib/libgbm.so.1 (0x00007f05d5f90000)
                      libwayland-client.so.0 => /usr/lib/libwayland-client.so.0 (0x00007f05d5d82000)
                      libwayland-server.so.0 => /usr/lib/libwayland-server.so.0 (0x00007f05d5b72000)
                      libglapi.so.0 => /usr/lib/libglapi.so.0 (0x00007f05d594c000)
                      libudev.so.1 => /usr/lib/libudev.so.1 (0x00007f05d5739000)
                      libdrm.so.2 => /usr/lib/libdrm.so.2 (0x00007f05d552d000)
                      libXau.so.6 => /usr/lib/libXau.so.6 (0x00007f05d5329000)
                      libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x00007f05d5122000)
                      libxcb-glx.so.0 => /usr/lib/libxcb-glx.so.0 (0x00007f05d4f0a000)
                      libXxf86vm.so.1 => /usr/lib/libXxf86vm.so.1 (0x00007f05d4d04000)
                      libuuid.so.1 => /usr/lib/libuuid.so.1 (0x00007f05d4afe000)
                      libgraphite2.so.3 => /usr/lib/libgraphite2.so.3 (0x00007f05d48e0000)
              Thankfully there's no libXfont; but that's just Firefox, Chrome might be different.



              • #8
                Thankfully there's no libXfont; but that's just Firefox, Chrome might be different.
                Pretty sure it's not. Which is exactly what I said above.



                • #9
                  Originally posted by andyn:
                  Pretty sure it's not. Which is exactly what I said above.
                  What you said above was that Chrom(e|ium) would be rendering the fonts; it wouldn't. Even if it's not using libXfont, it would be calling something like libfreetype. So either way, it's not going to have its own font engine. So the real question is which font rendering engine are your browsers using?

                  [edit]
                  With regards to Chromium on ArchLinux, the answer is libfreetype. In fact, in retrospect, I'd probably expect most browsers to be using libfreetype considering the type of data modern browsers have to draw (since FreeType paints to bitmap rather than X). But this is a good reminder that modern web browsers have a whole boatload of dependencies which can have their own vulnerabilities (just like the vulnerability we saw in Windows JPEG DLLs about a decade ago, which was thus exploited over the web via browsers).
                  Last edited by cold fusion; 09-01-14, 14:49.



                  • #10
                    Yeah I'm aware that software has dependencies, I am a programmer after all. However my main point was that browsers aren't going to be using the ancient janky old xwindows font rendering code anyway, so this particular issue is unlikely to affect web fonts.



                    • #11
                      Originally posted by andyn:
                      Yeah I'm aware that software has dependencies, I am a programmer after all. However my main point was that browsers aren't going to be using the ancient janky old xwindows font rendering code anyway, so this particular issue is unlikely to affect web fonts.
                      Ahhh right. I get you now.
                      Going by the dependencies of FF and Chromium, it certainly looks as if you're right.
