The X Window System, the foundation of Linux desktops around the world, has existed for more than 20 years and still has bugs. A few days ago, maintainers released patches for the libXfont library to address a newly discovered privilege-escalation vulnerability that has sat in the code for 22 years. The patch was released before an exploit appeared. The vulnerability allows a person logged on to a vulnerable machine to crash the X server, or to execute code of their choosing and become the superuser.
At the Chaos Communication Congress (started in 1984 and sponsored by the German Chaos Computer Club, Europe's largest hacker association, the conference focuses on computer and network security and aims to promote it; in the early years it was mainly attended by hackers who love computers, and it has since attracted scientists, security experts and computer enthusiasts), hundreds of vulnerabilities were discussed in one presentation (the e-mail discussed on X.org is here: http://lists.x.org/archives/xorg-devel/2013-December/039773.html). The latest of them is a stack overflow in font parsing that can be traced back to 1991. This bug still exists in all versions of X11.
The vulnerability is simple and matters mainly on shared computers, but this article only aims to analyze how this kind of security problem arises.
Announcement from X.org: "A BDF font file contains a string that exceeds the expected length, leading to a stack overflow. Testing on an X server built with stack protection: when the server reads a specially crafted font provided by a user, the service crashes immediately." (http://lists.x.org/archives/xorg-announce/2014-January/002389.html)
The problem lies in the bdfReadCharacters() function in the code below (source: http://cgit.freedesktop.org/xorg/lib/libXfont/tree/src/bitmap/bdfread.c).
If you have never seen this bug before, I will explain it in detail. Fonts shown on screen can be saved in BDF format (Glyph Bitmap Distribution Format). For more information, see this document (http://partners.adobe.com/public/developer/en/font/5005.BDF_Spec.pdf). The saved content takes the form of a STARTCHAR 2.1 line followed by the font content. (For more information, see line 1305 of the code.)
If the loaded font contains a short version number, it is normal to load it as a string, for example the version number "2.1" in this article. In the code, this information is copied into the charName character array by calling the sscanf function in bdfread.c (see lines 1302-1308 of the code in the preceding figure). The problem is that sscanf does not limit the length of the string it reads for the version number: it keeps copying data from the file until it encounters a whitespace character. (http://www.cplusplus.com/reference/cstdio/sscanf/ and http://www.cplusplus.com/reference/cctype/isspace/)
The character array charName is defined as a string of only 100 bytes. Therefore, when a BDF font contains a line starting with "STARTCHAR" whose version number exceeds the length of the character array, the excess data is written into other areas of the stack. This means an attacker can overwrite memory and control the processor's instruction pointer when bdfReadCharacters returns, effectively hijacking the program.
Because the X server usually runs with superuser privileges, a successful attack lets an ordinary user execute code with those privileges. For more information about how a stack overflow can be triggered when the system has protection mechanisms in place, see the following two articles.
http://www.exploit-db.com/papers/24085/
http://crypto.stanford.edu/~blynn/rop/
The fix is very simple: the length of the data read is limited to 99 bytes, and the 100th byte is used to hold the terminating NULL.
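The unbounded and bounded sscanf patterns described above, side by side, as an added example that is not libXfont's own code: charName is 100 bytes as in the article, the STARTCHAR lines are constructed samples, and the token-length pre-check is an assumed defender-side helper, not part of the X.org patch.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libXfont's code. charName is 100 bytes as the article
 * describes; the STARTCHAR lines below are constructed samples. */
#define CHARNAME_LEN 100

/* Unpatched shape: "%s" copies until whitespace with no regard for the
 * 100-byte buffer, so an overlong token runs into the rest of the stack.
 * Kept only for comparison; never feed it untrusted input. */
int startchar_unbounded(const char *line, char charName[CHARNAME_LEN])
{
    return sscanf(line, "STARTCHAR %s", charName) == 1;
}

/* Patched shape: "%99s" stores at most 99 bytes and sscanf writes the
 * terminating NUL into the 100th byte. Returns 1 if a token was read. */
int startchar_bounded(const char *line, char charName[CHARNAME_LEN])
{
    return sscanf(line, "STARTCHAR %99s", charName) == 1;
}

/* Defender-side pre-check for a font file line: length of the token that
 * follows STARTCHAR (up to the first whitespace), or -1 if not STARTCHAR. */
long startchar_token_len(const char *line)
{
    if (strncmp(line, "STARTCHAR", 9) != 0) return -1;
    const char *p = line + 9;
    while (*p == ' ' || *p == '\t') p++;
    return (long)strcspn(p, " \t\r\n");
}

/* 1 if the token would not fit the unpatched 100-byte buffer (99 + NUL). */
int startchar_overflows(const char *line)
{
    return startchar_token_len(line) >= CHARNAME_LEN;
}

/* Constructed sample: "STARTCHAR " followed by n 'x' bytes and a newline. */
void build_startchar_line(char *buf, size_t bufsz, size_t n)
{
    const char *prefix = "STARTCHAR ";
    size_t plen = strlen(prefix);
    if (bufsz < plen + n + 2) { buf[0] = '\0'; return; }
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'x', n);
    buf[plen + n] = '\n';
    buf[plen + n + 1] = '\0';
}
```

With a 150-byte token, startchar_overflows reports the unpatched buffer would be overrun while startchar_bounded keeps exactly 99 bytes plus the NUL.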
Statement from X.org:
In all X servers released by X.org, including the Xorg server, libXfont is used to read user-specified font files. It usually runs with root privileges, or is installed setuid-root to allow hardware access. This vulnerability may allow an ordinary user to gain root privileges on some systems.
At the July Chaos Communication Congress, Ilja van Sprundel said he would dig out 120 vulnerabilities within two months. Van Sprundel said: "I haven't found so many yet." Van Sprundel prompted a large batch of security updates from X.org in March, fixing dozens of vulnerabilities, because the client libraries trusted the data sent by the server as valid and performed no integrity checks. (http://lists.x.org/archives/xorg-devel/2013-May/036276.html) The latest vulnerability was discovered with the cppcheck static analysis tool and is named CVE-2013-6462; security updates should be available through every distribution's package management. (For more information about cppcheck, see http://cppcheck.sourceforge.net/)
[Theregister By fubeerf]