X Window System
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01543321
Version: 1
HPSBUX02381 SSRT080083 rev.1 - HP-UX Running Xserver, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-11-03
Last Updated: 2008-11-03
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of multiple integer overflow vulnerabilities in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code with
the privileges of the X server, typically root.
One vulnerability exists within the EVI extension. When processing a
request, the server uses a 32-bit value provided by the client in an
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of an information disclosure vulnerability in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to gain access to sensitive
information stored in server memory.
The vulnerable code exists within the TOG-CUP extension. A 32-bit client
supplied value is taken directly from the request, and then used as an
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of multiple memory corruption vulnerabilities in the
X.Org X server, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the X server, typically root.
Vulnerable code exists within multiple functions in the XInput
extension. By sending specially crafted X11 requests, an attacker is
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of an invalid array index vulnerability in the X.Org
X server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code with
the privileges of the X server, typically root.
The vulnerability exists within the XFree86-Misc extension. When
processing a request, a 32-bit value from the client's request is used
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: X.Org X Server: Multiple vulnerabilities
Date: October 22, 2011
Bugs: #387069
ID: 201110-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I. BACKGROUND
The X Window System is a graphical windowing system based on a
client/server model. The Render extension is used to provide
Porter-Duff image compositing for the X server. It is built into many X
servers by default, and loaded as a default module when it is not. For
more information, see the vendor's site found at the following link.
http://en.wikipedia.org/wiki/X_Window_System
CVE Name: CVE-2008-1000
*Vulnerability Description*
MacOS X Server 10.5 [1], also known as Leopard Server features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files on locations in the server filesystem, restricted
only by privileges of the Wiki Server application.
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of an information disclosure vulnerability in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to gain access to sensitive
information stored in server memory.
The vulnerability exists when creating a Pixmap in the fbShmPutImage()
function. The width and height of the Pixmap, which are controlled by
III. AFFECTED PRODUCTS
---------------------------
Apple Safari version 4.0.5 and prior
(Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server
v10.6.2 and later, Windows 7, Vista, XP SP2 and later, iPhone)
============
DragonFlyBSD 1.12.0 is the first BSD operating system to roll out a
solution to the IPv4 issue as part of the official version.
Apple MacOS X 10.5.2, MacOS X Server 10.5.2, Darwin 9.2
(all sharing the same kernel: xnu-1228.3.13)
=======================================================
Apple did NOT fix the predictable IP ID issue in its products
(in Leopard 10.5.2).
operating system, other versions may be also affected.
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
DETAILS
I. BACKGROUND
The X Window System is a graphical windowing system based on a
client/server model. The Render extension is used to provide
Porter-Duff image compositing for the X server. It is built into many X
servers by default and loaded as a default module when it is not. For
more information, see the vendor's site found at the following link.
http://en.wikipedia.org/wiki/X_Window_System
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of multiple memory corruption vulnerabilities in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code with
the privileges of the X server, typically root.
Multiple vulnerabilities are present in the Record and Security
extensions. In both cases, untrusted values are taken from a client
Vendor: Apple Inc., http://www.apple.com
Affected Products: CoreServices Framework’s CarbonCore Framework
(Used by: i.e. Safari, Mail)
Affected Platforms:
Mac OS X v10.4.11
Mac OS X Server v10.4.11
Mac OS X v10.5.4
Mac OS X Server v10.5.4
Vulnerability: Arbitrary Code Execution (remote)
Risk: CRITICAL
________________________________________________________________________
data injection.
But it gets more interesting. Several other BSD operating systems
copied the OpenBSD code for their own IP ID PRNG, so they're
vulnerable too. This is particularly so with Apple's Mac OS X,
Mac OS X Server and Darwin, but also with NetBSD, FreeBSD and
DragonFlyBSD (the 3 latter O/S however only use this PRNG when
the kernel flag net.inet.ip.random_id is set to 1; it is 0 by
default, resulting in a sequential counter to be used instead...).
OpenBSD, NetBSD and FreeBSD also use this PRNG for IP
fragmentation ID normalization feature (e.g. "scrub out random-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: X.Org X server: Multiple vulnerabilities
Date: June 19, 2008
Bugs: #225419
ID: 200806-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dominic Chell of NGS Secure has discovered a High risk vulnerability in Mac OS X ImageIO. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Versions affected include:
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.7, Mac OS X Server v10.6 through v10.6.7
Apple has released a patch that addresses the issue. The announcement of the patch can be found here:
http://support.apple.com/kb/HT4723
for this particular vulnerability would not work anymore.
( search for "CVE-2010-1752" here: http://support.apple.com/kb/ht4225 )
But, thanks to our proof of concepts (client-side attacks), it was not
only possible to abuse the iPhone devices, but also any current Mac OS X
( Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through
v10.6.4, Mac OS X Server v10.6 through v10.6.4 ).
Hopefully, this week, Apple released many interesting security patches
for Mac OS X, and one of them will allow Mac end users to avoid those
kind of client-side attacks and stack overflows against the CFNetwork
Hijacking Safari 4 Top Sites with Phish Bombs
II. VULNERABLE
-------------------------
Safari 4 all versions < 4.0.3
Platforms affected - Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X
v10.5.7, Mac OS X Server v10.5.7, Windows XP and Vista
III. BACKGROUND
-------------------------
Safari is a web browser developed by Apple Inc. It is the default browser in
I. BACKGROUND
The X Window System is a graphical windowing system based on a
client/server model. The Render extension is used to provide
Porter-Duff image compositing for the X server. It is built into many X
servers by default, and loaded as a default module when it is not. For
more information, see the vendor's site found at the following link.
http://en.wikipedia.org/wiki/X_Window_System
forks, and they're quite broken - extended attribute support introduces
a serious memory leak.
If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a
look at
http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
). Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR? :)
I. BACKGROUND
The X Window System (or X11) is a graphical windowing system used on
Unix-like systems. It is based on a client/server model. The X Window
System font server (xfs) is used to render fonts for the X server. More
information can be found at the following URLs.
http://en.wikipedia.org/wiki/X_Window_System
http://www.x.org/wiki/
Dominic Chell of NGS Secure has discovered a high risk memory corruption vulnerability affecting the ImageIO rendering framework. Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution. This issue can be remotely (client-side) exploited through any application using the framework including Mail, Safari and QuickLook.
Versions affected include:
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Apple has released a patch that addresses these issues. The announcement of
this patch can be found here:
http://support.apple.com/kb/HT1222
Debian-specific: no
CVE Id(s) : CVE-2008-2383
Debian Bug : 510030
Paul Szabo discovered that xterm, a terminal emulator for the X Window
System, places arbitrary characters into the input buffer when
displaying certain crafted escape sequences (CVE-2008-2383).
As an additional precaution, this security update also disables font
changing, user-defined keys, and X property changes through escape
sequences.
Exploitation of these vulnerabilities results in the execution of
arbitrary code with the privileges of the application using the
library. Since FreeType2 is a library and not a standalone application,
the exploitation vector will vary. iDefense Labs verified that local
privilege escalation was possible via the X.Org Xserver.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in
FreeType2 version 2.3.5. Previous versions may also be affected.
iDefense has confirmed the existence of this vulnerability in
OfficeFramework running on the following devices:
iPod Touch, IOS 3.1.3 iPad, IOS 3.2.1
Apple has confirmed Mac OS X and Mac OS X Server v10.6 through v10.6.4
to be vulnerable.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue. There
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the application using the library. Since
FreeType2 is a library and not a standalone application, the
exploitation vector will vary. iDefense Labs verified that local
privilege escalation was possible via the X.Org Xserver.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in FreeType2
version 2.3.5. Previous versions may also be affected.
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the application using the library. Since
FreeType2 is a library and not a standalone application, the
exploitation vector will vary. iDefense Labs verified that local
privilege escalation was possible via the X.Org Xserver.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in FreeType2
version 2.3.5. Previous versions may also be affected.
arbitrary commands execution.
Background
==========
xterm is a terminal emulator for the X Window system.
Affected packages
=================
-------------------------------------------------------------------