Exploits/DFX11details.txt
I have found an integer overflow and a double free vulnerability in the way libX11 handles locales.
The integer overflow is a necessary precursor to the double free.
The integer overflow occurs in this for loop, as length can be incremented to a negative value with sufficiently large font set names:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2010
Because length is a signed int, it wraps, which then causes the call to malloc() to fail here:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2025
This leads to Xfree(required_list) here:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2027
Note that required_list and om->core.required_charset.charset_list are equivalent:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2018
Now, because init_om returned false, we "goto err" here:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L2071
Then in close_om() we call Xfree for a second time on the same region of memory:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/master/modules/om/generic/omGeneric.c#L1678
So the same object is freed twice, once as required_list, and a second time as om->core.required_charset.charset_list.
To generate the locale, here is a small shell script (which requires plenty of RAM and a bit of patience, so don't run it unless you absolutely need to verify the realisability of the vulnerability):
https://github.com/Ruia-ruia/Exploits/blob/master/x11doublefree.sh
The PoC generates enough fontsets, with large enough names, to increment the length variable in init_om to a negative value.
I have tested on Ubuntu 20.04, with glibc 2.31 installed.
To trigger the vulnerability, simply run the script and call XOpenOM() in your own application.
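The following is an added example, not libX11 code or the repository's PoC: it models the two defects described above in miniature. sum_lengths_signed shows a signed int accumulator wrapping negative, sum_lengths_checked is a hardened size_t version with an overflow check, and run_scenario replays the init_om failure path followed by close_om over one aliased block, with a tracking free standing in for the allocator's double-free detection. All names (om_model, xfree_tracked, run_scenario) and the "NULL the alias after freeing" fix are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
struct om_model {        /* hypothetical stand-in for the XOM object */
    char *charset_list;  /* models om->core.required_charset.charset_list */
};
/* Signed accumulator as in the bug; the add is done in unsigned and cast back
 * so the wrap is defined behaviour in this example (signed overflow is UB). */
int sum_lengths_signed(const unsigned *name_lens, size_t count) {
    int length = 0;
    for (size_t i = 0; i < count; i++)
        length = (int)((unsigned)length + name_lens[i]);
    return length;       /* negative once the sum passes INT_MAX */
}

/* Hardened accumulator: size_t with an overflow check before each add. */
bool sum_lengths_checked(const unsigned *name_lens, size_t count, size_t *out) {
    size_t total = 0;
    for (size_t i = 0; i < count; i++) {
        if (name_lens[i] > SIZE_MAX - total) return false;
        total += name_lens[i];
    }
    *out = total;
    return true;
}

/* Tracking free: releases p once, reports true if p was already freed
 * (a minimal stand-in for the allocator's own double-free detection). */
static void *freed[8]; static size_t nfreed;
static bool xfree_tracked(void *p) {
    if (p == NULL) return false;
    for (size_t i = 0; i < nfreed; i++)
        if (freed[i] == p) return true;
    if (nfreed < 8) freed[nfreed++] = p;
    free(p);
    return false;
}
/* init_om's failure path frees required_list and returns false; close_om then
 * frees the aliased om field. Returns true when that second free hits a block
 * already freed. clear_alias=true applies one fix: NULL the alias after freeing. */
bool run_scenario(bool clear_alias) {
    struct om_model om;
    char *required_list = malloc(16);
    nfreed = 0;
    om.charset_list = required_list;       /* both names refer to one block */
    xfree_tracked(required_list);          /* cleanup after "malloc failed" */
    if (clear_alias) om.charset_list = NULL;
    return xfree_tracked(om.charset_list); /* close_om's Xfree */
}
```

In the unfixed path run_scenario reports the second free landing on the already-freed block; with the alias cleared, close_om's free becomes a no-op on NULL.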
Incomplete list of potentially vulnerable packages which use X11:
aalib
aeolus
albert
ambix
ardour
artyfx
at-spi2-atk
avldrums.lv2
barrier-headless
bchoppr
blackbox
bsequencer
bshapr
bslizr
byuu
carla
clipnotify
clxclient
code
dolphin-emu
dragonfly-reverb
drumgizmo
dzen2
element
emptyepsilon
ffmpeg
fillets-ng
finch
fltk
fltk-examples
freerdp
freetype2-demos
freewheeling
fs-uae
gala
gdk-pixbuf2
geonkick
giada
gifsicle
glew1.10
golang-deepin-lib
gst-plugins-bad-libs
guitarix
gxplugins.lv2
haskell-x11
haskell-x11 (staging)
helm-synth
higan
iempluginsuite
java11-openjfx
java11-openjfx (testing)
java8-openjfx
java-openjfx
jgmenu
juce
jwm
kitty
kvantum-qt5
lib32-libx11
libretro-dolphin
libspnav
libva
libva1
libva-mesa-driver
libva-vdpau-driver
libvdpau-va-gl
libwmf
libxext
libxfixes
libxkbfile
libxrender
libxt
lightdm
light-locker
lirc
lmms
lmms (testing)
lsp-plugins
lsw
lxqt-session
maim
megaglest
mephisto.lv2
mesa-vdpau
midi_matrix.lv2
mixxx
moony.lv2
mplayer
mumble
ninjas2
non-sequencer
ntk
pantheon-videos
pari
pasystray
patchmatrix
plank
profanity-gtk
qtcurve-utils
screengrab
screenkey
sdl
sdl2
setbfree
sfizz
sfml
sherlock.lv2
simplescreenrecorder
slop
smplayer
snes9x
snes9x-gtk
sonic-visualiser
spectmorph
spring
stalonetray
startup-notification
supercollider
surge
tilix
ucblogo
unclutter
vdpauinfo
virtualbox
virtualbox-guest-utils
vulkan-intel
vulkan-radeon
vulkan-validation-layers
wallutils
weston
wmname
x42-plugins
xbindkeys
xloadimage
xmonk.lv2
xorg-oclock
xorg-x11perf
xorg-xclipboard
xorg-xclock
xorg-xcmsdb
xorg-xconsole
xorg-xcursorgen
xorg-xdpyinfo
xorg-xdriinfo
xorg-xedit
xorg-xev
xorg-xeyes
xorg-xfontsel
xorg-xgamma
xorg-xhost
xorg-xinit
xorg-xinput
xorg-xkbutils
xorg-xkill
xorg-xload
xorg-xlogo
xorg-xlsfonts
xorg-xmag
xorg-xmodmap
xorg-xpr
xorg-xprop
xorg-xrandr
xorg-xrdb
xorg-xrefresh
xorg-xsetroot
xorg-xvidtune
xorg-xvinfo
xorg-xwud
xplot
xsel
xsettings-client
xsettingsd
xtrlock
zam-plugins
zvbi
csound (optional)
csound (testing) (optional)
deadbeef (optional)
libquicktime (optional)
links (optional)
mtools (optional)
suil (optional)
deadbeef (make)
displaycal (make)
fltk (make)
freetype2 (make)
i810-dri (make)
intel-media-sdk (make)
java11-openjfx (make)
java11-openjfx (testing) (make)
java11-openjfx-doc (make)
java11-openjfx-doc (testing) (make)
java11-openjfx-src (make)
java11-openjfx-src (testing) (make)
java8-openjfx (make)
java-openjfx (make)
jdk11-openjdk (make)
jdk-openjdk (make)
java11-openjdk (make)
java-openjdk (make)
libglvnd (make)
liblightdm-qt5 (make)
libmfx (make)
libopenshot-audio (make)
libquicktime (make)
libstroke (make)
libva-mesa-driver (make)
lightdm (make)
lirc (make)
mach64-dri (make)
mc (make)
mencoder (make)
mesa (make)
mga-dri (make)
mplayer (make)
mtools (make)
opencl-mesa (make)
java11-openjdk (make)
java-openjdk (make)
osmid (make)
profanity (make)
r128-dri (make)
raylib (make)
retroarch (make)
mesa-dri1 (make)
snes9x (make)
mesa-dri1 (make)
vulkan-extra-layers (make)
vulkan-icd-loader (make)
mesa (make)
vulkan-tools (make)
vulkan-trace (make)
vulkan-validation-layers (make)
xcb-util-xrm (make)
xf86-input-libinput (make)
xf86-input-synaptics (make)
xf86-video-intel (make)
xorg-server (make)
xorg-xwininfo (make)
networkmanager (check)
openscad (check)
vala (check)