Bug 1174910 (CVE-2020-14361)

Summary: VUL-0: CVE-2020-14361: xorg-x11-server: XkbSelectEvents Integer Underflow Privilege Escalation Vulnerability (ZDI-CAN-11573)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: junguo.wang, sndirsch, tiwai, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/264775/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-14361:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: ZDI-CAN-11573.zip

Description Alexandros Toptsoglou 2020-08-05 12:08:38 UTC
Created attachment 840360 [details]
ZDI-CAN-11573.zip

ZDI-CAN-11573: X.Org Server XkbSelectEvents Integer Underflow Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested:1.20.4
* Installer file:debian-10.4.0-amd64-xfce-CD-1.iso
* Platform tested:-

---

### Analysis
```
the exploit doesn't work if the OS installed on vmware and default virtualbox
it works on virtualbox with VBoxVGA graphic controller

integer underflow exist in xserver, SProcXkbSelectEvents()
https://github.com/freedesktop/xorg-xserver/blob/master/xkb/xkbSwap.c#L79
exploit use pixmap to spray and achieve the arbitrary read/write
it leads to LPE for some distribution (xorg in debian is run a root) and RCE for ssh x11 forwarding environmnet
```
~~~C++
static int _X_COLD
SProcXkbSelectEvents(ClientPtr client)
{
...
        dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);// stuff->length can be 0, then underflow
...
        for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
...
            }
            if (dataLeft < (size * 2))// check is useless here
                return BadLength;
            if (size == 2) {
                swaps(&from.c16[0]);// OOB write memory
                swaps(&from.c16[1]);
            }
            else if (size == 4) {
                swapl(&from.c32[0]);
                swapl(&from.c32[1]);
            }
            else {
                size = 2;
            }
            from.c8 += (size * 2);
            dataLeft -= (size * 2);
        }
...
}
~~~

debug log
```
(gdb) b *0x461F5+0x55d950871000
Breakpoint 1 at 0x55d9508b71f5
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055d9508b71f5 in SProcXkbDispatch ()
(gdb) x/i $pc
=> 0x55d9508b71f5 <SProcXkbDispatch+376>:lea    esi,[rdx*4-0x10]
(gdb) i r $rdx
rdx            0x0                 0
(gdb) si
0x000055d9508b71fc in SProcXkbDispatch ()
(gdb) i r $esi
esi            0xfffffff0          -16// integer underflow
(gdb) bt
#0  0x000055d9508b71fc in SProcXkbDispatch ()
#1  0x000055d9508cb96e in ?? ()
#2  0x000055d9508cf916 in ?? ()
#3  0x00007f3b4cb0509b in __libc_start_main (main=0x55d9508b9640, argc=10, argv=0x7ffe55de4648, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe55de4638) at ../csu/libc-start.c:308
#4  0x000055d9508b967a in _start ()
(gdb) x/10i $pc-0x12
   0x55d9508b71ea <SProcXkbDispatch+365>:lea    r10,[rax+0x10]
   0x55d9508b71ee <SProcXkbDispatch+369>:and    r8d,0xfffd
   0x55d9508b71f5 <SProcXkbDispatch+376>:lea    esi,[rdx*4-0x10]
=> 0x55d9508b71fc <SProcXkbDispatch+383>:xor    ecx,ecx
   0x55d9508b71fe <SProcXkbDispatch+385>:mov    edx,0x1
   0x55d9508b7203 <SProcXkbDispatch+390>:mov    ebx,0x1
   0x55d9508b7208 <SProcXkbDispatch+395>:test   r8d,r8d
   0x55d9508b720b <SProcXkbDispatch+398>:je     0x55d9508b72eb <SProcXkbDispatch+622>
   0x55d9508b7211 <SProcXkbDispatch+404>:test   edx,r8d
   0x55d9508b7214 <SProcXkbDispatch+407>:je     0x55d9508b72e2 <SProcXkbDispatch+613>
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
312../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
#1  0x00007f3b4ba7db42 in fbBlt () from /usr/lib/xorg/modules/libfb.so
#2  0x00007f3b4ba7e8a6 in fbBltStip () from /usr/lib/xorg/modules/libfb.so
#3  0x00007f3b4ba82d30 in fbGetImage () from /usr/lib/xorg/modules/libfb.so
#4  0x000055d950a16bb0 in ?? ()
#5  0x000055d950953acb in ?? ()
#6  0x000055d9508c8819 in ?? ()
#7  0x000055d9508cb96e in ?? ()
#8  0x000055d9508cf916 in ?? ()
#9  0x00007f3b4cb0509b in __libc_start_main (main=0x55d9508b9640, argc=10, argv=0x7ffe55de4648, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe55de4638) at ../csu/libc-start.c:308
#10 0x000055d9508b967a in _start ()
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>
Comment 7 Stefan Dirsch 2020-08-25 15:33:23 UTC
Date: Tue, 25 Aug 2020 17:24:05 +0200
From: Matthieu Herrb <matthieu@herrb.eu>
To: xorg-announce@lists.x.org
Subject: X.Org server security advisory: August 25, 2020

Multiple input validation failures in X server extensions
=========================================================

All theses issuses  can lead to local privileges elevation
on systems where the X server is running privileged.

* CVE-2020-14345 / ZDI CAN 11428 XkbSetNames Out-Of-Bounds Access

The handler for the XkbSetNames request does not validate the request
length before accessing its contents.

* CVE-2020-14346 / ZDI CAN 11429 XIChangeHierarchy Integer Underflow

An integer underflow exists in the handler for the XIChangeHierarchy
request.

* CVE-2020-14361 / ZDI CAN 11573 XkbSelectEvents Integer Underflow

An integer underflow exist in the handler for the XkbSelectEvents
request.

* CVE-2020-1436 / ZDI CAN 11574 XRecordRegisterClients Integer Underflow

An integer underflow exist in the handler for the CreateRegister
request of the X record extension.

Patches
-------

Patches for this issues have been commited to the xorg server git
repository. xorg-server 1.20.9 will be released shortly and will
include these patches.

https://gitlab.freedesktop.org/xorg/xserver.git

commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1

    Correct bounds checking in XkbSetNames()

    CVE-2020-14345 / ZDI 11428

commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e

    Fix XIChangeHierarchy() integer underflow

    CVE-2020-14346 / ZDI-CAN-11429

commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8

    Fix XkbSelectEvents() integer underflow

    CVE-2020-14361 ZDI-CAN 11573

commit 24acad216aa0fc2ac451c67b2b86db057a032050

    Fix XRecordRegisterClients() Integer underflow

    CVE-2020-14362 ZDI-CAN-11574

Thanks
======

These vulnerabilities have beend discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.


--
Matthieu Herrb
Comment 8 OBSbugzilla Bot 2020-08-25 16:50:17 UTC
This is an autogenerated message for OBS integration:
This bug (1174910) was mentioned in
https://build.opensuse.org/request/show/829591 Factory / xorg-x11-server
Comment 11 Stefan Dirsch 2020-08-25 20:25:04 UTC
Packages are submitted (factory/TW, sle15-sp2, sle15-sp1, sle15, sle12-sp5, sle12-sp4, sle12-sp2, sle11-sp3, sle11-sp1). Reassigning back to security team.
Comment 13 jun wang 2020-08-31 09:26:38 UTC
I am testing xorg-x11-server SUSE:Maintenance:16219:225259 for sle 15 sp2, but there is a question: please check this link https://openqa.suse.de/tests/4590832#step/update_install/136, the previous version is 1.20.3-22.5.1, it is higher than the version (1.20.3-21.9.1) in this update.

so is there wrong something about the version of xorg-x11-server?
Comment 14 Stefan Dirsch 2020-08-31 09:35:05 UTC
No idea. Something for maintenance team. Latest changelog entry for sle15-sp2 should be

-------------------------------------------------------------------
Tue Aug 25 18:33:20 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>

- U_0003-Fix-XkbSelectEvents-integer-underflow.patch
  * Fix XkbSelectEvents() integer underflow
    [CVE-2020-14361 / ZDI-CAN 11573, boo#1174910]
- U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch
  * Fix XRecordRegisterClients() Integer underflow
    [CVE-2020-14362 / ZDI-CAN-11574, boo#1174913]
Comment 15 Swamp Workflow Management 2020-09-01 10:17:06 UTC
SUSE-SU-2020:2399-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.11.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.11.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.11.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-09-01 10:18:16 UTC
SUSE-SU-2020:2398-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.19.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.19.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.19.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-09-01 10:19:32 UTC
SUSE-SU-2020:2401-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-09-01 10:20:40 UTC
SUSE-SU-2020:14475-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.29.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.29.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-09-01 13:18:27 UTC
SUSE-SU-2020:2407-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.12.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-09-02 16:16:01 UTC
SUSE-SU-2020:2452-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2020-09-03 19:27:19 UTC
SUSE-SU-2020:2481-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.5.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.5.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-09-07 13:27:01 UTC
openSUSE-SU-2020:1374-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.6.1
Comment 24 Swamp Workflow Management 2020-09-07 13:27:53 UTC
openSUSE-SU-2020:1376-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.6.1
Comment 25 Marcus Meissner 2020-10-03 07:00:16 UTC
released