Bug 1174913 (CVE-2020-14362)

Summary: VUL-0: CVE-2020-14362: xorg-x11-server: XRecordRegisterClients Integer Underflow Privilege Escalation Vulnerability (ZDI 11574)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: sndirsch, tiwai, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/264777/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-14362:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: ZDI-CAN-11574.zip

Description Alexandros Toptsoglou 2020-08-05 12:26:09 UTC 
Created attachment 840362 [details]
ZDI-CAN-11574.zip

ZDI-CAN-11574: X.Org Server XRecordRegisterClients Integer Underflow Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested:1.20.4
* Installer file:debian-10.4.0-amd64-xfce-CD-1.iso
* Platform tested:-

---

### Analysis
```
the exploit doesn't work if the OS installed on vmware and default virtualbox
it works on virtualbox with VBoxVGA graphic controller

integer underflow exist in xserver, SwapCreateRegister()
https://github.com/freedesktop/xorg-xserver/blob/master/record/record.c#L2513
exploit use pixmap to spray and achieve the arbitrary read/write
it leads to LPE for some distribution (xorg in debian is run a root) and RCE for ssh x11 forwarding environmnet
```
~~~C++
SwapCreateRegister(xRecordRegisterClientsReq * stuff)
{
    int i;
    XID *pClientID;

    swapl(&stuff->context);
    swapl(&stuff->nClients);
    swapl(&stuff->nRanges);
    pClientID = (XID *) &stuff[1];
    if (stuff->nClients >
        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))		// stuff->length can be 0, it leads to underflow
        return BadLength;
    for (i = 0; i < stuff->nClients; i++, pClientID++) {
        swapl(pClientID);
    }
    if (stuff->nRanges >
        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
        - stuff->nClients)
        return BadLength;
    RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
    return Success;
}                               /* SwapCreateRegister */
~~~

debug log
```
(gdb) b *0x42C4D+0x55d950871000
Breakpoint 1 at 0x55d9508b3c4d
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055d9508b3c4d in ?? ()
(gdb) x/i $pc
=> 0x55d9508b3c4d:	sub    ecx,0x5
(gdb) x/10i 0x55d9508b3c4d-0x10
   0x55d9508b3c3d:	push   rdi
   0x55d9508b3c3e:	clc
   0x55d9508b3c3f:	bswap  ecx
   0x55d9508b3c41:	mov    DWORD PTR [rdi-0x4],ecx
   0x55d9508b3c44:	bswap  edx
   0x55d9508b3c46:	mov    DWORD PTR [rdi-0x8],edx
   0x55d9508b3c49:	movzx  ecx,WORD PTR [rax+0x2]
   0x55d9508b3c4d:	sub    ecx,0x5
   0x55d9508b3c50:	cmp    ecx,edx
   0x55d9508b3c52:	jae    0x55d9508b3c5a
(gdb) i r $rcx
rcx            0x0                 0
(gdb) si
0x000055d9508b3c50 in ?? ()
(gdb) i r $rcx
rcx            0xfffffffb          4294967291		// integer underflow
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055d9508b3c4d in ?? ()
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
0x00007f3b4cb64120 in _int_malloc (av=av@entry=0x7f3b4cc9cc40 <main_arena>, bytes=bytes@entry=8928) at malloc.c:4033
4033	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007f3b4cb64120 in _int_malloc (av=av@entry=0x7f3b4cc9cc40 <main_arena>, bytes=bytes@entry=8928) at malloc.c:4033
#1  0x00007f3b4cb661a2 in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3428
#2  0x00007f3b4d783a02 in ?? () from /lib/x86_64-linux-gnu/libpixman-1.so.0
#3  0x00007f3b4d783aac in ?? () from /lib/x86_64-linux-gnu/libpixman-1.so.0
#4  0x00007f3b4d7b9814 in pixman_composite_glyphs () from /lib/x86_64-linux-gnu/libpixman-1.so.0
#5  0x00007f3b4ba848e7 in fbGlyphs () from /usr/lib/xorg/modules/libfb.so
#6  0x000055d9509ac5e7 in ?? ()
#7  0x000055d9509a0710 in ?? ()
#8  0x000055d9508cb96e in ?? ()
#9  0x000055d9508cf916 in ?? ()
#10 0x00007f3b4cb0509b in __libc_start_main (main=0x55d9508b9640, argc=10, argv=0x7ffe55de4648, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe55de4638) at ../csu/libc-start.c:308
#11 0x000055d9508b967a in _start ()
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/
Comment 7 Stefan Dirsch 2020-08-25 15:33:44 UTC 
Date: Tue, 25 Aug 2020 17:24:05 +0200
From: Matthieu Herrb <matthieu@herrb.eu>
To: xorg-announce@lists.x.org
Subject: X.Org server security advisory: August 25, 2020

Multiple input validation failures in X server extensions
=========================================================

All theses issuses  can lead to local privileges elevation
on systems where the X server is running privileged.

* CVE-2020-14345 / ZDI CAN 11428 XkbSetNames Out-Of-Bounds Access

The handler for the XkbSetNames request does not validate the request
length before accessing its contents.

* CVE-2020-14346 / ZDI CAN 11429 XIChangeHierarchy Integer Underflow

An integer underflow exists in the handler for the XIChangeHierarchy
request.

* CVE-2020-14361 / ZDI CAN 11573 XkbSelectEvents Integer Underflow

An integer underflow exist in the handler for the XkbSelectEvents
request.

* CVE-2020-1436 / ZDI CAN 11574 XRecordRegisterClients Integer Underflow

An integer underflow exist in the handler for the CreateRegister
request of the X record extension.

Patches
-------

Patches for this issues have been commited to the xorg server git
repository. xorg-server 1.20.9 will be released shortly and will
include these patches.

https://gitlab.freedesktop.org/xorg/xserver.git

commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1

    Correct bounds checking in XkbSetNames()

    CVE-2020-14345 / ZDI 11428

commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e

    Fix XIChangeHierarchy() integer underflow

    CVE-2020-14346 / ZDI-CAN-11429

commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8

    Fix XkbSelectEvents() integer underflow

    CVE-2020-14361 ZDI-CAN 11573

commit 24acad216aa0fc2ac451c67b2b86db057a032050

    Fix XRecordRegisterClients() Integer underflow

    CVE-2020-14362 ZDI-CAN-11574

Thanks
======

These vulnerabilities have beend discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.


--
Matthieu Herrb
Comment 8 OBSbugzilla Bot 2020-08-25 16:50:22 UTC 
This is an autogenerated message for OBS integration:
This bug (1174913) was mentioned in
https://build.opensuse.org/request/show/829591 Factory / xorg-x11-server
Comment 11 Stefan Dirsch 2020-08-25 20:25:18 UTC 
Packages are submitted (factory/TW, sle15-sp2, sle15-sp1, sle15, sle12-sp5, sle12-sp4, sle12-sp2, sle11-sp3, sle11-sp1). Reassigning back to security team.
Comment 13 Swamp Workflow Management 2020-09-01 10:17:13 UTC 
SUSE-SU-2020:2399-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.11.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.11.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.11.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-09-01 10:18:23 UTC 
SUSE-SU-2020:2398-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.19.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.19.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.19.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-09-01 10:19:40 UTC 
SUSE-SU-2020:2401-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.29.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.29.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-09-01 10:20:46 UTC 
SUSE-SU-2020:14475-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.29.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.29.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-09-01 13:18:34 UTC 
SUSE-SU-2020:2407-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.12.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-09-02 16:16:07 UTC 
SUSE-SU-2020:2452-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2020-09-03 19:27:25 UTC 
SUSE-SU-2020:2481-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.5.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.5.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-09-07 13:27:07 UTC 
openSUSE-SU-2020:1374-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.6.1
Comment 22 Swamp Workflow Management 2020-09-07 13:27:59 UTC 
openSUSE-SU-2020:1376-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174910,1174913
CVE References: CVE-2020-14361,CVE-2020-14362
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.6.1
Comment 23 Marcus Meissner 2020-10-03 07:00:25 UTC 
reelased