Bug 1174635 - (CVE-2020-14345) VUL-0: CVE-2020-14345: xorg-x11-server: Out-Of-Bounds Access Privilege Escalation Vulnerability (ZDI-CAN-11428)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/264447/
CVSSv3.1:SUSE:CVE-2020-14345:7.8:(AV:...
Reported: 2020-07-29 08:13 UTC by Alexandros Toptsoglou
Modified: 2020-08-31 04:18 UTC (History)
Description Alexandros Toptsoglou 2020-07-29 08:13:53 UTC
-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested: 1.20.4
* Installer file: debian-10.4.0-amd64-xfce-CD-1.iso
* Platform tested: debian 10.4.0 amd64 desktop


---

### Analysis

The exploit doesn't work if the OS is installed on VMware or on default VirtualBox; it works on VirtualBox with the VBoxVGA graphics controller.

The request handler, ProcXkbSetNames, in the X11 server did not validate the request length before accessing the request contents:
https://github.com/freedesktop/xorg-xserver/blob/master/xkb/xkb.c#L4348

The exploit uses pixmaps to spray and achieve an arbitrary read/write. It leads to LPE on some distributions (Xorg in Debian runs as root) and to RCE in SSH X11 forwarding environments.

~~~c
int
ProcXkbSetNames(ClientPtr client)
{
    CARD32 *tmp;

    REQUEST(xkbSetNamesReq);
    REQUEST_AT_LEAST_SIZE(xkbSetNamesReq);   /* only guarantees the fixed 28-byte header */
...
    /* check device-independent stuff */
    tmp = (CARD32 *) &stuff[1];   /* (1) points to the CARD32 after the header without
                                   * checking that enough data follows; it can then
                                   * point out of bounds */
...

    /* start of device-dependent tests */
    rc = _XkbSetNamesCheck(client, dev, stuff, tmp);   /* (2) */
...
}


static int
_XkbSetNamesCheck(ClientPtr client, DeviceIntPtr dev,
                  xkbSetNamesReq * stuff, CARD32 *data)
{
...
    tmp = data;
...
    if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
        tmp += stuff->nKeyAliases * 2;   /* (3) advanced by a client-controlled count, unchecked */
    }
    if (stuff->which & XkbRGNamesMask) {
        if (stuff->nRadioGroups < 1) {
            client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
            return BadValue;
        }
        tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);   /* (4) */
        if (!tmp) {
            client->errorValue = bad;
            return BadAtom;
        }
    }
...
}


static CARD32 *
_XkbCheckAtoms(CARD32 *wire, int nAtoms, int swapped, Atom *pError)
{
    register int i;

    for (i = 0; i < nAtoms; i++, wire++) {
        if (swapped) {
            swapl(wire);   /* (5) swaps bytes out of bounds once wire has left the request */
        }
...
    }
    return wire;
}
~~~

debug log
```
(gdb) b *0x15D3DB+0x55932d486000
Breakpoint 1 at 0x55932d5e33db
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055932d5e33db in ?? ()
(gdb) x/i $pc
=> 0x55932d5e33db:    lea    r14,[r13+0x1c]          // tmp = (CARD32 *) &stuff[1];
// now, r14 is OOB and points to the next request
(gdb) x/10xg $r13
0x55932ea64010:    0x0000010000071287    0x0000000000002400    // xkbSetNamesReq, len = 0x1c
0x55932ea64020:    0x0000010000000000    0x0400001000000001    // xInternAtomReq, len = 0x8
0x55932ea64030:    0x3332313000000800    0x7b3f22b900363534    // char*, len = 0x7
0x55932ea64040:    0x000100855ba15203    0x0000000100020087
0x55932ea64050:    0x0000000000000000    0x0000000000000000
(gdb) x/s 0x55932ea64034
0x55932ea64034:    "0123456"
(gdb) awatch *0x55932ea64034
Hardware access (read/write) watchpoint 2: *0x55932ea64034
(gdb) c
Continuing.

Thread 1 "Xorg" hit Hardware access (read/write) watchpoint 2: *0x55932ea64034

Value = 858927408
0x000055932d5d90d3 in ?? ()
(gdb) x/20i $pc-0x10
   0x55932d5d90c3:    add    BYTE PTR [rax],0x0
   0x55932d5d90c6:    add    BYTE PTR [rax],al
   0x55932d5d90c8:    add    rbx,0x4
   0x55932d5d90cc:    cmp    rbp,rbx
   0x55932d5d90cf:    je     0x55932d5d90f1
   0x55932d5d90d1:    mov    edi,DWORD PTR [rbx]    // OOBR
=> 0x55932d5d90d3:    test   r12d,r12d
   0x55932d5d90d6:    je     0x55932d5d90dc
   0x55932d5d90d8:    bswap  edi
   0x55932d5d90da:    mov    DWORD PTR [rbx],edi    // OOBW
   0x55932d5d90dc:    test   edi,edi
   0x55932d5d90de:    je     0x55932d5d90c8
   0x55932d5d90e0:    call   0x55932d4ce980 <ValidAtom>
   0x55932d5d90e5:    test   eax,eax
   0x55932d5d90e7:    jne    0x55932d5d90c8
   0x55932d5d90e9:    mov    eax,DWORD PTR [rbx]
   0x55932d5d90eb:    xor    ebp,ebp
   0x55932d5d90ed:    mov    DWORD PTR [r13+0x0],eax
   0x55932d5d90f1:    add    rsp,0x8
   0x55932d5d90f5:    mov    rax,rbp
(gdb) c

Thread 1 "Xorg" hit Hardware access (read/write) watchpoint 2: *0x55932ea64034

Old value = 858927408
New value = 808530483
0x000055932d5d90dc in ?? ()
(gdb) x/s 0x55932ea64034
0x55932ea64034:    "3210456"    // bytes are swapped
(gdb) x/10i $pc-0x10
   0x55932d5d90cc:    cmp    rbp,rbx
   0x55932d5d90cf:    je     0x55932d5d90f1
   0x55932d5d90d1:    mov    edi,DWORD PTR [rbx]
   0x55932d5d90d3:    test   r12d,r12d
   0x55932d5d90d6:    je     0x55932d5d90dc
   0x55932d5d90d8:    bswap  edi
   0x55932d5d90da:    mov    DWORD PTR [rbx],edi
=> 0x55932d5d90dc:    test   edi,edi
   0x55932d5d90de:    je     0x55932d5d90c8
   0x55932d5d90e0:    call   0x55932d4ce980 <ValidAtom>
(gdb) bt
#0  0x000055932d5d90dc in ?? ()
#1  0x000055932d5de551 in ?? ()
#2  0x000055932d5e3448 in ?? ()
#3  0x000055932d4e096e in ?? ()
#4  0x000055932d4e4916 in ?? ()
#5  0x00007fe82c49f09b in __libc_start_main (main=0x55932d4ce640, argc=10, argv=0x7fff872eee28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff872eee18) at ../csu/libc-start.c:308
#6  0x000055932d4ce67a in _start ()
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy


_______________________________________________
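To show how the walk in _XkbSetNamesCheck can be bounded by the length the client declared, here is an added example in C (my own model, not xorg-server's code and not the upstream fix). The struct layout, the mask bit values and the error codes are assumptions modelled for this example; the header values are as I read them off the gdb dump above (length 7, which = 0x2400, one key alias, one radio group).

```c
#include <stddef.h>
#include <stdint.h>
typedef uint32_t CARD32;
typedef uint16_t CARD16;
typedef uint8_t  CARD8;

/* Model of the 28-byte xkbSetNamesReq header (layout assumed; only length,
 * which, nRadioGroups and nKeyAliases are used). */
typedef struct {
    CARD8  reqType, xkbReqType;  CARD16 length;   /* length in 4-byte units */
    CARD16 deviceSpec, virtualMods;  CARD32 which;
    CARD8  firstType, nTypes, firstKTLevel, nKTLevels;  CARD32 indicators;
    CARD8  groupNames, nRadioGroups, firstKey, nKeys, nKeyAliases, pad1;
    CARD16 totalKTLevelNames;
} xkbSetNamesReq;

#define XkbKeyAliasesMask (1u << 10)  /* assumed bit values; together they */
#define XkbRGNamesMask    (1u << 13)  /* form the which = 0x2400 in the dump */
enum { Success = 0, BadLength = 16 };

/* Hardened walk of the variable part: each advance of tmp is checked
 * against the end of the request declared by stuff->length, so the atom
 * loop ((4)/(5) in the analysis) can never reach the next request. */
int check_set_names_bounds(const xkbSetNamesReq *stuff)
{
    if ((size_t) stuff->length * 4 < sizeof(xkbSetNamesReq))
        return BadLength;                            /* REQUEST_AT_LEAST_SIZE */
    const CARD32 *tmp = (const CARD32 *) &stuff[1];                  /* (1) */
    const CARD32 *end = (const CARD32 *) stuff + stuff->length;
    if ((stuff->which & XkbKeyAliasesMask) && stuff->nKeyAliases > 0) {
        if ((size_t) (end - tmp) < (size_t) stuff->nKeyAliases * 2)
            return BadLength;
        tmp += (size_t) stuff->nKeyAliases * 2;                      /* (3) */
    }
    if (stuff->which & XkbRGNamesMask) {
        if ((size_t) (end - tmp) < (size_t) stuff->nRadioGroups)
            return BadLength;                              /* guards (4) */
        tmp += stuff->nRadioGroups;
    }
    return Success;
}

/* Header-only request as I read it off the gdb dump: length 7 (0x1c bytes),
 * which = 0x2400, one key alias and one radio group. extra_words (0..3)
 * appends payload words so the same header can be made valid. */
int demo_request(CARD16 extra_words)
{
    union { xkbSetNamesReq req; CARD32 words[10]; } buf = { {0} };
    buf.req.length = (CARD16) (sizeof(xkbSetNamesReq) / 4 + extra_words);
    buf.req.which = XkbKeyAliasesMask | XkbRGNamesMask;
    buf.req.nKeyAliases = 1;
    buf.req.nRadioGroups = 1;
    return check_set_names_bounds(&buf.req);  /* 0 -> BadLength, 3 -> Success */
}
```

With no payload words the checker rejects the request before any atom is touched; the vulnerable walk would instead advance two words past the header and byte-swap the "0123" at 0x...34 that the watchpoint catches.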
Comment 4 Wolfgang Frisch 2020-07-29 14:56:03 UTC
All supported code streams appear to be affected.
Comment 17 Stefan Dirsch 2020-08-25 15:33:57 UTC
Date: Tue, 25 Aug 2020 17:24:05 +0200
From: Matthieu Herrb <matthieu@herrb.eu>
To: xorg-announce@lists.x.org
Subject: X.Org server security advisory: August 25, 2020

Multiple input validation failures in X server extensions
=========================================================

All these issues can lead to local privilege elevation
on systems where the X server is running privileged.

* CVE-2020-14345 / ZDI CAN 11428 XkbSetNames Out-Of-Bounds Access

The handler for the XkbSetNames request does not validate the request
length before accessing its contents.

* CVE-2020-14346 / ZDI CAN 11429 XIChangeHierarchy Integer Underflow

An integer underflow exists in the handler for the XIChangeHierarchy
request.

* CVE-2020-14361 / ZDI CAN 11573 XkbSelectEvents Integer Underflow

An integer underflow exists in the handler for the XkbSelectEvents
request.

* CVE-2020-1436 / ZDI CAN 11574 XRecordRegisterClients Integer Underflow

An integer underflow exists in the handler for the CreateRegister
request of the X record extension.

Patches
-------

Patches for these issues have been committed to the xorg server git
repository. xorg-server 1.20.9 will be released shortly and will
include these patches.

https://gitlab.freedesktop.org/xorg/xserver.git

commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1

    Correct bounds checking in XkbSetNames()

    CVE-2020-14345 / ZDI 11428

commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e

    Fix XIChangeHierarchy() integer underflow

    CVE-2020-14346 / ZDI-CAN-11429

commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8

    Fix XkbSelectEvents() integer underflow

    CVE-2020-14361 ZDI-CAN 11573

commit 24acad216aa0fc2ac451c67b2b86db057a032050

    Fix XRecordRegisterClients() Integer underflow

    CVE-2020-14362 ZDI-CAN-11574

Thanks
======

These vulnerabilities have been discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.


--
Matthieu Herrb
Comment 18 OBSbugzilla Bot 2020-08-25 16:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1174635) was mentioned in
https://build.opensuse.org/request/show/829591 Factory / xorg-x11-server
Comment 21 Stefan Dirsch 2020-08-25 20:25:48 UTC
Packages are submitted (factory/TW, sle15-sp2, sle15-sp1, sle15, sle12-sp5, sle12-sp4, sle12-sp2, sle11-sp3, sle11-sp1). Reassigning back to security team.
Comment 22 Swamp Workflow Management 2020-08-25 22:14:21 UTC
SUSE-SU-2020:2242-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-08-25 22:15:25 UTC
SUSE-SU-2020:14463-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635
CVE References: CVE-2020-14345,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.26.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.26.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.26.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2020-08-25 22:16:29 UTC
SUSE-SU-2020:2325-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2020-08-25 22:17:35 UTC
SUSE-SU-2020:2240-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2020-08-25 22:18:49 UTC
SUSE-SU-2020:2326-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1120999,1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2020-08-25 22:19:54 UTC
SUSE-SU-2020:2241-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2020-08-26 13:14:28 UTC
SUSE-SU-2020:2331-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Alexandros Toptsoglou 2020-08-27 13:26:05 UTC
Done
Comment 30 Swamp Workflow Management 2020-08-29 13:13:33 UTC
openSUSE-SU-2020:1279-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.3.1
Comment 31 Swamp Workflow Management 2020-08-31 04:18:20 UTC
openSUSE-SU-2020:1302-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.3.1