Bug 1174638 – VUL-0: CVE-2020-14346: xorg-x11-server: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (ZDI-CAN-11429)

Bug 1174638 - (CVE-2020-14346) VUL-0: CVE-2020-14346: xorg-x11-server: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (ZDI-CAN-11429)

(CVE-2020-14346)
Summary:	VUL-0: CVE-2020-14346: xorg-x11-server: XIChangeHierarchy Integer Underflow ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/264449/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-14346:7.8:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-07-29 08:22 UTC by Alexandros Toptsoglou
Modified:	2020-08-31 04:18 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2020-07-29 08:22:20 UTC

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested:1.20.8
* Installer file:ubuntu-20.04-desktop-amd64.iso
* Platform tested:ubuntu 20.04 amd64 desktop

---

### Analysis

```
the exploit doesn't work if the OS installed on vmware and default virtualbox
it works on virtualbox with VBoxVGA graphic controller

integer underflow exist in xserver, ProcXIChangeHierarchy()
https://github.com/freedesktop/xorg-xserver/blob/master/Xi/xichangehierarchy.c#L426
exploit use pixmap to spray and achieve the arbitrary read/write
it leads to LPE for some distribution (xorg in debian is run a root) and RCE for ssh x11 forwarding environmnet
```

~~~C++
int
ProcXIChangeHierarchy(ClientPtr client)
{
    xXIAnyHierarchyChangeInfo *any;
    size_t len;/* length of data remaining in request */
    int rc = Success;
    int flags[MAXDEVICES] = { 0 };

    REQUEST(xXIChangeHierarchyReq);
    REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);

    if (!stuff->num_changes)
        return rc;

    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);// 1) stuff->length is 0 if the request type is specified as Big request

    any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
    while (stuff->num_changes--) {
        if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
            rc = BadLength;
            goto unwind;
        }

        SWAPIF(swaps(&any->type));// 2) OOB swap two bytes
        SWAPIF(swaps(&any->length));

        if (len < ((size_t)any->length << 2))
            return BadLength;

...

        len -= any->length * 4;
        any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
    }

 unwind:

    XISendDeviceHierarchyEvent(flags);
    return rc;
}
~~~

debug log
```
(gdb) b *0x55adceb39000+0x14EADC
Breakpoint 1 at 0x55adcec87adc
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055adcec87adc in ?? ()
(gdb) x/i $pc
=> 0x55adcec87adc:lea    rbx,[rax*4-0x8]
(gdb) i r $rax
rax            0x0                 0
(gdb) si
0x000055adcec87ae4 in ?? ()
(gdb) x/i $pc
=> 0x55adcec87ae4:cmp    rbx,0x3
(gdb) i r $rbx
rbx            0xfffffffffffffff8  -8// integer underflow happens
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
0x000055adcec87b00 in ?? ()
1: x/i $pc
=> 0x55adcec87b00:movzx  eax,WORD PTR [r15+0x2]
(gdb) x/10i $pc
=> 0x55adcec87b00:movzx  eax,WORD PTR [r15+0x2]// OOB read
   0x55adcec87b05:test   BYTE PTR [rbp+0x38],0x1
   0x55adcec87b09:je     0x55adcec87b1f
   0x55adcec87b0b:rol    WORD PTR [r15],0x8
   0x55adcec87b10:test   BYTE PTR [rbp+0x38],0x1
   0x55adcec87b14:je     0x55adcec87b1f
   0x55adcec87b16:rol    ax,0x8
   0x55adcec87b1a:mov    WORD PTR [r15+0x2],ax// OOB write
   0x55adcec87b1f:movzx  edx,ax
   0x55adcec87b22:shl    rdx,0x2
(gdb) bt
#0  0x000055adcec87b00 in ?? ()
#1  0x000055adceb95ee4 in ?? ()
#2  0x000055adceb99f94 in ?? ()
#3  0x00007f09983700b3 in __libc_start_main (main=0x55adceb83a00, argc=12, argv=0x7ffd7e490d38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd7e490d28) at ../csu/libc-start.c:308
#4  0x000055adceb83a3e in _start ()
(gdb)
```



-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>

Comment 4 Wolfgang Frisch 2020-07-29 10:46:28 UTC

SUSE:SLE-11-SP1:Update   Not affected [1]
SUSE:SLE-11-SP3:Update   Not affected [1]
SUSE:SLE-12-SP2:Update   Affected [2]
SUSE:SLE-12-SP4:Update   Affected
SUSE:SLE-12-SP5:Update   Affected [2]
SUSE:SLE-15:Update       Affected
SUSE:SLE-15-SP1:Update   Affected
SUSE:SLE-15-SP2:Update   Affected

[1] API not present
[2] Reproduced

Comment 10 Stefan Dirsch 2020-08-25 15:33:51 UTC

Date: Tue, 25 Aug 2020 17:24:05 +0200
From: Matthieu Herrb <matthieu@herrb.eu>
To: xorg-announce@lists.x.org
Subject: X.Org server security advisory: August 25, 2020

Multiple input validation failures in X server extensions
=========================================================

All theses issuses  can lead to local privileges elevation
on systems where the X server is running privileged.

* CVE-2020-14345 / ZDI CAN 11428 XkbSetNames Out-Of-Bounds Access

The handler for the XkbSetNames request does not validate the request
length before accessing its contents.

* CVE-2020-14346 / ZDI CAN 11429 XIChangeHierarchy Integer Underflow

An integer underflow exists in the handler for the XIChangeHierarchy
request.

* CVE-2020-14361 / ZDI CAN 11573 XkbSelectEvents Integer Underflow

An integer underflow exist in the handler for the XkbSelectEvents
request.

* CVE-2020-1436 / ZDI CAN 11574 XRecordRegisterClients Integer Underflow

An integer underflow exist in the handler for the CreateRegister
request of the X record extension.

Patches
-------

Patches for this issues have been commited to the xorg server git
repository. xorg-server 1.20.9 will be released shortly and will
include these patches.

https://gitlab.freedesktop.org/xorg/xserver.git

commit 11f22a3bf694d7061d552c99898d843bcdaf0cf1

    Correct bounds checking in XkbSetNames()

    CVE-2020-14345 / ZDI 11428

commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e

    Fix XIChangeHierarchy() integer underflow

    CVE-2020-14346 / ZDI-CAN-11429

commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8

    Fix XkbSelectEvents() integer underflow

    CVE-2020-14361 ZDI-CAN 11573

commit 24acad216aa0fc2ac451c67b2b86db057a032050

    Fix XRecordRegisterClients() Integer underflow

    CVE-2020-14362 ZDI-CAN-11574

Thanks
======

These vulnerabilities have beend discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.

--
Matthieu Herrb

Comment 11 OBSbugzilla Bot 2020-08-25 16:50:11 UTC

This is an autogenerated message for OBS integration:
This bug (1174638) was mentioned in
https://build.opensuse.org/request/show/829591 Factory / xorg-x11-server

Comment 14 Stefan Dirsch 2020-08-25 20:26:10 UTC

Packages are submitted (factory/TW, sle15-sp2, sle15-sp1, sle15, sle12-sp5, sle12-sp4, sle12-sp2, sle11-sp3, sle11-sp1). Reassigning back to security team.

Comment 15 Swamp Workflow Management 2020-08-25 22:14:26 UTC

SUSE-SU-2020:2242-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2020-08-25 22:16:36 UTC

SUSE-SU-2020:2325-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.8.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2020-08-25 22:17:41 UTC

SUSE-SU-2020:2240-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Swamp Workflow Management 2020-08-25 22:18:55 UTC

SUSE-SU-2020:2326-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1120999,1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.16.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2020-08-25 22:20:00 UTC

SUSE-SU-2020:2241-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2020-08-26 13:14:35 UTC

SUSE-SU-2020:2331-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE OpenStack Cloud 7 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.26.1
SUSE Enterprise Storage 5 (src):    xorg-x11-server-7.6_1.18.3-76.26.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Alexandros Toptsoglou 2020-08-27 13:25:48 UTC

Done

Comment 22 Swamp Workflow Management 2020-08-29 13:13:40 UTC

openSUSE-SU-2020:1279-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xorg-x11-server-1.20.3-lp151.4.3.1

Comment 23 Swamp Workflow Management 2020-08-31 04:18:27 UTC

openSUSE-SU-2020:1302-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174633,1174635,1174638
CVE References: CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.3.1