Bug 1190488 - (CVE-2021-4010) VUL-0: CVE-2021-4010: xorg-x11-server: SProcScreenSaverSuspend Out-Of-Bounds Access Local Privilege Escalation Vulnerability (ZDI-CAN-14951)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/309972
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4010:7.8:(AV:L...
Reported: 2021-09-14 14:36 UTC by Gianluca Gabrielli
Modified: 2022-04-07 10:40 UTC
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Researcher proposed patch (390 bytes, patch)
2021-09-14 14:42 UTC, Gianluca Gabrielli
Description Gianluca Gabrielli 2021-09-14 14:36:20 UTC
The attachment named ZDI-CAN-14951.zip could not be scanned for viruses because it is a password protected file.
ZDI-CAN-14951: X.Org Server SProcScreenSaverSuspend Out-Of-Bounds Access Local Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested: 1.20.4
* Installer file: debian-10.10.0-amd64-xfce-CD-1.iso
* Platform tested: debian-10.10.0-amd64-xfce-CD-1.iso

---

### Analysis

```
the exploit doesn't work if the OS installed on vmware and default virtualbox
it works on virtualbox with VBoxVGA graphic controller

OOB access bug exists in xserver, SProcRenderCompositeGlyphs()
https://gitlab.freedesktop.org/xorg/xserver/-/blob/236d1775509404b0dcf44873422dd8652b1e9588/render/render.c#L2323
exploit uses pixmap to spray and achieve the arbitrary read/write
it leads to LPE for some distributions (xorg in debian is run as root under specific display driver) and RCE for ssh x11 forwarding environment
```

```c
SProcScreenSaverSuspend(ClientPtr client)
{
    REQUEST(xScreenSaverSuspendReq);

    swaps(&stuff->length);
    swapl(&stuff->suspend);             // OOB access
    REQUEST_SIZE_MATCH(xScreenSaverSuspendReq); // check buffer size after access
    return ProcScreenSaverSuspend(client);
}
```


debug log
```
(gdb) si
0x000055b5e84d458e in ?? ()
1: x/i $pc
=> 0x55b5e84d458e:      mov    edx,DWORD PTR [rax+0x4]
(gdb)
0x000055b5e84d4591 in ?? ()
1: x/i $pc
=> 0x55b5e84d4591:      rol    WORD PTR [rax+0x2],0x8           // swapl(&stuff->suspend);
(gdb) x/10xg $rax
0x55b5edf7e1e4: 0x0100001101000590      0x0000000000000000              // before corruption
0x55b5edf7e1f4: 0x41414141003fffff      0x4141414141414141
0x55b5edf7e204: 0x4141414141414141      0x4141414141414141
0x55b5edf7e214: 0x4141414141414141      0x4141414141414141
0x55b5edf7e224: 0x4141414141414141      0x4141414141414141
(gdb) si
0x000055b5e84d4596 in ?? ()
1: x/i $pc
=> 0x55b5e84d4596:      bswap  edx
(gdb) si
0x000055b5e84d4598 in ?? ()
1: x/i $pc
=> 0x55b5e84d4598:      mov    DWORD PTR [rax+0x4],edx
(gdb) si
0x000055b5e84d459b in ?? ()
1: x/i $pc
=> 0x55b5e84d459b:      cmp    DWORD PTR [rdi+0x68],0x2
(gdb) x/10xg 0x55b5edf7e1e4
0x55b5edf7e1e4: 0x1100000100010590      0x0000000000000000              // corrupted next request
0x55b5edf7e1f4: 0x41414141003fffff      0x4141414141414141
0x55b5edf7e204: 0x4141414141414141      0x4141414141414141
0x55b5edf7e214: 0x4141414141414141      0x4141414141414141
0x55b5edf7e224: 0x4141414141414141      0x4141414141414141
(gdb) bt
#0  0x000055b5e84d459b in ?? ()
#1  0x000055b5e84ec99e in ?? ()
#2  0x000055b5e84f0986 in ?? ()
#3  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#4  0x000055b5e84da67a in _start ()
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
312     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
1: x/i $pc
=> 0x7fe021294733 <__memmove_avx_unaligned_erms+131>:   mov    rcx,QWORD PTR [rsi+rdx*1-0x8]
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
#1  0x00007fe0200d4b42 in fbBlt () from /usr/lib/xorg/modules/libfb.so
#2  0x00007fe0200d58a6 in fbBltStip () from /usr/lib/xorg/modules/libfb.so
#3  0x00007fe0200d9d30 in fbGetImage () from /usr/lib/xorg/modules/libfb.so
#4  0x000055b5e8638410 in ?? ()
#5  0x000055b5e8574b3b in ?? ()
#6  0x000055b5e84e9849 in ?? ()
#7  0x000055b5e84ec99e in ?? ()
#8  0x000055b5e84f0986 in ?? ()
#9  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#10 0x000055b5e84da67a in _start ()
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

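To make the ordering defect in the reported handler concrete, here is an added C model of it (example code written for this page, not the xserver's own source and not the researcher's attached patch). The `Client` struct, the `REQUEST_SIZE_MATCH` macro, the request layout and the 8-byte buffers are constructed stand-ins. The buffer in `run_truncated` holds a request that carries only its 4-byte header, followed by the header of the next queued request; the swap-then-check ordering byte-swaps those 4 bytes before it reports BadLength, which is the "corrupted next request" the gdb log shows, while the check-then-swap ordering rejects the request without touching them. The well-formed case shows both orderings accept a correctly sized request.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of the request, modelled on the X protocol header style.
 * Constructed for this example; not copied from the xserver headers. */
typedef struct {
    uint8_t  reqType;
    uint8_t  saverReqType;
    uint16_t length;    /* request length in 4-byte units, header included */
    uint32_t suspend;
} xScreenSaverSuspendReq;

#define SUCCESS    0
#define BAD_LENGTH 16   /* X11 BadLength error code */

/* Hypothetical stand-in for ClientPtr: the request buffer plus the request
 * length the dispatcher derived from the header, in 4-byte units. */
typedef struct {
    uint8_t *requestBuffer;
    size_t   req_len;
} Client;

/* 4-byte-aligned backing store so overlaying the struct is well-defined. */
typedef union { uint32_t align[2]; uint8_t bytes[8]; } ReqBuf;

static void swaps(uint16_t *p) { *p = (uint16_t)((*p << 8) | (*p >> 8)); }
static void swapl(uint32_t *p) {
    uint32_t v = *p;
    *p = (v << 24) | ((v & 0xff00U) << 8) | ((v >> 8) & 0xff00U) | (v >> 24);
}

/* Model of REQUEST_SIZE_MATCH: the request must be exactly sizeof(type). */
#define REQUEST_SIZE_MATCH(client, type) \
    do { if ((client)->req_len != sizeof(type) / 4) return BAD_LENGTH; } while (0)

/* Vulnerable ordering, as in the reported function: swap first, validate after.
 * When the client sent only the 4-byte header, swapl() reads and rewrites the
 * 4 bytes that belong to the next request queued in the buffer. */
int sproc_suspend_vulnerable(Client *client)
{
    xScreenSaverSuspendReq *stuff = (xScreenSaverSuspendReq *)client->requestBuffer;
    swaps(&stuff->length);              /* header field: always present */
    swapl(&stuff->suspend);             /* bytes 4..7: may lie past the request */
    REQUEST_SIZE_MATCH(client, xScreenSaverSuspendReq);
    return SUCCESS;
}

/* Fixed ordering: validate the size before touching any field beyond the
 * 4-byte header that every request is guaranteed to carry. */
int sproc_suspend_fixed(Client *client)
{
    xScreenSaverSuspendReq *stuff = (xScreenSaverSuspendReq *)client->requestBuffer;
    swaps(&stuff->length);
    REQUEST_SIZE_MATCH(client, xScreenSaverSuspendReq);
    swapl(&stuff->suspend);
    return SUCCESS;
}

/* Run one handler over a constructed buffer: a truncated SuspendReq (only the
 * 4-byte header, length field = 1 unit) immediately followed by the header of
 * the next request. Returns the handler's status and sets *next_corrupted when
 * the second request's bytes were modified. */
int run_truncated(int (*handler)(Client *), int *next_corrupted)
{
    ReqBuf buf = { .bytes = {
        0x81, 0x05, 0x00, 0x01,   /* truncated SuspendReq from a big-endian client */
        0x2b, 0x00, 0x00, 0x01    /* next request's header (constructed sample) */
    } };
    uint8_t next_before[4];
    memcpy(next_before, buf.bytes + 4, 4);

    Client client = { buf.bytes, 1 };   /* dispatcher: this request is 1 unit */
    int status = handler(&client);
    *next_corrupted = memcmp(next_before, buf.bytes + 4, 4) != 0;
    return status;
}

/* Well-formed 8-byte request (length = 2): both orderings accept it and decode
 * the suspend flag. Returns the host-order value (1 on a little-endian host). */
uint32_t run_well_formed(int (*handler)(Client *), int *status)
{
    ReqBuf buf = { .bytes = { 0x81, 0x05, 0x00, 0x02,  0x00, 0x00, 0x00, 0x01 } };
    Client client = { buf.bytes, 2 };
    *status = handler(&client);
    return ((xScreenSaverSuspendReq *)buf.bytes)->suspend;
}

int main(void)
{
    int corrupted, status;
    status = run_truncated(sproc_suspend_vulnerable, &corrupted);
    printf("vulnerable: status=%d next request corrupted=%d\n", status, corrupted);
    status = run_truncated(sproc_suspend_fixed, &corrupted);
    printf("fixed:      status=%d next request corrupted=%d\n", status, corrupted);
    printf("well-formed suspend=%u\n", (unsigned)run_well_formed(sproc_suspend_fixed, &status));
    return 0;
}
```

Both orderings return BadLength for the truncated request, so the status alone does not reveal the bug; what differs is the side effect on memory the request does not own. That is why the fix for this class of swapped-request handlers is simply to place the size check before any access beyond the fixed 4-byte request header, and why a code review of `SProc*` functions should look for every field swap that precedes `REQUEST_SIZE_MATCH` or `REQUEST_AT_LEAST_SIZE`.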
Comment 2 Gianluca Gabrielli 2021-09-14 14:42:09 UTC
Created attachment 852507
Researcher proposed patch
Comment 4 Gianluca Gabrielli 2021-09-15 15:19:09 UTC
Affected packages:
 - SUSE:SLE-12-SP2:Update/xorg-x11-server
 - SUSE:SLE-12-SP4:Update/xorg-x11-server
 - SUSE:SLE-12-SP5:Update/xorg-x11-server
 - SUSE:SLE-15-SP1:Update/xorg-x11-server
 - SUSE:SLE-15-SP2:Update/xorg-x11-server
 - SUSE:SLE-15:Update/xorg-x11-server
 - openSUSE:Factory/xorg-x11-server
Comment 9 Robert Frohl 2021-12-14 13:51:37 UTC
public via oss-security
Comment 12 Stefan Dirsch 2021-12-14 18:56:47 UTC
BTW, sle15-GA and below, i.e. sle12 and sle11, are not affected by this issue.
Comment 13 Stefan Dirsch 2021-12-14 20:40:06 UTC
Submitted for sle15 >= sp1, Tumbleweed and sle15-sp4.
Comment 14 Stefan Dirsch 2021-12-14 20:41:01 UTC
Reassigning to security team.
Comment 15 OBSbugzilla Bot 2021-12-14 21:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (1190488) was mentioned in
https://build.opensuse.org/request/show/940574 Factory / xorg-x11-server
Comment 17 Swamp Workflow Management 2021-12-20 17:19:55 UTC
SUSE-SU-2021:4122-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Enterprise Storage 6 (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE CaaS Platform 4.0 (src):    xorg-x11-server-1.20.3-14.5.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2021-12-21 20:16:42 UTC
openSUSE-SU-2021:4136-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xorg-x11-server-1.20.3-22.5.42.1
Comment 19 Swamp Workflow Management 2021-12-21 20:18:21 UTC
SUSE-SU-2021:4136-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Manager Retail Branch Server 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Manager Proxy 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Enterprise Storage 7 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE CaaS Platform 4.5 (src):    xorg-x11-server-1.20.3-22.5.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2021-12-22 11:18:47 UTC
openSUSE-SU-2021:1606-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.36.1
Comment 21 Swamp Workflow Management 2022-02-17 11:25:17 UTC
SUSE-SU-2021:4136-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2022-02-17 11:29:48 UTC
openSUSE-SU-2021:4136-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xorg-x11-server-1.20.3-22.5.42.1
Comment 23 Alexander Bergmann 2022-04-07 10:40:24 UTC
Fixed.