CVE-2007-6428 - X.Org X Server 'TOG-CUP' Extension Local Privilege Escalation Vulnerability

Publication

2008-01-18

Last modification

2018-10-15

Summary

The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.

Description

X.Org X Server is prone to a local privilege-escalation vulnerability.Attackers can exploit this issue to execute arbitrary code with superuser privileges or to crash the affected computer.NOTE: This vulnerability was previously covered in BID 27336 (X.Org X Server Multiple Local Privilege Escalation and Information Disclosure Vulnerabilities), but has been given its own record to better document the issue.

Solution

The vendor has released an update and an advisory. Please see the references for more information. X.org xorg-server 1.4 X.org xorg-xserver-1.4-multiple-overflows.diff ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-mu ltiple-overflows.diff Apple Mac OS X 10.4.11 Apple SecUpd2008-002PPC.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpd2008-002PPC.dmg Apple SecUpd2008-002Univ.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpd2008-002Univ.dmg Apple Mac OS X Server 10.4.11 Apple SecUpdSrvr2008-002PPC.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpdSrvr2008-002PPC.dmg Apple SecUpdSrvr2008-002Univ.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpdSrvr2008-002Univ.dmg Apple Mac OS X 10.5.2 Apple SecUpd2008-002.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpd2008-002.dmg Apple Mac OS X Server 10.5.2 Apple SecUpdSrvr2008-002.dmg http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat= 57&platform=osx&method=sa/SecUpdSrvr2008-002.dmg

Exploit

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: info@vumetric.com.

Risk level (CVSS AV:N/AC:L/Au:N/C:P/I:N/A:N)

Medium

5.0

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

OVAL definition

{
    "accepted": "2013-04-29T04:15:38.122-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Aharon Chernin",
            "organization": "SCAP.com, LLC"
        },
        {
            "name": "Dragos Prisaca",
            "organization": "G2, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 3",
            "oval": "oval:org.mitre.oval:def:11782"
        },
        {
            "comment": "CentOS Linux 3.x",
            "oval": "oval:org.mitre.oval:def:16651"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 4",
            "oval": "oval:org.mitre.oval:def:11831"
        },
        {
            "comment": "CentOS Linux 4.x",
            "oval": "oval:org.mitre.oval:def:16636"
        },
        {
            "comment": "Oracle Linux 4.x",
            "oval": "oval:org.mitre.oval:def:15990"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 5",
            "oval": "oval:org.mitre.oval:def:11414"
        },
        {
            "comment": "The operating system installed on the system is CentOS Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15802"
        },
        {
            "comment": "Oracle Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15459"
        }
    ],
    "description": "The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:11754",
    "status": "accepted",
    "submitted": "2010-07-09T03:56:16-04:00",
    "title": "The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.",
    "version": "24"
}

Affected Products

Vendor Product Versions
X.Org TOG CUP 
X.Org Xserver  1.4

External references