X Font Server flaw hits Sun Solaris hard


Summary: Default installations of Sun's free Solaris operating system are sitting ducks for remote code execution attacks. According to an alert from iDefense, the flaw exists in the way Solaris implements the X Font Server (xfs), which is used to handle font rendering on X11 (X Window System).


Default installations of Sun's free Solaris operating system are sitting ducks for remote code execution attacks.

According to an alert from iDefense, the flaw exists in the way Solaris implements the X Font Server (xfs), which is used to handle font rendering on X11 (X Window System).

The vulnerability, fixed in XFS version 1.0.5, affects multiple vendors but current versions of Solaris are hardest hit because the XFS service is turned on by default and listens on TCP port 7100.

"These vulnerabilities are remotely exploitable [on Solaris]," iDefense warned.

In the absence of a patch from Sun Microsystems, Solaris users are urged to stop XFS from listening remotely by disabling it via the service manager.

[SEE: Sun rushes out patch for Solaris Telnet exploit]

Exploit code for this vulnerability has been released by Immunity, Inc., a penetration testing firm that sells access to exploits and vulnerabilities. "Good default anonymous remotes don't come out every day. Solaris is still all over the place so this sort of thing is quite interesting," said Immunity researcher Dave Aitel.

On modern Linux systems, these vulnerabilities are only locally exploitable since the server is configured to listen on a UNIX socket only.

Technical details of the X Font Server vulnerabilities:

An integer overflow vulnerability exists within the handlers for the QueryXBitmaps and QueryXExtents protocol requests. Both requests result in a call to the build_range() function. This function takes a 32-bit integer from the request and uses it in an arithmetic operation that calculates the size of a dynamic buffer. This calculation can overflow, which leads to an improperly sized memory allocation and, in turn, a heap overflow when the request data is copied into the undersized buffer.

Additionally, a heap corruption vulnerability exists within the handlers for the QueryXBitmaps and QueryXExtents protocol requests. Both requests result in a call to the swap_char2b() function. This function takes a 32-bit integer from the request and uses it as the number of bytes to swap in the request buffer, without checking it against the number of bytes actually received. This allows an attacker to swap an arbitrary number of bytes on the heap.
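To make the two defects concrete, here is an added example (written for this page, not xfs's own code) that models the size calculation and swap count the article describes: the unchecked 32-bit multiplication beside a hardened check that bounds both counts by the bytes actually received. The range layout, field names and big-endian wire order are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Model of one character range in a QueryXBitmaps/QueryXExtents request:
 * two 16-bit code points, 4 bytes on the wire (layout assumed). */
typedef struct { uint16_t first, last; } range_t;
#define RANGE_WIRE_SIZE 4u

/* Flawed pattern from the article: a 32-bit count from the request is
 * multiplied by the element size with no check, so the product can wrap
 * to a tiny allocation while the copy loop still runs num_ranges times. */
uint32_t flawed_range_alloc_size(uint32_t num_ranges) {
    return num_ranges * (uint32_t)sizeof(range_t);
}

/* Hardened: the count may not exceed what the received payload can hold,
 * and the product must be representable. 1 = ok, 0 = drop the request. */
int range_count_ok(uint32_t num_ranges, size_t payload_len) {
    if (num_ranges > payload_len / RANGE_WIRE_SIZE) return 0;
    if (num_ranges > SIZE_MAX / sizeof(range_t)) return 0;
    return 1;
}

/* Same bound for the byte-swap count: never swap more than was received. */
int swap_count_ok(uint32_t swap_bytes, size_t payload_len) {
    return swap_bytes <= payload_len;
}

/* Parses num_ranges ranges from payload into a new array; NULL if malformed. */
range_t *parse_ranges(const uint8_t *payload, size_t payload_len,
                      uint32_t num_ranges, size_t *out_count) {
    *out_count = 0;
    if (num_ranges == 0 || !range_count_ok(num_ranges, payload_len)) return NULL;
    range_t *r = malloc((size_t)num_ranges * sizeof(range_t));
    if (r == NULL) return NULL;
    for (uint32_t i = 0; i < num_ranges; i++) {
        const uint8_t *p = payload + (size_t)i * RANGE_WIRE_SIZE;
        r[i].first = (uint16_t)((p[0] << 8) | p[1]);   /* big-endian assumed */
        r[i].last  = (uint16_t)((p[2] << 8) | p[3]);
    }
    *out_count = num_ranges;
    return r;
}

/* Self-check on a constructed two-range payload: returns the second
 * range's last code point (0xff) and frees the array. */
unsigned sample_second_range_last(void) {
    static const uint8_t payload[8] = {0x00,0x20,0x00,0x7e, 0x00,0xa0,0x00,0xff};
    size_t n;
    range_t *r = parse_ranges(payload, sizeof payload, 2, &n);
    unsigned last = (r != NULL && n == 2) ? r[1].last : 0;
    free(r);
    return last;
}
```

With a constructed count of 0x40000001 and a 4-byte element, the flawed product is 2^32 + 4 and wraps to 4 bytes, while range_count_ok rejects the same count against any realistic payload length.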

Sun Microsystems has taken baby steps recently to improve its security response process. This month, for the first time, the company provided advance notification of security updates for Java SE.

Sun said this is the first step towards the simultaneous release of security fixes across all supported Java SE release families. "Sun expects to fully synchronize the release of security fixes across all supported releases, including J2SE 1.3.1 in 2008," the company said on its security blog.

Sun has been heavily criticized in the past for the way Java patches are released.


Talkback

9 comments
  • it's a good alert, but what kind of idiots

    are Immunity and this David Aitel, to publish exploit code?

    I think the feeling of power the malware people get from this kind of thing must be large ego-satisfaction, and it is entirely wrong.

    His pseudo-academic 'it's interesting' is just plain dumb. This is a world where there are many persons who can understand whole situations, and little ivory towers get their appropriate reward.

    Well, as an adult, this kind of thing is very saddening and irritating.

    Regards, Ryan,
    Clive
    Narr vi
    • Excuse me?

      Publishing exploit code has been happening for decades. If you're old enough to remember the early bugtraq mailing list, we'd find almost every Unix related exploit code out there, including the ever repeating periodic sendmail bugs, etc. This is nothing new.
      kraterz
  • One way to get free publicity for your OS ...

    Any OS vendor that fails to lock down their OS out the gate will pay the price in the marketplace. Who is going to trust a vendor who allows these things to happen? Sun is getting what it deserves on this one. Only by suffering will these vendors clean up their act.
    George Mitchell
    • Who is going to trust a vendor...?

      "Who is going to trust a vendor who allows these things to happen?"

      I used to think that, too, back when Microsoft came out with Active Desktop. I was all "this is bullshit. This is obviously broken. Who's going to trust them after the problems hit." and I banned IE and Outlook and anything else that used the HTML control at our division, and waited for other companies to do the same.

      I was amazed when it didn't happen, even after the next few years saw email viruses and worms and infections through browsers and spyware hit this amazing peak. Where before viruses were something you didn't worry about if you didn't download programs from random sites, now they were everywhere.

      Five years later, we centralised IT, and they standardised IE as the only browser in the company. The next week the company got hit with a major new virus, and for the first time in five years we got hit too.

      So... I no longer believe that even the most incredibly bad designs will get punished in the market. This won't hurt Sun or teach anyone a lesson... it happens too often, and it hasn't taught anyone a lesson yet.
      Resuna
      • And of course you are ...

        probably correct. What a :( commentary about society in general.
        George Mitchell
  • RE: X Font Server flaw hits Sun Solaris hard

    At the risk of repeating myself... how come these exploiters seem to be more 'with it' than the exploitees? I mean, you don't expect the car thief carjacking your Mercedes to be more informed on the workings of your car than an official Mercedes mechanic, do you? Or would you?!
    Signed,
    A disgruntled Mercedes owner
    chris.copp@...
  • Don't turn services on by default, and bind them to localhost if you can.

    This is the kind of alert that we usually hear about hitting Windows, because of their propensity for leaving services running with global listeners.

    "the XFS service is turned on by default and listens on TCP port 7100."

    "Doctor, it hurts when I do this". Don't do that, then.
    Resuna
  • solaris is still better than windoze

    you get vulnerabilities once or twice a year for solaris, not like weekly for windoze.
    Linux Geek
  • RE: X Font Server flaw hits Sun Solaris hard?

    I guess I'm very confused at the "hard" part of this message. Solaris 10 has an install option to set the ports open or closed. Any decent sys-admin that specifies "open" should reexamine their credentials. In OpenSolaris, the installation is "Secure by Design" and xfs isn't even enabled. So, it would only hit Solaris hard if a sys-admin deliberately turned on this feature.

    I just got a patch for SUSE for the same bug, so why is Solaris so different that it should be singled out for this journalistic distinction?
    GAGendel