Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2021-31535 libX11 Insufficient Length Checks PoC and Archeology

Related Vulnerabilities: CVE-2021-31535   CVE-2021-27135  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="51"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#52">By Date</a>
<a href="53"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="50"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#52">By Thread</a>
<a href="54"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2021-31535 libX11 Insufficient Length Checks PoC and	Archeology</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Roman Fiedler &lt;roman.fiedler () unparalleled eu&gt;


<em>Date</em>: Wed, 19 May 2021 12:22:48 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Hello list,

A missing length check in libX11 causes data from LookupColor
requests mess up the client-server communication protocol and
inject malicious X server requests. The flaw is comparable to
SQLi injecting commands into database connections granting an
attacker access to all features of the connection protocol.

Even with the flaw being embedded in the C-API/library, it can
be easily demonstrated with a simple PoC run in xterm [1]. On
most terminals the PoC will only produce a nice, blue background
while with appropriate libX11 and xterm the same PoC disables
X server authorization, thus allowing any program to connect
to the X server and take over the screen session. For details
on exploitation see [2].


The flaw is also interesting in two more ways:

1) for xterm the flaw can be easily detected using fuzzing. So
I assume that a) nobody else fuzzed xterm yet, even being that
old (less likely) or b) that the flaw was deemed a mere DoS
(interruption of X communication) but as it did not involve a
buffer overflow, was not seen exploitable or otherwise worth
reporting. Even I myself stumbled over it it already years ago
but then again forgot about it until doing some testing around
other recent rxvt/xterm flaws (CVE-2021-27135).

2) from archeological perspective it would have been interesting
to prove and not only assume, since when the bug was really exploitable.
At least the code seems to date back quite some time to 1986.
But even not from distant past, finding sufficient online resources
from that era to revive an ancient system and run an X environment
was not yet possible. If it happens that someone still has access
to full system backups of an X server system of that time I would
be happy to try to turn this into an emulator image and test
the exploit.

[1] <a rel="nofollow" href="https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/enjoy-all-the-colors.py">https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/enjoy-all-the-colors.py</a>
[2] <a rel="nofollow" href="https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/">https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/</a>


_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="51"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#52">By Date</a>
<a href="53"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="50"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#52">By Thread</a>
<a href="54"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2021-31535 libX11 Insufficient Length Checks PoC and	Archeology</strong> <em>Roman Fiedler (May 20)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started