Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Sun Alert 103200 Multiple Security Vulnerabilities in the Solaris X Server Extensions May Lead to a Denial of Service (DoS) Condition or Allow Execution of Arbitrary Code
Informations
Name SUN-103200 First vendor Publication 2008-01-17
Vendor Sun Last vendor Modification 2008-02-01
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Product: Solaris 8 Operating System Solaris 9 Operating System Solaris 10 Operating System

Multiple security vulnerabilities exist in the X11 XInput, EVI, MIT SHM and XFree86-MISC extensions to the Solaris X11 display server (Xorg(1), Xsun(1), and the Solaris X11 print server (Xprt(1)). These vulnerabilities may allow a local or remote unprivileged user who is authorized via xhost(1) or xauth(1) to connect to the X server and execute arbitrary code with root privileges, access arbitrary memory within the X server's address space, or crash the X11 display server process. The ability to crash the X11 display server is a type of Denial of Service (DoS).

These issues are described in the following documents:

CVE-2007-6427 at http://www.security-database.com/detail.php?cve=CVE-2007-6427

CVE-2007-6428 at http://www.security-database.com/detail.php?cve=CVE-2007-6428

CVE-2007-6429 at http://www.security-database.com/detail.php?cve=CVE-2007-6429

CVE-2007-5760 at http://www.security-database.com/detail.php?cve=CVE-2007-5760

State: Resolved
First released: 17-Jan-2008

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_103200_multiple_security

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
33 % CWE-362 Race Condition
33 % CWE-189 Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10372
 
Oval ID: oval:org.mitre.oval:def:10372
Title: The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Description: The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6427
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11045
 
Oval ID: oval:org.mitre.oval:def:11045
Title: Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
Description: Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6429
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11718
 
Oval ID: oval:org.mitre.oval:def:11718
Title: Array index error in the XFree86-Misc extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via a PassMessage request containing a large array index.
Description: Array index error in the XFree86-Misc extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via a PassMessage request containing a large array index.
Family: unix Class: vulnerability
Reference(s): CVE-2007-5760
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11754
 
Oval ID: oval:org.mitre.oval:def:11754
Title: The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.
Description: The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6428
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19332
 
Oval ID: oval:org.mitre.oval:def:19332
Title: HP-UX Running Xserver, Remote Execution of Arbitrary Code
Description: Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6429
Version: 13
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19689
 
Oval ID: oval:org.mitre.oval:def:19689
Title: HP-UX Running Xserver, Remote Execution of Arbitrary Code
Description: The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6427
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20265
 
Oval ID: oval:org.mitre.oval:def:20265
Title: Multiple vulnerabilities in the X server
Description: The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6427
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20793
 
Oval ID: oval:org.mitre.oval:def:20793
Title: Multiple vulnerabilities in the X server
Description: Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
Family: unix Class: vulnerability
Reference(s): CVE-2007-6429
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22333
 
Oval ID: oval:org.mitre.oval:def:22333
Title: ELSA-2008:0031: xorg-x11-server security update (Important)
Description: Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
Family: unix Class: patch
Reference(s): ELSA-2008:0031-02
CVE-2007-5760
CVE-2007-5958
CVE-2007-6427
CVE-2007-6428
CVE-2007-6429
Version: 25
Platform(s): Oracle Linux 5
Product(s): xorg-x11-server
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 1
Application 1
Application 1
Application 2
Application 2
Application 1
Os 56
Os 4
Os 2
Os 2
Os 2
Os 1
Os 3
Os 3
Os 1
Os 1

OpenVAS Exploits

Date Description
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-10-10 Name : SLES9: Security update for XFree86-libs
File : nvt/sles9p5020914.nasl
2009-10-10 Name : SLES9: Security update for XFree86-Xnest
File : nvt/sles9p5012483.nasl
2009-05-05 Name : HP-UX Update for Xserver HPSBUX02381
File : nvt/gb_hp_ux_HPSBUX02381.nasl
2009-04-09 Name : Mandriva Update for x11-server-xgl MDVSA-2008:025 (x11-server-xgl)
File : nvt/gb_mandriva_MDVSA_2008_025.nasl
2009-04-09 Name : Mandriva Update for x11-server MDVSA-2008:023 (x11-server)
File : nvt/gb_mandriva_MDVSA_2008_023.nasl
2009-03-23 Name : Ubuntu Update for xorg-server regression USN-571-2
File : nvt/gb_ubuntu_USN_571_2.nasl
2009-03-23 Name : Ubuntu Update for libxfont, xorg-server vulnerabilities USN-571-1
File : nvt/gb_ubuntu_USN_571_1.nasl
2009-03-06 Name : RedHat Update for XFree86 RHSA-2008:0029-01
File : nvt/gb_RHSA-2008_0029-01_XFree86.nasl
2009-03-06 Name : RedHat Update for xorg-x11 RHSA-2008:0030-01
File : nvt/gb_RHSA-2008_0030-01_xorg-x11.nasl
2009-03-06 Name : RedHat Update for xorg-x11-server RHSA-2008:0031-01
File : nvt/gb_RHSA-2008_0031-01_xorg-x11-server.nasl
2009-02-27 Name : CentOS Update for xorg-x11 CESA-2008:0030 centos4 i386
File : nvt/gb_CESA-2008_0030_xorg-x11_centos4_i386.nasl
2009-02-27 Name : CentOS Update for XFree86 CESA-2008:0029-01 centos2 i386
File : nvt/gb_CESA-2008_0029-01_XFree86_centos2_i386.nasl
2009-02-27 Name : CentOS Update for XFree86-100dpi-fonts CESA-2008:0029 centos3 i386
File : nvt/gb_CESA-2008_0029_XFree86-100dpi-fonts_centos3_i386.nasl
2009-02-27 Name : CentOS Update for xorg-x11 CESA-2008:0030 centos4 x86_64
File : nvt/gb_CESA-2008_0030_xorg-x11_centos4_x86_64.nasl
2009-02-27 Name : CentOS Update for XFree86-100dpi-fonts CESA-2008:0029 centos3 x86_64
File : nvt/gb_CESA-2008_0029_XFree86-100dpi-fonts_centos3_x86_64.nasl
2009-02-17 Name : Fedora Update for xorg-x11-server FEDORA-2008-0831
File : nvt/gb_fedora_2008_0831_xorg-x11-server_fc7.nasl
2009-02-17 Name : Fedora Update for xorg-x11-server FEDORA-2008-0760
File : nvt/gb_fedora_2008_0760_xorg-x11-server_fc8.nasl
2009-01-23 Name : SuSE Update for Xorg and XFree SUSE-SA:2008:003
File : nvt/gb_suse_2008_003.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200801-09 (xorg-server libXfont)
File : nvt/glsa_200801_09.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200804-05 (nx, nxnode)
File : nvt/glsa_200804_05.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200805-07 (ltsp)
File : nvt/glsa_200805_07.nasl
2008-09-04 Name : FreeBSD Ports: xorg-server
File : nvt/freebsd_xorg-server0.nasl
2008-01-31 Name : Debian Security Advisory DSA 1466-2 (xorg-server, libxfont, xfree86)
File : nvt/deb_1466_2.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
40944 X.Org Xserver XFree86-Misc Extension Crafted PassMessage Request Arbitrary Co...

40942 X.Org Xserver XInput Extension Multiple Function Arbitrary Code Execution

40941 X.Org Xserver TOG-CUP Extension ProcGetReservedColormapEntries Function Arbit...

40940 X.Org Xserver MIT-SHM Extension Crafted Request Arbitrary Code Execution

40939 X.Org Xserver Crafted GetVisualInfo Request Arbitrary Code Execution

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0031.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0030.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0029.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20080118_XFree86_on_SL3.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20080117_xorg_x11_server_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20080117_xorg_x11_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0030.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0031.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12043.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12040.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-023.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2008-025.nasl - Type : ACT_GATHER_INFO
2008-11-11 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_37972.nasl - Type : ACT_GATHER_INFO
2008-11-11 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_34392.nasl - Type : ACT_GATHER_INFO
2008-11-11 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_38840.nasl - Type : ACT_GATHER_INFO
2008-04-04 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_xgl-5100.nasl - Type : ACT_GATHER_INFO
2008-04-04 Name : The remote openSUSE host is missing a security update.
File : suse_xgl-5099.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2008-002.nasl - Type : ACT_GATHER_INFO
2008-01-29 Name : The remote openSUSE host is missing a security update.
File : suse_NX-4952.nasl - Type : ACT_GATHER_INFO
2008-01-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1466.nasl - Type : ACT_GATHER_INFO
2008-01-27 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_fe2b6597c9a411dc8da80008a18a9961.nasl - Type : ACT_GATHER_INFO
2008-01-27 Name : The remote Fedora host is missing a security update.
File : fedora_2008-0831.nasl - Type : ACT_GATHER_INFO
2008-01-27 Name : The remote Fedora host is missing a security update.
File : fedora_2008-0760.nasl - Type : ACT_GATHER_INFO
2008-01-21 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-571-2.nasl - Type : ACT_GATHER_INFO
2008-01-21 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_xorg-x11-Xnest-4875.nasl - Type : ACT_GATHER_INFO
2008-01-21 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_xorg-x11-libs-4860.nasl - Type : ACT_GATHER_INFO
2008-01-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0029.nasl - Type : ACT_GATHER_INFO
2008-01-21 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200801-09.nasl - Type : ACT_GATHER_INFO
2008-01-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0031.nasl - Type : ACT_GATHER_INFO
2008-01-18 Name : The remote openSUSE host is missing a security update.
File : suse_xorg-x11-Xnest-4859.nasl - Type : ACT_GATHER_INFO
2008-01-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0030.nasl - Type : ACT_GATHER_INFO
2008-01-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0029.nasl - Type : ACT_GATHER_INFO
2008-01-18 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-571-1.nasl - Type : ACT_GATHER_INFO
2007-10-12 Name : The remote host is missing Sun Security Patch number 125719-58
File : solaris10_125719.nasl - Type : ACT_GATHER_INFO
2006-11-06 Name : The remote host is missing Sun Security Patch number 118908-06
File : solaris9_x86_118908.nasl - Type : ACT_GATHER_INFO