Vulnerability CVE-2006-4447


Published: 2006-08-29   Modified: 2012-02-12

Description:
X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm, does not check the return values for setuid and seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail, such as by exceeding a ulimit.

Vendor: X.org
Product: Emu-linux-x87-xlibs 
Version: 7.0_r1;
Product: X11r6 
Version:
6.8.2
6.8.1
6.8
6.7.0
Product: Xterm 
Version: 214;
Product: Xorg-server 
Version: 1.02_r5;
Product: XDM 
Version: 1.0.3;
Product: Xinit 
Version: 1.0.2_r5;
Product: X11r7 
Version:
1.0.2
1.0.1
1.0
Product: Xf86dga 
Version: 1.0.0;
Product: Xload 
Version: 1.0.0;

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.kb.cert.org/vuls/id/300368
http://security.gentoo.org/glsa/glsa-200608-25.xml
http://secunia.com/advisories/21650
http://lists.freedesktop.org/archives/xorg/2006-June/016146.html
http://www.vupen.com/english/advisories/2007/0409
http://www.vupen.com/english/advisories/2006/3409
http://www.securityfocus.com/bid/19742
http://secunia.com/advisories/21660
http://www.securityfocus.com/bid/23697
http://www.mandriva.com/security/advisories?name=MDKSA-2006:160
http://www.debian.org/security/2006/dsa-1193
http://security.gentoo.org/glsa/glsa-200704-22.xml
http://secunia.com/advisories/25059
http://secunia.com/advisories/25032
http://secunia.com/advisories/22332
http://secunia.com/advisories/21693
http://mail.gnome.org/archives/beast/2006-December/msg00025.html

Related CVE
CVE-2018-14665
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate the...
CVE-2018-14600
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.
CVE-2018-14599
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.
CVE-2018-14598
An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation f...
CVE-2017-2625
It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing...
CVE-2017-2624
It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations ret...
CVE-2017-12187
xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
CVE-2017-12186
xorg-x11-server before 1.19.5 was missing length validation in X-Resource extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

Copyright 2019, cxsecurity.com

 

Back to Top