Exploiting large memory management vulnerabilities in Xorg server running on Linux

A malicious authenticated client can force Xorg server to exhaust (or fragment) its address space. If running on Linux,this may result in the process stack top being in an unexpected region and execution of arbitrary code with server priv-ileges (root).x86 32 and x86 64 platforms are aected, others most probably are aected,too.Note that depending on the system con guration, by default local unpriv-ileged users may be able to start an instance of Xorg server that requires no authentication and exploit it.Also if a remote attacker exploits a (unrelated) vulnerability in a GUI application (e.g. web browser),he will have ability to attack X server.
In case of a local attacker that can use MIT-SHM extension (which is the most likely scenario),the exploit is very reliable.Identi er CVE-2010-2240 has been reserved for the underlying issue (Linux kernel not providing stack and heap separation).This issue has been known for at least five years.

Download PDF