CVE-2021-31535
published 2021-05-27


Priority: P2 68
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.63% (95.2th percentile)
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.

Affected

8 ranges

Vendor         Product          Version range                      Fixed in
debian         libx11           < libx11 2:1.7.1-1 (bookworm)      libx11 2:1.7.1-1 (bookworm)
fedoraproject  fedora           (not given)                        (not given)
x.org          libx11           < 1.7.1                            1.7.1
x.org          libx11           >= 0 < 2:1.7.1-1                   2:1.7.1-1
x.org          libx11           >= 0 < 2:1.7.1-1                   2:1.7.1-1
x.org          libx11           >= 0 < 2:1.7.1-1                   2:1.7.1-1
x.org          libx11           >= 0 < 2:1.7.1-1                   2:1.7.1-1
x.org          x_window_system  <= x11r7.7                         (not given)

Detection & IOCs (extracted from sources)

  • The attack vector involves sending an XLookupColor request with a color-name longer than the maximum protocol size; the oversized user-controlled data is interpreted by the X server as additional X protocol requests and executed.
  • Delivery mechanism can be malicious terminal control sequences for color codes (e.g. via xterm), enabling injection of X11 protocol commands through terminal output.
  • One known payload effect is complete disabling of X server authorization; monitor for unexpected changes to X server authorization state (e.g. 'xhost +' equivalent commands injected via protocol).
  • The vulnerable code path is in LookupCol.c; the flaw allows injection of X11 protocol commands including potential bypass of authentication via injection of control characters.
  • Red Hat Enterprise Linux 8 and 9 do not run the Xorg server with root privileges, reducing the impact of exploitation on those platforms.
  • The vulnerability is fixed in libX11 1.7.1 and later; systems running libX11 >= 1.7.1 are not affected.
  • Attack surface is elevated when xterm or similar terminals are used to display less-trusted data (e.g. from SSH sessions to untrusted hosts), as terminal color-code sequences are the primary delivery vector.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL