Bugtraq mailing list archives
Re: XFree86 3.1.2 Security Problems
From: dawes () rf900 physics usyd edu au (David Dawes)
Date: Mon, 29 Jan 1996 16:40:19 +1100
> There are security holes in XFree86 3.1.2, which installs its servers as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files, it does not take proper precautions to ensure that file permissions are maintained, resulting in the ability to overwrite files, and to read limited portions of other files. The first problem stems from the server opening a temporary file, /tmp/.tX0-lock with mode (O_WRONLY|O_CREAT|O_TRUNC). By making this file a symlink, the server will overwrite the original file, and then write to it its current pid.
That's true, and this is a real problem.
> Other problems exist in the server relating to similar problems, one such example is the ability to specify an arbitrary file for the XF86config file which will then be opened, and the first line that fails to match the expected format will be output with an error, allowing a line to be read from an arbitrary file.
This is not true. The server sets its uid to the real-uid when reading the XF86Config file. For OSs that don't have saved IDs, it forks and the child sets its uid to the real uid before opening the file. It passes the data back to the parent. Also, the server only allows an arbitrary XF86Config file to be specified when started with real-uid 0.

David
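As an added illustration of the lock-file problem acknowledged above (this is not code from the report or from XFree86), the following C shows how a suid server can create a pid lock file so that a symlink planted at the path is refused instead of followed and truncated: O_CREAT|O_EXCL (plus O_NOFOLLOW) makes open() fail on any pre-existing object, and an fstat check on the opened descriptor rejects a hard link. Function names and the temp directory scenario are mine and constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the lock file without following a symlink or truncating anything.
 * O_CREAT|O_EXCL fails with EEXIST if any object (symlink included) already
 * sits at the path; the fstat check also rejects a hard link to another file. */
int create_lock_file(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Constructed scenario in a fresh temp directory: plant a symlink where the lock
 * would go, check its target survives, then take the lock once the symlink is gone. */
int lock_refuses_symlink(void)
{
    char dir[] = "/tmp/locktestXXXXXX", victim[64], lock[64], back[64] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("important data\n", f); fclose(f);
    if (symlink(victim, lock) < 0) return 0;
    int attacked = create_lock_file(lock, getpid());   /* must be -1 */
    f = fopen(victim, "r");
    if (f) { if (!fgets(back, sizeof back, f)) back[0] = 0; fclose(f); }
    unlink(lock);                                      /* remove the symlink */
    int taken = create_lock_file(lock, getpid());      /* now succeeds: 0 */
    unlink(lock); unlink(victim); rmdir(dir);
    return attacked == -1 && strcmp(back, "important data\n") == 0 && taken == 0;
}
```

The privilege-dropping approach described for the XF86Config file (setting the uid to the real uid, or forking a child that does so) is the complementary fix for reads; the lock file needs the exclusive-create pattern because the server must stay root to write it in /tmp.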