Bugtraq mailing list archives
Re: X Security problem (?)
From: scottm () SCOTECH COM (Scott Moseman)
Date: Fri, 14 Nov 1997 06:55:01 -0600
Using Xfree86 3.3.1 via Slackware w/ kernel 2.0.30 I have:

drwxrwxrwt 4 root root 1024 Nov 14 07:35 /tmp/
drwxr-xr-x 2 root root 1024 Oct 29 00:03 /tmp/X11-unix/
srwxrwxrwx 1 root root 0 Oct 29 00:03 X0=

And expectedly, I get (as a user):

$ mv X0 Y0
mv: cannot move `X0' to `Y0': Permission denied

Just my $0.02,
Scott

On Fri, 14 Nov 1997, Carlo Wood wrote:

: Hi,
:
: this isn't an exploit - I let others write that ;) (don't
: have time for that).
:
: But five minutes ago I found something that might be abused:
:
: On my (RedHat4.2) linux box, I find:
:
: /tmp/.X11-unix/X0=
:
: A UNIX domain socket of the X server I assume.
:
: The permissions are:
:
: drwxrwxrwt 3 root root 1024 Nov 14 01:38 /tmp/
: drwxrwxrwx 2 root users 1024 Nov 14 01:56 /tmp/.X11-unix/
: srwxrwxrwx 1 root users 0 Nov 13 23:09 X0
:
: So, as any user (I did it as 'nobody'), I can do:
:
: rm /tmp/.X11-unix/X0
:
: After which X doesn't work anymore (can't open a new terminal).
:
: I can also do:
:
: cd /tmp/.X11-unix
: mv X0 Y0
:
: (can't open an xterm)
:
: mv Y0 X0
:
: (everything works again).
:
: Now I didn't test the following, but doesn't this mean that I can
: - as nobody - mv X0 Y0; open a new X0 socket and start to accept
: connections, piping everything to Y0, reading everything people
: type, like passwords when they use 'su' ? ...
:
: Carlo Wood
:
: PS This is my first post, so I expect to make a terrible error
: here somehow ;). If so, I hope the moderator will simply
: refuse the post.
:
: --
: carlo () runaway xs4all nl, Run @ IRC.
:
: ircd development: http://www.xs4all.nl/~carlo17/ircd-dev
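The difference between the two directory listings in this exchange, as an added example that is not part of either post: whether a socket can be renamed or removed depends on the mode of the directory holding it, not on the socket's own mode. The function names (`mode_from_ls`, `who_can_replace`, `audit_path`) and the `trusted_uid` parameter are hypothetical; the mode strings are the ones quoted in the thread, and the owner is assumed to be root as the listings show.

```python
import os
import stat
import sys

# Directory modes as printed by ls -l in the two messages above.
THREAD_LISTINGS = {
    "/tmp/ (both hosts)": "drwxrwxrwt",
    "/tmp/.X11-unix/ (RedHat4.2 report)": "drwxrwxrwx",
    "/tmp/X11-unix/ (Slackware reply)": "drwxr-xr-x",
}


def mode_from_ls(text):
    """Convert an ls -l mode string such as 'drwxrwxrwt' to an st_mode."""
    kinds = {"d": stat.S_IFDIR, "s": stat.S_IFSOCK, "-": stat.S_IFREG}
    mode, bits = kinds[text[0]], text[1:10]
    for i, ch in enumerate(bits):
        if ch in "rwxst":            # lowercase s/t mean x is set as well
            mode |= 1 << (8 - i)
    for pos, flag in ((2, stat.S_ISUID), (5, stat.S_ISGID), (8, stat.S_ISVTX)):
        if bits[pos] in "sStT":
            mode |= flag
    return mode


def who_can_replace(dir_mode, dir_uid=0, trusted_uid=0):
    """List the principals, other than the trusted owner, who can rename or
    unlink a socket in this directory. That right comes from write+search
    permission on the directory, not from the socket's own mode; the sticky
    bit restricts it to the owner of the entry or of the directory."""
    who = [] if dir_uid == trusted_uid else ["owner"]
    if not dir_mode & stat.S_ISVTX:
        for name, need in (("group", stat.S_IWGRP | stat.S_IXGRP),
                           ("other", stat.S_IWOTH | stat.S_IXOTH)):
            if (dir_mode & need) == need:
                who.append(name)
    return who


def audit_path(path, trusted_uid=0):
    """Apply the same check to a directory on the local system."""
    st = os.lstat(path)
    return who_can_replace(st.st_mode, st.st_uid, trusted_uid)


if __name__ == "__main__":
    for label, text in THREAD_LISTINGS.items():
        exposed = who_can_replace(mode_from_ls(text)) or "nobody"
        print(f"{label:38} {text}  replaceable by: {exposed}")
    for path in sys.argv[1:]:
        print(f"{path:38} replaceable by: {audit_path(path) or 'nobody'}")
```

Passing a directory path on the command line runs the same check against the local system.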