> > Summary: > > On a system where X11R6-based Xserver (R5 is probably affected too) is > installed setuid or setgid (e.g. typical XFree86 installation has XF86_* > setuid root), local users can exploit a buffer overrun in its code and > gain extra privileges (e.g. root privileges when Xserver is setuid root). > > > Quick vulnerability check: > > X :00000000000000000000000000000000000000000000000000000000000000000\ > 00000000000000000000000000000000000000000000000000000000000000000000\ > 00000000000000000000000000000000000000000000000000000000000000000000\ > 00000000000000000000000000000000000000000000000000000000000000000000\ > 00000000000000000000000000000000000000000000000000000000000000000000\ > 00000000000000000000000000000000000000000000000000000000000000000000\ > 00000000000000000000000000000000000000000000000000000000000000000009 > > (add -nolock for XFree86, change X to whatever name your Xserver has) > > Vulnerable Xserver will crash (Segmentation fault). > > (Note: machines immunized against stack smashing--e.g. Linux boxes with > Solar Designer's kernel patch--are probably not vulnerable.) > > > Quick fix: > > * remove setuid/setgid bit from all installed Xservers > * use xdm or a safe setuid wrapper to start Xserver > > > Details: > > X11R6.x Xserver recognizes a runtime argument specifying the desired > display (e.g. X :1). It accepts ANY value regardless of its length > and contents (save from the initial colon). > > Excerpt from xc/programs/Xserver/os/access.c (X11R6.3) > > /* Reset access control list to initial hosts */ > void > ResetHosts (display) > char *display; > { > register HOST *host; > char lhostname[120], ohostname[120]; > char *hostname = ohostname; > char fname[100]; > > [snip] > > strcpy (fname, "/etc/X"); > strcat (fname, display); > strcat (fname, ".hosts"); > if (fd = fopen (fname, "r")) > [snip] > > } > > Xserver calls ResetHosts() during its startup. A very long value of > "display" (100 + 2*120 + delta bytes) overflows "fname" and corrupts > the stack. > > An actual exploit is left as an exercise for the reader. :) > > There are probably other vulnerable places in Xserver code. (I have > spotted another buffer overrun in LockServer() (os/utils.c, XFree86 > specific) but this one seems to be benign.) Anyone willing to pay me > big bucks for an exhaustive audit is welcome. :) > > > --Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration) > [ Boycott Microsoft -- http://www.vcnet.com/bms ] > Here's a wrapper for this bug and for the older XF86 security vulnerability (i.e. XF86_XX -config /etc/shadow) Vladimir ----------------------------cut from here------------------------------- /* Description: X server wrapper Goals: 1. wrap the "-config" security vulnerabillity 2. wrap the :000000000000...00000000000000009 potential buffer overflow Instalation steps: 0. Become root (su -) 1. Modify the X_Server program variable according to your taste (i.e. the X server true path, not the link to it!) 2. Compile this program as cc Xserver.c -O4 -o Xserver 3. Copy the resulting binary to /usr/X11/bin, or whatever path you may have 4. chmod 04711 Xserver 5. Suppose your X server is called "XF86_S3"; issue a command chmod 0711 XF86_S3 6. Remove the old link for X (e.g X -> /usr/X11/bin/XF86_S3) 7. Make a new link ln -s /usr/X11/bin/Xserver /usr/X11/bin/X Copyright policy: the GNU Public License. This program is intended as a temporary patch for an existing X server; it is provided "as is", the author is not responsible for any direct/indirect damage(s) caused by its use. */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <syslog.h> #include <pwd.h> #include <sys/types.h> /* This is intended for debugging porposes only. Do NOT define this for a normal usage!! */ #define _DEBUG #define SIZE 1024 /* guaranteed filled with NULLs by UNIX */ char* args[SIZE]; int argsCount = 0; char* sccsID = "@(#) X wrapper 1.0 Copyright (C) 1998 by Vadimir COTFAS (ulianovat_private), Jan 14th 1998"; char *X_Server = "/usr/X11/bin/XF86_S3"; int main(int argc, char* argv[]) { int i; uid_t uid, euid; struct passwd* pass; openlog("Xserver", LOG_CONS|LOG_NDELAY|LOG_PERROR|LOG_PID, LOG_AUTHPRIV); uid = getuid(); euid = geteuid(); if(!((uid==0) || (euid==0))){ fprintf(stderr,"Xserver: this program must be run as (setuid) root\n"); exit(1); } pass = getpwuid(uid); for(i=0; i<argc; i++){ char* p; if((index(argv[i],':') != NULL) && (strlen(argv[i]) > 2)){ syslog(LOG_NOTICE, "potential buff ovrflw at arg #%d user %s", i, pass->pw_name); continue; } if(strstr(argv[i], "-config")){ syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n", i, pass->pw_name); i++; continue; } if(argsCount >= SIZE){ syslog(LOG_NOTICE, "too many args (>1024) user %s \n", pass->pw_name); exit(1); } args[argsCount++] = argv[i]; } args[argsCount] = NULL; /* just to be sure */ #ifdef DEBUG for(i=0; i<argsCount; i++) printf("%s ", args[i]); printf("\n"); #endif if(execv(X_Server, args) < 0){ fprintf(stderr,"Xserver: could not execute the X server ``%s''\n", X_Server); exit(1); } /*NOTREACHED*/ return 0; } /* EOF */---- Network Guru Administrator http://www.mecanica.math.unibuc.ro/~ulianov Alternate e-mail ulianovat_private Home Phone: 40-01-7776598, 40-068-181613
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:54 PDT