Redhat 4.2 X11 /tmp/.X11-unix permissions problem

Summary
Description:Any local user can destroy X service by moving (or deleting) the UNIX domain socket redhat puts in /tmp/.X11-unix/X0 . Redhat apparently forgot the sticky bit. I think this works in Redhat 4.0 too.
Author:Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
Compromise:Screw up X (local)
Vulnerable Systems:Thos running the Redhat 4.2 and 4.0 Linux distributions.
Date:14 November 1997
Details


Date: Fri, 14 Nov 1997 02:13:22 +0100
From: Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
To: BUGTRAQ@NETSPACE.ORG
Subject: X Security problem (?)

Hi,

        this isn't an exploit - I let others write that ;) (don't
have time for that).

But five minutes ago I found something that might be abused:

On my (RedHat4.2) linux box, I find:

/tmp/.X11-unix/X0=

A UNIX domain socket of the X server I assume.

The permissions are:

drwxrwxrwt   3 root     root         1024 Nov 14 01:38 /tmp/
drwxrwxrwx   2 root     users        1024 Nov 14 01:56 /tmp/.X11-unix/
srwxrwxrwx   1 root     users           0 Nov 13 23:09 X0

So, as any user (I did it as 'nobody'), I can do:

rm /tmp/.X11-unix/X0

After which X doesn't work anymore (can't open a new terminal).

I can also do:

cd /tmp/.X11-unix
mv X0 Y0

(can't open an xterm)

mv Y0 X0

(everything works again).

Now I didn't test the following, but doesn't this mean that I can
- as nobody - mv X0 Y0; open a new X0 socket and start to accept
connections, piping everything to Y0, reading everything people
type, like passwords when they use 'su' ? ...

Carlo Wood

PS This is my first post, so I expect to make a terrible error
   here somehow ;).  If so, I hope the moderator will simply
   refuse the post.

--
 carlo@runaway.xs4all.nl, Run @ IRC.

 ircd development:  http://www.xs4all.nl/~carlo17/ircd-dev

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]