CERT Vulnerability Note VU#837857

X.Org server fails to properly test for effective user ID

Published: Aug 16, 2006 (www.kb.cert.org)

CVSS v2 Base Score: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
  Access Vector: LOCAL (AV:L)
  Access Complexity: LOW (AC:L)
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.001 (Low), percentile 25.5%

Overview

A vulnerability in the X.Org server could allow a local attacker to gain administrative privileges or cause a denial of service on an affected system.

Description

The X.Org server program provides several command-line options that are meant to be parsed only when the program is running as root. These include -modulepath, which specifies the location from which to load modules providing server functionality, and -logfile, which specifies the location of the server log file. Normally, these options cannot be changed by unprivileged users.

A flaw exists in the way that the server enforces this restriction: the check evaluates the address of the geteuid function instead of the result of calling it (i.e., "geteuid" versus "geteuid()"). Because the address of a function is never zero, the comparison always succeeds and the restriction is never applied. As a result, an unprivileged user can load modules from any location on the file system with root privileges or overwrite critical system files with the server log.
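The check described above, as an added example rather than X.Org's own code: it models the root-only option test with the missing "()" beside its corrected form, and runs both against a constructed argv for the setuid case (real UID 1000, effective UID 0). Function names, the policy shape, and the sample paths are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not X.Org's code: models the root-only option check that
 * the note describes. Policy as the note states it: -modulepath and -logfile
 * are honoured when the real user is root, or when the server holds no root
 * privilege anyway (effective UID != 0), since then honouring them is
 * harmless. The function names and the argv below are constructed. */

#if defined(__GNUC__)
/* Compilers flag this comparison ("the address of 'geteuid' will never be
 * NULL"); that warning is exactly how this bug class is caught. It is
 * silenced here only so the demonstration builds cleanly with -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
#endif

/* Vulnerable form (assumed shape of the original test): the second operand is
 * the ADDRESS of geteuid, not a call. A function's address is never null, so
 * the expression is always true and every caller is treated as privileged. */
static int root_options_allowed_buggy(uid_t ruid)
{
    return ruid == 0 || geteuid != 0;   /* BUG: missing "()" */
}

#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Corrected form. The IDs are parameters so the decision can be exercised
 * for any (real, effective) pair regardless of who runs this program. */
static int root_options_allowed_fixed(uid_t ruid, uid_t euid)
{
    return ruid == 0 || euid != 0;
}

/* Policy hook so the same argv scan can be run against either check. */
typedef int (*option_policy)(uid_t ruid, uid_t euid);

static int buggy_policy(uid_t ruid, uid_t euid)
{
    (void)euid;                          /* the buggy check never looks at it */
    return root_options_allowed_buggy(ruid);
}

/* Walk a server-style argv. Returns 1 if a root-only option is present and
 * the policy accepts it, 0 if present but refused, -1 if none is present. */
static int scan_privileged_options(int argc, char **argv, uid_t ruid,
                                   uid_t euid, option_policy allowed)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-modulepath") == 0 ||
            strcmp(argv[i], "-logfile") == 0)
            return allowed(ruid, euid) ? 1 : 0;
    }
    return -1;
}

/* The setuid scenario from the note: an ordinary user (real UID 1000,
 * constructed) starts a server that runs with effective UID 0 and passes
 * -modulepath. Returns the scan verdict under the given policy. */
static int run_setuid_scenario(option_policy allowed)
{
    char *sample_argv[] = { "Xorg", "-modulepath", "/home/user/modules",
                            "-logfile", "/home/user/Xorg.log" };
    int sample_argc = (int)(sizeof sample_argv / sizeof sample_argv[0]);
    return scan_privileged_options(sample_argc, sample_argv, 1000, 0, allowed);
}

int main(void)
{
    printf("buggy check, uid 1000 / euid 0: %s\n",
           run_setuid_scenario(buggy_policy) == 1 ? "accepted (vulnerable)" : "refused");
    printf("fixed check, uid 1000 / euid 0: %s\n",
           run_setuid_scenario(root_options_allowed_fixed) == 1 ? "accepted" : "refused");
    /* Same decision for the IDs this process actually has. */
    printf("fixed check for this process (uid %u / euid %u): %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           root_options_allowed_fixed(getuid(), geteuid()) ? "accepted" : "refused");
    return 0;
}
```

The buggy form accepts the option for every caller, which is the whole vulnerability; the fixed form refuses it precisely in the setuid-root case the note is about (real UID non-zero, effective UID 0) while still allowing it for root and for a server that is not privileged at all. Building with warnings enabled makes the defective comparison visible at compile time.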


Impact

If the X.Org server program is setuid to root, as is typically the case, an authenticated local attacker can execute code or overwrite system files with administrative privileges on an affected system.


Solution

Apply a patch from the vendor

Patches have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Users who compile the X.Org server from source code or obtain binary releases directly from X.Org are encouraged to take the actions specified in the corresponding X.Org Security Advisory.


Vendor Information


Fedora Project: Affected
Updated: July 24, 2006
Statement Date: March 20, 2006
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.
Addendum: The Fedora Project has published Fedora Update Notification FEDORA-2006-172 in response to this issue. Users are encouraged to review this notification and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email with the subject "VU#837857 Feedback".

Mandriva, Inc.: Affected
Updated: July 24, 2006
Statement Date: March 20, 2006
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.
Addendum: Mandriva has published Mandriva Security Advisory MDKSA-2006:056 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

SUSE Linux: Affected
Updated: July 24, 2006
Statement Date: March 21, 2006
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.
Addendum: SUSE has published SUSE Security Announcement SUSE-SA:2006:016 in response to this issue. Users are encouraged to review this announcement and apply the patches it refers to.

Sun Microsystems, Inc.: Affected
Updated: July 24, 2006
Statement Date: March 20, 2006
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.
Addendum: Sun Microsystems, Inc. has published Sun Alert ID: 102252 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

X.org Foundation: Affected
Updated: July 24, 2006
Statement Date: March 20, 2006
Vendor Statement:

X.Org Security Advisory, March 20th 2006
Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
and X11R7.0
CVE-ID: CVE-2006-0745

Overview:

During the analysis of results from the Coverity code review of X.Org,
we discovered a flaw in the server that allows local users to execute
arbitrary code with root privileges, or cause a denial of service by
overwriting files on the system, again with root privileges.

Vulnerability details:

When parsing arguments, the server takes care to check that only root
can pass the options -modulepath, which determines the location to load
many modules providing server functionality from, and -logfile, which
determines the location of the logfile. Normally, these locations
cannot be changed by unprivileged users.

This test was changed to test the effective UID as well as the real UID
in X.Org. The test is defective in that it tested the address of the
geteuid function, not the result of the function itself. As a result,
given that the address of geteuid() is always non-zero, an unprivileged
user can load modules from any location on the filesystem with root
privileges, or overwrite critical system files with the server log.

Affected versions:

xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
of X11R7.0, is vulnerable.
X11R6.9.0, and all release candidates, are vulnerable.
X11R6.8.2 and earlier versions are not vulnerable.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[…]

Fix:

Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
X11R7 tree:
80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

Alternately, xorg-server 1.0.2 has been released with this and other
code fixes:
5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2
b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2
f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz
3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gz
http://xorg.freedesktop.org/releases/individual/xserver/

Apply the patch below to the X.Org server as distributed with X11R6.9:
de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/

Thanks:

We would like to thank Coverity for the use of their Prevent code audit
tool, which discovered this particular flaw.

Vendor Information: We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Base: 7.2, vector AV:L/AC:L/Au:N/C:C/I:C/A:C
Temporal: not given
Environmental: not given

Acknowledgements

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Coverity with discovering and reporting this vulnerability to them.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2006-0745
Severity Metric: 18.44
Date Public:
