Lucene search
K

xfs.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 35 Views

Bug in xfs impacts XFree86, creating insecure .font-unix directory in /tmp exposing permissions.

Code
`Bug in xfs  
  
Lukasz Trabinski ([email protected])  
Tue, 30 Mar 1999 00:14:34 +0200   
  
Hello,  
  
I hope that's information will be useful for making new patch for  
XFree86.  
  
I found bug in xfs  
  
(Packet XFree86-xfs-3.3.3.1-1 in RedHat 5.1 and probably in RedHat 5.2  
updates, too)  
Xfs is a font server for XFree86, it's also create directory in /tmp  
That directory name .font-unix  
  
Let's make a little check:  
  
On first console (I logged as a normal user)  
  
[lukasz@lt /tmp]$ cat /etc/shadow  
cat: /etc/shadow: Permission denied  
  
[lukasz@lt /tmp]$ ls -all /etc/shadow  
-r-------- 1 root root 544 Mar 30 00:04 /etc/shadow  
  
[lukasz@lt /tmp]$ ll  
total 2  
drwxrwxrwt 2 root root 1024 Mar 30 00:05 .  
drwxr-xr-x 18 root root 1024 Mar 23 00:10 ..  
lrwxrwxrwx 1 lukasz users 11 Mar 30 00:05 .font-unix ->  
/etc/shadow  
  
On second console, as root  
  
[root@lt /root]# xfs &  
[1] 2021  
[root@lt /root]# _FontTransSocketCreateListener: failed to bind listener  
_FontTransSocketUNIXCreateListener: ...SocketCreateListener() failed  
_FontTransMakeAllCOTSServerListeners: failed to create listener for local  
  
  
On first console:  
  
[lukasz@lt /tmp]$ ls -all /etc/shadow  
-rwxrwxrwt 1 root root 544 Mar 30 00:04 /etc/shadow  
^^^^^^^^^^^  
That's all ;)  
  
Solution, As root before run xfs, make rm -rf /tmp/.font-unix  
  
  
Sorry for my broken English ;(  
  
  
_[ Lukasz Trabinski ]_  
PgP Key: finger:[email protected], SysAdmin @wsisiz.edu.pl  
  
-----------------------------------------------------------------------  
  
Re: Bug in xfs  
  
Matthieu Herrb ([email protected])  
Wed, 31 Mar 1999 08:04:17 +0200   
  
You wrote (in your message from Tuesday 30)  
>  
> I hope that's information will be useful for making new patch for  
> XFree86.  
>  
> I found bug in xfs  
  
  
This is caused by the same bug in xc/lib/xtrans that "in.telnetd"  
<[email protected]> reported under the subject "X11R6 NetBSD  
Security Problem" last week.  
  
The patch I submitted (with stat() replaced by lstat(), as noted by  
Kevin Vajk and other) also fixes that.  
--  
Matthieu  
  
-----------------------------------------------------------------------  
  
Re: Bug in xfs  
  
Juha Virtanen ([email protected])  
Wed, 31 Mar 1999 09:38:28 +0300   
  
Regardless of the bug Lukasz Trabinski found in xfs -- it should  
be fixed and similar bugs traced from other software as well --  
it is not necessary to run xfs with root permissions at all.  
  
Someone may unknowingly argue that it needs to listen a port.  
Yes, but that's usually port 7100, and as it's not under 1024  
limit, so root permission isn't needed.  
  
I've run xfs for ages on separate account. below is the  
significant startup line I use in RedHat 5.x systems:  
  
daemon /bin/su fontsvr -c "/usr/X11/bin/xfs -config /etc/X11/fs/config -port 7100 &"  
  
The rule is: if a daemon can do its work with lower permissions  
than root, it should.  
  
I do also run named as nonroot permissions (Startup  
/usr/sbin/named -u user -g group). I recommend other people  
doing this as well.  
  
  
Juha Virtanen  
--  
<URL:http://www.iki.fi/jiivee/>  
  
-----------------------------------------------------------------------  
  
Re: Bug in xfs  
  
Alan Cox ([email protected])  
Wed, 31 Mar 1999 10:25:07 +0100   
  
> I do also run named as nonroot permissions (Startup  
> /usr/sbin/named -u user -g group). I recommend other people  
> doing this as well.  
  
This isnt one to do blindly as it means named cannot bind to interfaces  
that appear dynamically (eg as a DNS cache on a terminal server). The  
fact that you end up having to run named as root or with the relevant  
capability to allow it to bind to low ports.  
  
Alan  
  
-----------------------------------------------------------------------  
  
Re: Bug in xfs  
  
Roman Drahtmueller ([email protected])  
Wed, 31 Mar 1999 05:10:14 +0200   
  
[snip]  
> [lukasz@lt /tmp]$ ls -all /etc/shadow  
> -r-------- 1 root root 544 Mar 30 00:04 /etc/shadow  
[snip]  
> [root@lt /root]# xfs &  
[snip]  
> [lukasz@lt /tmp]$ ls -all /etc/shadow  
> -rwxrwxrwt 1 root root 544 Mar 30 00:04 /etc/shadow  
[snip]  
> Solution, As root before run xfs, make rm -rf /tmp/.font-unix  
  
For sure this needs to be fixed. Your "solution" introduces a race  
condition, though, if the font server is started when users are  
allowed to log on.  
  
A better interim aid is not to run xfs as root in the first place. In  
fact, why would one want to run things as root if not necessary?  
  
Roman.  
Computer Center University of Freiburg, Germany.  
"The whole world is about three drinks behind." (Humphrey Bogart)  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation