Date: Sun, 21 Mar 1999 21:34:48 -0800
From: in.telnetd <[email protected]>
To: [email protected]
Subject: X11R6 NetBSD Security Problem
Hey
If this has already been brought up, you have the right to stone me to
death, but I haven't seen it and I've searched, so here it is:
I was fooling around today, and decided to rm /tmp/.X11-unix and then make
a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
up /etc/passwd and
ln -s /etc/passwd /tmp/.X11-unix
and then startx'd as a normal user account, but X wouldn't start; it
complained and said "is not a directory". So, I made a symbolic link from
/root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
to have write access to /root.
I was able to write new files to /root but was not able to overwrite or
change files; I was able to make a "+ +" .rhosts though.
I did this to /etc also, changed it from:
drwxr-xr-x
to:
drwxrwxrwt
with:
telnetd ~$ ln -s /etc /tmp/.X11-unix
telnetd ~$ startx
I have tested this via a remote telnet session also. It works if you are
able to startx and X isn't already running.
I swung my chair around and got on my gateway, telneted to stinky, logged
in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotely, saw
the X startup crap, looked behind me and saw X starting on stinky, I
turned to my gateway and stopped X, and had write access to /etc.
wh00t@$#!$
The only real thing I can think of for this to be useful is .rhosts in
/root...
later
[email protected]
-----------------------------------------------------------------------------
Date: Sun, 21 Mar 1999 21:41:40 -0800
From: in.telnetd <[email protected]>
To: [email protected]
Subject: Re: X11R6 NetBSD Security Problem
oops, I forgot to say, this was on NetBSD 1.3.3, fresh install
if you could append this to my last message, it would be appreciated, aleph1
-----------------------------------------------------------------------------
Date: Thu, 25 Mar 1999 17:20:26 -0800
From: /usr/libexec/telnetd <[email protected]>
To: [email protected]
Subject: Re: X11R6 NetBSD Security Problem
Well, when there's a reboot, /tmp/ is cleared. And if you haven't started X
yet, it could be a problem. This isn't an ultra-spiffy important problem,
just thought I would bring it up.
> drwxrwxrwt 2 root root 1024 Mar 25 10:52 .X11-unix/
>
> I'd like to see a non-root user delete that from /tmp. Many systems have this
> in place like this, since root is the first to log into X. Systems that do not
> have this directory owned by root should chown it.
>
> Taral
>
-----------------------------------------------------------------------------
Date: Fri, 26 Mar 1999 23:41:02 +0200
From: Petras Sinkevicius <[email protected]>
To: [email protected]
Subject: Re: X11R6 NetBSD Security Problem
On Sun, 21 Mar 1999, in.telnetd wrote:
> oops, I forgot to say, this was on NetBSD 1.3.3, fresh install
> if you could append this to my last message, it would be appreciated, aleph1
>
This also works under Linux, X11 v3.3.3, with links to directories and files:
----
bebras@petras:/tmp> ln -s /etc/group /tmp/.X11-unix
bebras@petras:/tmp> ls -l /etc/group
-rw-r--r-- 1 root root 336 Mar 6 13:56 /etc/group
bebras@petras:/tmp> startx
_X11TransSocketUNIXConnect: Can't connect: errno = 111
giving up.
xinit: Connection refused (errno 111): unable to connect to X server
xinit: No such process (errno 3): Server error.
bebras@petras:/tmp> ls -l /etc/group
-rwxrwxrwt 1 root root 336 Mar 6 13:56 /etc/group*
----
--
Drakosha
Petras Sinkevicius
[email protected]
-----------------------------------------------------------------------------
Date: Fri, 26 Mar 1999 21:21:20 +0100
From: Matthieu Herrb <[email protected]>
To: [email protected]
Subject: Re: X11R6 NetBSD Security Problem
in.telnetd wrote (in a message from Sunday 21)
>
> telnetd ~$ ln -s /etc /tmp/.X11-unix
> telnetd ~$ startx
The following patch should fix this:
Index: xc/lib/xtrans/Xtransint.h
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtransint.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 Xtransint.h
--- xc/lib/xtrans/Xtransint.h 1998/11/28 08:26:08 1.1.1.2
+++ xc/lib/xtrans/Xtransint.h 1999/03/26 08:20:27
@@ -455,6 +455,12 @@
#endif
);
+static int trans_mkdir (
+#if NeedFunctionPrototypes
+ char *, /* path */
+ int /* mode */
+#endif
+);
/*
* Some XTRANSDEBUG stuff
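Review bot: a `static` prototype in a shared header (Xtransint.h) for a function defined in Xtransutil.c only compiles and links because every file that includes this header ends up with Xtransutil.c in the same translation unit; a one-line comment next to the prototype saying that trans_mkdir() is internal to the combined xtrans unit would save the next reader from hunting for a missing symbol. Also, `int /* mode */` is later compared against `st_mode` bits; `mode_t` is the portable type for that parameter.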
Index: xc/lib/xtrans/Xtranslcl.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtranslcl.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 Xtranslcl.c
--- xc/lib/xtrans/Xtranslcl.c 1999/01/08 17:31:44 1.1.1.4
+++ xc/lib/xtrans/Xtranslcl.c 1999/03/26 08:20:32
@@ -444,9 +444,11 @@
#else
mode = 0777;
#endif
-
- mkdir(X_STREAMS_DIR, mode);
- chmod(X_STREAMS_DIR, mode);
+ if (trans_mkdir(X_STREAMS_DIR, mode) == -1) {
+ PRMSG (1, "PTSOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_STREAMS_DIR, errno, 0);
+ return(-1);
+ }
if( (fd=open(server_path, O_RDWR)) >= 0 ) {
#if 0
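Review bot: the message in this hunk, `PTSOpenServer: mkdir(%s) failed, errno = %d`, will be misleading in exactly the case the patch is for: when trans_mkdir() returns -1 because the existing entry is not a directory or has the wrong mode, errno is still EEXIST from the failed mkdir(), so the log says "mkdir(/dev/X) failed, errno = 17", which reads like a harmless "already exists". Either have trans_mkdir() set errno (ENOTDIR / EACCES) on those rejection paths before `return -1`, or word the message here as "unusable directory" so a refused symlink or mode mismatch is recognisable.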
@@ -724,9 +726,11 @@
#else
mode = 0777;
#endif
-
- mkdir(X_STREAMS_DIR, mode);
- chmod(X_STREAMS_DIR, mode);
+ if (trans_mkdir(X_STREAMS_DIR, mode) == -1) {
+ PRMSG (1, "NAMEDOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_STREAMS_DIR, errno, 0);
+ return(-1);
+ }
if(stat(server_path, &sbuf) != 0) {
if (errno == ENOENT) {
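Review bot: this is the same five-line block as in PTSOpenServer above, and three more copies follow in this patch, differing only in the function name inside the PRMSG; a small wrapper (for example `trans_mkdir_or_warn(dir, mode, "NAMEDOpenServer")`) or moving the PRMSG into trans_mkdir() itself would keep the call sites from drifting apart. Note also that the demanded mode is whatever the `#if` branch above selects, with 0777 only in the `#else`; because the new check is an exact-equality test, a /dev/X left behind by a server built with a different mode setting now makes this server refuse to start rather than being repaired by the chmod() the old code did unconditionally.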
@@ -1044,10 +1048,18 @@
mode = 0777;
#endif
- mkdir(X_STREAMS_DIR, mode); /* "/dev/X" */
- chmod(X_STREAMS_DIR, mode);
- mkdir(X_ISC_DIR, mode); /* "/dev/X/ISCCONN" */
- chmod(X_ISC_DIR, mode);
+ /* "/dev/X" */
+ if (trans_mkdir(X_STREAMS_DIR, mode) == -1) {
+ PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_STREAMS_DIR, errno, 0);
+ return(-1);
+ }
+ /* "/dev/X/ISCCONN" */
+ if (trans_mkdir(X_ISC_DIR, mode) == -1) {
+ PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_ISC_DIR, errno, 0);
+ return(-1);
+ }
unlink(server_path);
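Review bot: the pattern in this hunk is check-then-use by path name: trans_mkdir() validates X_STREAMS_DIR and X_ISC_DIR, and then `unlink(server_path)` and the later open operate on the path again, so an entry swapped in between the stat() inside trans_mkdir() and the unlink() is not caught. For /dev/X, where ordinary users cannot create entries, that is tolerable, but the same block is reused for the /tmp/.X11-unix path in the next hunk, so a comment should state that the check guards the directory's identity at startup and not the individual operations that follow.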
@@ -1072,8 +1084,11 @@
*/
#define X_UNIX_DIR "/tmp/.X11-unix"
- mkdir(X_UNIX_DIR, mode);
- chmod(X_UNIX_DIR, mode);
+ if (trans_mkdir(X_UNIX_DIR, mode) == -1) {
+ PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_UNIX_DIR, errno, 0);
+ return(-1);
+ }
unlink(server_unix_path);
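Review bot: `X_UNIX_DIR` is defined in this hunk as a local literal "/tmp/.X11-unix", while Xtranssock.c validates the same directory under the name `UNIX_DIR`; the two checks on the one directory should share a single definition (Xtransint.h, next to the new prototype, is the natural place) so that the path and the required mode cannot diverge between the ISC and socket transports. The whole point of the patch is that a user-planted entry at this path is rejected, so the two transports disagreeing about what is acceptable there would reopen the hole.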
Index: xc/lib/xtrans/Xtranssock.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtranssock.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 Xtranssock.c
--- xc/lib/xtrans/Xtranssock.c 1999/01/08 17:31:46 1.1.1.4
+++ xc/lib/xtrans/Xtranssock.c 1999/03/26 08:20:38
@@ -946,8 +946,11 @@
#else
mode = 0777;
#endif
- mkdir (UNIX_DIR, mode);
- chmod (UNIX_DIR, mode);
+ if (trans_mkdir(UNIX_DIR, mode) == -1) {
+ PRMSG (1, "SocketUNIXCreateListener: mkdir(%s) failed, errno = %d\n",
+ UNIX_DIR, errno, 0);
+ return TRANS_CREATE_LISTENER_FAILED;
+ }
#endif
sockname.sun_family = AF_UNIX;
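Review bot: at this call site trans_mkdir() accepts a pre-existing /tmp/.X11-unix on its mode bits alone and never looks at st_uid, so a directory created at that path by any local user, with bits matching `mode`, passes the check and the listener's socket is then bound inside a directory that user controls (and can rename or replace entries in if the sticky bit is not part of `mode`). An owner test, root or the uid the server runs as, belongs in the EEXIST branch of trans_mkdir() before this hunk trusts the result.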
@@ -1041,8 +1044,11 @@
#else
mode = 0777;
#endif
- mkdir (UNIX_DIR, mode);
- chmod (UNIX_DIR, mode);
+ if (trans_mkdir(UNIX_DIR, mode) == -1) {
+ PRMSG (1, "SocketUNIXResetListener: mkdir(%s) failed, errno = %d\n",
+ UNIX_DIR, errno, 0);
+ return TRANS_RESET_FAILURE;
+ }
#endif
close (ciptr->fd);
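Review bot: on the new failure path this returns TRANS_RESET_FAILURE before `close (ciptr->fd)`, so the previous listening socket stays open and ciptr is left untouched. That is the right behaviour if callers treat a failed reset as "old listener still usable", but nothing says so; document the return value that way, otherwise a caller that assumes the fd is gone after TRANS_RESET_FAILURE will leak it or double-close it.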
Index: xc/lib/xtrans/Xtransutil.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtransutil.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Xtransutil.c
--- xc/lib/xtrans/Xtransutil.c 1997/09/05 09:02:43 1.1.1.1
+++ xc/lib/xtrans/Xtransutil.c 1999/03/26 08:20:40
@@ -465,3 +465,32 @@
return (1);
}
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+
+static int
+trans_mkdir(char *path, int mode)
+{
+ struct stat buf;
+
+ if (mkdir(path, mode) == 0) {
+ /* I don't know why this is done, but it was in the original
+ xtrans code */
+ chmod(path, mode);
+ return 0;
+ }
+ /* If mkdir failed with EEXIST, test if it is a directory with
+ the right modes, else fail */
+ if (errno == EEXIST) {
+ if (stat(path, &buf) != 0) {
+ return -1;
+ }
+ if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) {
+ return 0;
+ }
+ }
+ /* In all other cases, fail */
+ return -1;
+}
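Review bot: `stat()` in the EEXIST branch follows symbolic links, so a symlink at `path` that points at a real directory whose permission bits happen to equal `mode` passes the `S_ISDIR` test and the socket ends up in the link's target; `lstat()` is needed here, and `S_ISLNK(buf.st_mode)` should be rejected explicitly before the directory test. The owner is also not checked: `buf.st_uid` should be 0 or the server's own uid, since a same-mode directory created by another user is that user's to control. On the comment "I don't know why this is done": mkdir() masks `mode` with the process umask, and POSIX leaves it implementation-defined whether bits outside the permission bits (the sticky bit in particular) are honoured by mkdir(), so the following chmod() is what actually yields the requested bits and should stay, with that explanation in place of the comment.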
--
Matthieu
-----------------------------------------------------------------------------
Date: Fri, 26 Mar 1999 13:55:13 +0100
From: Pavel Machek <[email protected]>
To: [email protected]
Subject: not only NetBSD [was Re: X11R6 NetBSD Security Problem]
Hi!
> If this has already been brought up, you have the right to stone me to
> death, but I haven't seen it and I've searched, so here it is:
>
> I was fooling around today, and decided to rm /tmp/.X11-unix and then make
> a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
> up /etc/passwd and
> ln -s /etc/passwd /tmp/.X11-unix
> and then startx'd as a normal user account, but X wouldn't start; it
> complained and said "is not a directory". So, I made a symbolic link from
> /root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
> to have write access to /root.
I tried to reproduce on 2.2.4 Linux using
XFree86 Version 3.3.2 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: March 2 1998
If the server is older than 6-12 months, or if your card is
newer than the above date, look for a newer version before reporting
problems. (see http://www.XFree86.Org/FAQ)
I'm not able to get write access to /etc; still, I'm able to create the file
srwxrwxrwx 1 root root 0 Mar 26 13:48 X0=
in a previously unwritable directory. Bug, it seems. [There was some
talk about /tmp/.X11-unix directories, and I think that this problem
might very well get _worse_ with the new 3.3.3 release. Please check.]
Pavel
--
I'm really [email protected]. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
-----------------------------------------------------------------------------
Date: Sun, 28 Mar 1999 19:01:41 -0800
From: Kevin Vajk <[email protected]>
To: [email protected]
Subject: Re: X11R6 NetBSD Security Problem
This patch looks pretty good. (Much better than the current situation!!!)
A few comments:
On Fri, 26 Mar 1999, Matthieu Herrb wrote:
> + if (errno == EEXIST) {
> + if (stat(path, &buf) != 0) {
This should be lstat().
> + if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) {
> + return 0;
> + }
> + }
I think you'll want to check the owner of the directory, too.
- Kevin Vajk
<[email protected]>
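A hardened version of the directory check along the lines of the two comments above, written as an added example for this thread and not code from XFree86, NetBSD or Matthieu's patch: it keeps the mkdir()/EEXIST structure of trans_mkdir() but uses lstat() so a planted symlink is seen as a symlink, accepts only a real directory whose permission bits equal the requested mode, and requires the owner to be root or the calling uid. The names safe_mkdir() and selfcheck(), the errno values chosen for the rejection paths, and the scratch directory under /tmp (or $TMPDIR) are this example's own assumptions; selfcheck() constructs its own test cases, including the symlink from the original report, and removes them afterwards.

```c
#define _DEFAULT_SOURCE 1   /* declares lstat(), symlink(), getuid() on glibc */
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical replacement for trans_mkdir() (safe_mkdir is this example's
 * name, not an xtrans identifier).  Returns 0 if `path` is now a directory
 * in which a listening socket may be created: either just created here, or
 * pre-existing as a real directory (not a symlink) with permission bits
 * exactly `mode`, owned by root or by the calling user.  Returns -1
 * otherwise, with errno saying why the entry was refused. */
int safe_mkdir(const char *path, mode_t mode)
{
    struct stat sb;

    if (mkdir(path, mode) == 0) {
        /* mkdir() masks `mode` with the umask and need not honour the sticky
         * bit, so chmod() is what actually produces the requested bits. */
        return chmod(path, mode);
    }
    if (errno != EEXIST)
        return -1;              /* ENOENT, EACCES, ...: nothing to salvage */

    /* lstat(), not stat(): a symlink planted at `path` must be reported as a
     * symlink instead of being followed to whatever it points at. */
    if (lstat(path, &sb) != 0)
        return -1;
    if (S_ISLNK(sb.st_mode)) {
        errno = ELOOP;          /* "ln -s /etc /tmp/.X11-unix" lands here */
        return -1;
    }
    if (!S_ISDIR(sb.st_mode)) {
        errno = ENOTDIR;        /* a plain file or socket at the path */
        return -1;
    }
    if ((sb.st_mode & ~S_IFMT) != mode) {
        errno = EACCES;         /* wrong bits, e.g. 0755 where 01777 is wanted */
        return -1;
    }
    if (sb.st_uid != 0 && sb.st_uid != getuid()) {
        errno = EPERM;          /* another user's directory: they control it */
        return -1;
    }
    return 0;
}

/* Exercises safe_mkdir() against constructed cases in a private scratch
 * directory and returns the number of failed expectations (0 = all good).
 * A directory owned by a different user cannot be constructed without
 * privileges, so that branch is not exercised here. */
int selfcheck(void)
{
    char base[256], sock[320], lnk[320], loose[320], orphan[320];
    const char *tmp = getenv("TMPDIR");
    int failed = 0;

    if (tmp == NULL)
        tmp = "/tmp";
    snprintf(base, sizeof base, "%s/x11chk.%ld", tmp, (long)getpid());
    if (mkdir(base, 0700) != 0)
        return 99;
    snprintf(sock, sizeof sock, "%s/.X11-unix", base);
    snprintf(lnk, sizeof lnk, "%s/.X11-link", base);
    snprintf(loose, sizeof loose, "%s/.X11-loose", base);
    snprintf(orphan, sizeof orphan, "%s/no-such-parent/.X11-unix", base);

    /* 1. fresh directory: created with exactly the requested bits */
    failed += safe_mkdir(sock, 01777) != 0;
    /* 2. second call on our own, correctly-moded directory: accepted
     *    (a directory pre-created at install time behaves the same way) */
    failed += safe_mkdir(sock, 01777) != 0;
    /* 3. symlink at the path, the attack from this thread: refused */
    failed += symlink(base, lnk) != 0;
    failed += safe_mkdir(lnk, 01777) != -1 || errno != ELOOP;
    /* 4. real directory with the wrong permission bits: refused */
    failed += mkdir(loose, 0755) != 0 || chmod(loose, 0755) != 0;
    failed += safe_mkdir(loose, 01777) != -1 || errno != EACCES;
    /* 5. missing parent: the plain mkdir() failure is passed through */
    failed += safe_mkdir(orphan, 01777) != -1 || errno != ENOENT;

    rmdir(sock); unlink(lnk); rmdir(loose); rmdir(base);
    return failed;
}

int main(void)
{
    int failed = selfcheck();
    printf("%d failed checks\n", failed);
    return failed != 0;
}
```

Two caveats remain with this shape, because it is the same check-then-use by path name as the patch: an entry swapped in after lstat() is not detected, and a server whose `mode` lacks the sticky bit will accept a world-writable directory in which any user can unlink and replace the socket. Opening the directory with O_DIRECTORY|O_NOFOLLOW, running fstat() and fchmod() on that descriptor, and requiring the sticky bit on a /tmp path closes both gaps.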
-----------------------------------------------------------------------------
Date: Wed, 31 Mar 1999 11:12:52 -0600
From: Patrick J. Volkerding <[email protected]>
To: [email protected]
Subject: XFree86 security problem
On Mon, 29 Mar 1999, Domas Mituzas wrote:
> why is RedHat delaying release of this package
> as it smells like root takeover (it was too easy
> to change /etc/ and /etc/passwd permissions to
> something neat).
>
> [...]
>
> This is cross-platform bug, as I found it in
> all OS that run XFree86 3.3.3 server. As far as
> I know it is on every Linux distribution (especially
> newest ones) and BSD's.
Before flying off the handle at Red Hat, you might consider that quite
possibly they aren't vulnerable to this problem. As far as I can tell, if
the system ships with a /tmp/.X11-unix/ directory already in place, and
none of the system scripts delete it, then there's no security problem
since nobody can put a rogue symlink at that location in /tmp.
I know Slackware Linux isn't vulnerable to this problem, and never was,
and I don't think we're the only ones to ship a Linux OS that provides a
pre-existing /tmp/.X11-unix/.
--
Patrick J. Volkerding
Slackware Linux Project