From owner-freebsd-security Sun Jan 28 19:52:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id C16AC37B402 for ; Sun, 28 Jan 2001 19:51:40 -0800 (PST)
Received: (qmail 29696 invoked by uid 0); 29 Jan 2001 03:50:44 -0000
Received: from p3ee21533.dip.t-dialin.net (HELO forge.local) (62.226.21.51) by mail.gmx.net (mp011-rz3) with SMTP; 29 Jan 2001 03:50:44 -0000
Received: from thomas by forge.local with local (Exim 3.16 #1 (Debian)) id 14N5LY-0001Vz-00; Mon, 29 Jan 2001 04:51:16 +0100
Date: Mon, 29 Jan 2001 04:51:16 +0100
To: freebsd-security@freebsd.org
Cc: XFree86@xfree86.org
Subject: Obscure security hole in XFree86 when used with Xwrapper
Message-ID: <20010129045116.A5564@crow.dom2ip.de>
Mail-Followup-To: tmoestl@gmx.net, freebsd-security@freebsd.org, XFree86@xfree86.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
From: Thomas Moestl
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(for the XFree86 people, PR references etc. are for FreeBSD)

Hi,

to quote from PR ports/24705 (by Sebastian Reinert):

> All you need to reproduce this problem is a current version of Xwrapper
> with x-right, [...] and a self-written script called .xserverrc that
> contains the following phrase:
>
>     exec Xwrapper $dspnum &args
>
> It is _very important_ that you use an "&" instead of "$" in front of
> "args"! After all, you configure your script with the typical rights
> (e.g. "777"), execute "startx" (you will have x-right for it by default),
> and the system shuts down its daemons. By the way: you do not need
> root-rights...
I have looked into this one, and the following code seems to be the flaw
(from xc/programs/Xserver/os/connection.c):

    /*
     * Magic: If SIGUSR1 was set to SIG_IGN when
     * the server started, assume that either
     *
     *  a- The parent process is ignoring SIGUSR1
     *
     * or
     *
     *  b- The parent process is expecting a SIGUSR1
     *     when the server is ready to accept connections
     *
     * In the first case, the signal will be harmless,
     * in the second case, the signal will be quite
     * useful
     */
    #if !defined(WIN32) && !defined(__CYGWIN__)
        if (OsSignal (SIGUSR1, SIG_IGN) == SIG_IGN)
            RunFromSmartParent = TRUE;
        ParentProcess = getppid ();
        if (RunFromSmartParent) {
            if (ParentProcess > 0) {
                kill (ParentProcess, SIGUSR1);
            }
        }
    #endif

Now, if the parent process has exited (as happens when Xwrapper or XFree86 is
put into the background in the .xserverrc), the SIGUSR1 will go to init
(because the process was reparented when the parent exited). This will cause
the machine to halt (with FreeBSD init; with other init implementations this
may differ). When the Xwrapper is installed, this amounts to a local DoS.

The easiest fix would just be:

------------------------------------------------------------------------
*** xc/programs/Xserver/os/connection.c.orig    Mon Jan 29 04:16:54 2001
--- xc/programs/Xserver/os/connection.c Mon Jan 29 04:08:32 2001
***************
*** 408,414 ****
            RunFromSmartParent = TRUE;
        ParentProcess = getppid ();
        if (RunFromSmartParent) {
!           if (ParentProcess > 0) {
                kill (ParentProcess, SIGUSR1);
            }
        }
--- 408,414 ----
            RunFromSmartParent = TRUE;
        ParentProcess = getppid ();
        if (RunFromSmartParent) {
!           if (ParentProcess > 1) {
                kill (ParentProcess, SIGUSR1);
            }
        }
------------------------------------------------------------------------

I think that this should suffice. Any comments?

        - thomas

P.S.: please trim the CC list when answering.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
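Review bot: the changed line in the hunk swaps `> 0` for `> 1` without a comment, so a later reader of connection.c will not see that the extra excluded value is init or why the server can end up with init as its parent; put a comment on that line, e.g. `/* never signal init (pid 1): if our parent exited we were reparented to it */`, so the constant is not "cleaned up" back to `> 0`. The guard only covers a parent that was already gone when getppid () ran; a parent exiting between getppid () and kill () still receives the signal as the stored ParentProcess (a zombie at that point, so the signal is harmless), and the comment should state that this window is accepted.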
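The reparenting the message describes, together with the guarded check of the proposed fix, as an added C example that is not code from the XFree86 tree or from the mail: a child backgrounds a grandchild and exits, the grandchild watches its parent change, and notify_smart_parent() refuses pid 0 and pid 1. Function names are my own; passing signal 0 probes the path without delivering a signal.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Guarded start-up notification.  The unpatched server used "parent > 0",
 * so a server reparented after its parent exited signalled init (pid 1).
 * pid 0 is refused too: kill(0, sig) would hit the whole process group.
 * Returns 1 if sent, 0 if the target was refused, -1 if kill() failed. */
int notify_smart_parent(pid_t parent, int sig)
{
    if (parent <= 1)
        return 0;
    return kill(parent, sig) == -1 ? -1 : 1;
}

/* Reproduces the reparenting behind the bug: a child forks a grandchild and
 * exits at once, like a shell that backgrounds the server and finishes.  The
 * grandchild polls until getppid() no longer names that child and reports its
 * new parent (1 with a classic init, a subreaper's pid where one is set).
 * Returns that pid or -1; *exited receives the pid of the child that went away. */
pid_t orphan_ppid(pid_t *exited)
{
    int fd[2], i;
    pid_t child, me, now, reported = -1;
    struct timespec tick = { 0, 1000000 };   /* 1 ms between polls */

    if (pipe(fd) == -1 || (child = fork()) == -1)
        return -1;
    if (child == 0) {                        /* intermediate process */
        me = getpid();
        if (fork() == 0) {                   /* grandchild */
            for (i = 0; i < 2000 && getppid() == me; i++)
                nanosleep(&tick, NULL);      /* wait until reparented */
            now = getppid();
            _exit(write(fd[1], &now, sizeof now) == (ssize_t)sizeof now ? 0 : 1);
        }
        _exit(0);                            /* the grandchild's parent goes away */
    }
    close(fd[1]);
    waitpid(child, NULL, 0);                 /* reap the intermediate */
    if (read(fd[0], &reported, sizeof reported) != (ssize_t)sizeof reported)
        reported = -1;
    close(fd[0]);
    *exited = child;
    return reported;
}
```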