Date:      Mon, 29 Jan 2001 04:51:16 +0100
From:      Thomas Moestl <tmoestl@gmx.net>
To:        freebsd-security@freebsd.org
Cc:        XFree86@xfree86.org
Subject:   Obscure security hole in XFree86 when used with Xwrapper
Message-ID:  <20010129045116.A5564@crow.dom2ip.de>

(for the XFree86 people, PR references etc. are for FreeBSD)

Hi,

to quote from PR ports/24705 (by Sebastian Reinert):
        All you need to reproduce this problem is a current version of
        Xwrapper with x-right, [...] and a
        self-written script called .xserverrc, that contains the following
        phrase:
        exec Xwrapper $dspnum &args
        It is _very important_ that you use an "&" instead of "$" in front
        of "args"!
        After all, you configure your script with the typical rights (e.g.
        "777"), execute "startx" (you will have x-right for it by
        default), and the system shuts down its daemons.
        By the way: You do not need root-rights...

I have looked into this one, and the following code seems to be the 
flaw (from xc/programs/Xserver/os/connection.c):
    /*
     * Magic:  If SIGUSR1 was set to SIG_IGN when
     * the server started, assume that either
     *
     *  a- The parent process is ignoring SIGUSR1
     *
     * or
     *
     *  b- The parent process is expecting a SIGUSR1
     *     when the server is ready to accept connections
     *
     * In the first case, the signal will be harmless,
     * in the second case, the signal will be quite
     * useful
     */
#if !defined(WIN32) && !defined(__CYGWIN__)
    if (OsSignal (SIGUSR1, SIG_IGN) == SIG_IGN)
	RunFromSmartParent = TRUE;
    ParentProcess = getppid ();
    if (RunFromSmartParent) {
	if (ParentProcess > 0) {
	    kill (ParentProcess, SIGUSR1);
	}
    }
#endif

Now, if the parent process has exited (as happens when Xwrapper or
XFree86 is put in the background in the .xserverrc), the SIGUSR1 will go to
init (because the process was reparented when the parent exited).
This will cause the machine to halt (with FreeBSD init; with other init 
implementations this may differ).
When the Xwrapper is installed, this amounts to a local DoS.
The easiest fix would just be:
------------------------------------------------------------------------
*** xc/programs/Xserver/os/connection.c.orig	Mon Jan 29 04:16:54 2001
--- xc/programs/Xserver/os/connection.c	Mon Jan 29 04:08:32 2001
***************
*** 408,414 ****
  	RunFromSmartParent = TRUE;
      ParentProcess = getppid ();
      if (RunFromSmartParent) {
! 	if (ParentProcess > 0) {
  	    kill (ParentProcess, SIGUSR1);
  	}
      }
--- 408,414 ----
  	RunFromSmartParent = TRUE;
      ParentProcess = getppid ();
      if (RunFromSmartParent) {
! 	if (ParentProcess > 1) {
  	    kill (ParentProcess, SIGUSR1);
  	}
      }
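Review bot: the `ParentProcess > 1` guard only stops the SIGUSR1 from reaching init; it leaves the window between `ParentProcess = getppid ();` and `kill (ParentProcess, SIGUSR1);` in which the parent can still exit, after which the pid may already belong to an unrelated process, and it assumes an orphan is always adopted by pid 1. A comment at the check naming the reparenting case and the residual race would help, and the "Magic" comment above the block, which describes only the two parent behaviours and not the no-parent case, should mention it too.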
------------------------------------------------------------------------
I think that this should suffice.

Any comments? 

	- thomas


P.S: please trim CC list when answering.
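A small C program, added here and not part of Thomas's mail or the XFree86 sources, that reproduces the reparenting the mail describes (the launcher exits, and the orphaned process's getppid() changes) and applies the patched `ParentProcess > 1` test to the pid it sees; the names `should_signal_parent` and `orphan_ppid` are my own.

```c
/* Added example (not XFree86 code): why a backgrounded server's getppid()
 * no longer names its launcher, plus the patch's ">1" check applied to it. */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The patched connection.c decision: signal a real parent, never pid 1. */
int should_signal_parent(pid_t ppid)
{
    return ppid > 1;
}

/* A middle child ("launcher") forks a grandchild ("server") and exits at
 * once, so the grandchild is orphaned and adopted by init (or the nearest
 * reaper on systems that have them). Returns the ppid the grandchild sees
 * after adoption (-1 on error) and stores the launcher's pid in *middle. */
pid_t orphan_ppid(pid_t *middle)
{
    int up[2], down[2];              /* grandchild -> us, us -> grandchild */
    pid_t seen = -1;
    char go = 'g';

    if (pipe(up) != 0 || pipe(down) != 0)
        return -1;
    pid_t mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {                          /* launcher */
        if (fork() == 0) {                   /* server */
            /* Block until the launcher has been reaped, then look up. */
            if (read(down[0], &go, 1) == 1) {
                pid_t pp = getppid();
                if (write(up[1], &pp, sizeof pp) != (ssize_t)sizeof pp)
                    _exit(1);
            }
            _exit(0);
        }
        _exit(0);                            /* launcher exits: orphans it */
    }
    close(up[1]);
    close(down[0]);
    waitpid(mid, NULL, 0);                   /* reaped, so adoption is done */
    if (write(down[1], &go, 1) != 1 ||
        read(up[0], &seen, sizeof seen) != (ssize_t)sizeof seen)
        seen = -1;
    close(down[1]);
    close(up[0]);
    *middle = mid;
    return seen;
}
```

On a plain init the orphan reports ppid 1 and the guard refuses to signal; where a process has registered as a reaper (Linux PR_SET_CHILD_SUBREAPER, FreeBSD procctl PROC_REAP_ACQUIRE) the adopter has another pid, which the `> 1` guard does not recognise, and the parent can still exit between getppid() and kill().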

