BoS: libX11
daemon@ATHENA.MIT.EDU (Dop Ganger)
Tue Feb 25 10:50:03 1997
Date: Tue, 25 Feb 1997 02:28:11 -0600 (CST)
From: Dop Ganger <Dop@dial.pipex.com>
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
>Return-Path: <owner-bugtraq@NETSPACE.ORG>
>Approved-By: aleph1@UNDERGROUND.ORG
>Date: Mon, 24 Feb 1997 16:06:43 -0700
>Reply-To: David Sacerdote <davids@SECNET.COM>
>Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
>From: David Sacerdote <davids@SECNET.COM>
>Subject: libX11
>To: BUGTRAQ@NETSPACE.ORG
>
>                       ######   ##   ##   ######
>                       ##       ###  ##     ##
>                       ######   ## # ##     ##
>                           ##   ##  ###     ##
>                       ######.  ##   ##.  ######.
>
> Secure Networks Inc.
>
> Security Advisory
> February 24, 1997
>
> Environment Variable Problems in X11
>
>
>While examining the differences between X11R6.1 and X11R6.3, it has come to
>our attention that a number of serious security problems in libX11 were fixed
>between releases. These problems permit unprivileged users to obtain elevated
>access, including group sys, group kmem, and root privileges, depending on the
>operating system and the X11 release. Administrators should be aware that
>these problems are actively being exploited, and should take the precautions
>outlined below to ensure they are not susceptible to these problems.
>
>
>Technical Details
>~~~~~~~~~~~~~~~~~
>
>In X11R6.1 and earlier, there are many places where libX11 looks at
>environment variables, and then performs string operations on them. X11R6.1
>and earlier, however, perform no bounds checking when doing these string
>operations. Setuid and setgid programs which use functions provided by libX11
>may allow users to obtain elevated privileges.
>
>One of the many examples of flawed code in X11R6.1, in this case from
>GetDflt.c reads:
>
>if (ptr = getenv("HOME"))
> (void) strcpy(dest, ptr);
>
>While the corrected code for this particular example in X11R6.3 reads:
>
>if (ptr = getenv("HOME")) {
> (void) strncpy(dest, ptr, len);
> dest[len-1] = '\0';
>}
>
>Note that this code correctly adds a null character at the end of the
>string after the strncpy.
>
>
>Impact
>~~~~~~
>Depending on platform and X11 release, individuals with shell access can
>obtain elevated access, including group sys, group kmem, and root
>privileges.
>
>
>Vulnerable Systems
>~~~~~~~~~~~~~~~~~~
>Any system which is running X11R6.1 or earlier, and has at least one setuid or
>setgid program which uses libX11 is vulnerable.
>
>You can perform a simple test to determine whether your system is vulnerable.
>First, set the HOME environment variable to a string at least 2500 characters
>long. Using a sh compatible shell, do this by issuing the commands:
>
>$ HOME=jjjjjjj...jjjjj (2500 repetitions of 'j')
>$ export HOME
>
>Using csh or tcsh, use the command:
>
>% setenv HOME jjjjj...jjjjjjj (2500 repetitions of 'j')
>
>Then, run a setuid or setgid X program, such as xload. If you are running a
>vulnerable release of X11, you will get an error message including either the
>words "Segmentation Fault" or "Bus error." If the words "Segmentation Fault"
>and "Bus Error" do not appear, and the program operates correctly, you are not
>vulnerable to this problem.
>
>Be aware that if you use a string much shorter than 2500 characters, this test
>will not produce meaningful results, because the length of the buffer in
>question is 2048 characters. Also, if your DISPLAY environment variable does
>not point to a display which you have authorization to connect to, the test
>will not be able to connect to a valid display and therefore will not work.
>
>
>Fix Information
>~~~~~~~~~~~~~~~
>To fix these problems without loss of functionality, upgrade to the current
>release of X11. You can obtain X11R6.3 by referring to
>http://www.x.org/consortium/GettingX.html
>
>As an alternative workaround, administrators may want to remove setuid and
>setgid bits from vulnerable programs. To find all setuid and setgid programs,
>in the X11 distribution, the following command can be executed:
>
>% cd /usr/X11/bin
>% find . \( -perm -02000 -o -perm -04000 \) -exec ls -l {} \;
>% find . \( -perm -02000 -o -perm -04000 \) -exec chmod ug-s {} \;
>
>Remember to perform the same command if you wish to remove permissions from
>programs stored in other system directories. Keep in mind that the
>use of this workaround will result in reduced functionality for non-root
>users.
>
>
>Additional Information
>~~~~~~~~~~~~~~~~~~~~~~
>
>If you have any questions about this advisory, feel free to contact me,
>David Sacerdote, at davids@secnet.com. If you should wish to encrypt
>traffic for me, my pgp key is:
>
>-----BEGIN PGP PUBLIC KEY BLOCK-----
>Version: 2.6.2
>
>mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB
>BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku
>8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR
>tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+
>=LtL9
>-----END PGP PUBLIC KEY BLOCK-----
>
>Many thanks to the unknown individual who undertook to fix this set
>of holes in the final days of the X Consortium.
>
>Additional information about the X Windowing System can be found at
>http://www.x.org
>
>You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
>and advisories at ftp://ftp.secnet.com/advisories
>
>You can browse our web site at http://www.secnet.com
>
>You can subscribe to our security advisory mailing list by sending mail to
>majordomo@secnet.com with the line "subscribe sni-advisories" in the body of
>the message.
>
>
>Copyright Notice
>~~~~~~~~~~~~~~~~
>The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
>and may be distributed freely provided that no fee is charged for
>distribution, and that proper credit is given.
>
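The following is an added example, not code from the advisory or from the X11 sources. It places the unbounded strcpy pattern the advisory quotes from GetDflt.c beside the bounded strncpy-plus-terminator form adopted in X11R6.3, and then runs the bounded form through the advisory's own check (HOME set to 2500 repetitions of 'j') to show that the value is cut to fit and terminated instead of overrunning the buffer. The 2048-byte buffer size is taken from the advisory's statement about the buffer length; the function names, the generalisation to any variable name, and the use of setenv(3) to stage the test value are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, matching the advisory's statement that the
 * overflowed buffer is 2048 characters; not taken from the X11 sources. */
#define DEST_LEN 2048

/* Vulnerable pattern quoted by the advisory from X11R6.1 GetDflt.c:
 * whatever length HOME has, it is copied into dest with no bound.
 * Only called below with a short, known-safe value. */
static void copy_home_unbounded(char *dest)
{
    char *ptr;
    if ((ptr = getenv("HOME")))
        (void) strcpy(dest, ptr);
}

/* Corrected pattern as in X11R6.3: bounded copy plus an explicit terminator,
 * because strncpy writes no NUL when the source is len bytes or longer.
 * Generalised here (an assumption) to any variable name.
 * Returns 1 if the value was truncated, 0 if it fit, -1 if unset or len==0. */
static int copy_env_bounded(const char *name, char *dest, size_t len)
{
    if (len == 0)
        return -1;
    const char *ptr = getenv(name);
    if (ptr == NULL) {
        dest[0] = '\0';
        return -1;
    }
    (void) strncpy(dest, ptr, len);
    dest[len - 1] = '\0';
    return strlen(ptr) >= len ? 1 : 0;
}

/* Mirrors the advisory's test setup: sets `name` to n repetitions of 'j'.
 * Returns 0 on success. */
static int set_long_env(const char *name, size_t n)
{
    char *val = malloc(n + 1);
    if (val == NULL)
        return -1;
    memset(val, 'j', n);
    val[n] = '\0';
    int rc = setenv(name, val, 1);
    free(val);
    return rc;
}

/* Sets HOME to n 'j's and runs the bounded copy into a DEST_LEN buffer.
 * Returns the truncation flag from copy_env_bounded, or -1 on error. */
static int bounded_truncated(size_t n)
{
    char dest[DEST_LEN];
    if (set_long_env("HOME", n) != 0)
        return -1;
    return copy_env_bounded("HOME", dest, sizeof dest);
}

/* Same setup; returns the string length left in dest, or -1 on error.
 * The result never exceeds DEST_LEN - 1, whatever n is. */
static long bounded_length(size_t n)
{
    char dest[DEST_LEN];
    if (set_long_env("HOME", n) != 0)
        return -1;
    if (copy_env_bounded("HOME", dest, sizeof dest) < 0)
        return -1;
    return (long) strlen(dest);
}

int main(void)
{
    char dest[DEST_LEN];

    /* The unbounded copy, only with a value that fits. */
    if (set_long_env("HOME", 16) != 0)
        return 1;
    copy_home_unbounded(dest);
    printf("unbounded copy of 16-byte HOME: %zu bytes\n", strlen(dest));

    /* The advisory's 2500-byte test against the bounded copy: no overrun,
     * the value is cut to DEST_LEN - 1 bytes and NUL-terminated. */
    printf("bounded copy of 2500-byte HOME: truncated=%d length=%ld\n",
           bounded_truncated(2500), bounded_length(2500));
    return 0;
}
```

The point the advisory makes in its note about the terminator is visible in `copy_env_bounded`: with a 2048-byte or longer source, strncpy fills all 2048 bytes and leaves nothing terminated, so the `dest[len - 1] = '\0'` assignment is what keeps later string operations inside the buffer.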