[600] in linux-security and linux-alert archive
Re: XFree86 3.1.2 Security Problems
daemon@ATHENA.MIT.EDU (Bruno Van Wilder)
Fri Feb 2 17:36:19 1996
Date: Mon, 29 Jan 1996 23:15:26 +0000 (GMT)
From: Bruno Van Wilder <bvwilder@y.cs.rhbnc.ac.uk>
To: David J Meltzer <davem+@andrew.cmu.edu>
cc: bugtraq@crimelab.com, best-of-security@suburbia.net,
linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu,
report@XFree86.org
In-Reply-To: <sl35Uye00iWQ48j7Jj@andrew.cmu.edu>
On Mon, 29 Jan 1996, David J Meltzer wrote:
> There are security holes in XFree86 3.1.2, which installs its servers
> as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files,
> it does not take proper precautions to ensure that file permissions are
> maintained, resulting in the ability to overwrite files, and to read
> limited portions of other files.
[...]
> Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
This patch is not only very hard to realise on systems that need X, it is
also insufficient; if xdm is used, the hole can still be exploited with
the above patch installed.
While waiting for a patched X server, I have patched the binary image of my
own XF86 server, so that the lock lives in a non-user-writeable directory. I
know, binary patching _is_ dirty, but the other fix is to disable X as far
as we know. This is my little program:
----------------------------binpatch.c----------------------------------
#include <stdio.h>

/* Filter that rewrites every "tmp" in the input as "Xmp" (same length, so the
   binary layout is untouched); "/tmp/.X11-unix" thus becomes "/Xmp/.X11-unix". */
int main(void)
{
	int c[3];			/* sliding window of the last three bytes */
	c[0] = getchar();
	c[1] = getchar();
	c[2] = getchar();
	do
	{
		if ((c[0] == 't') && (c[1] == 'm') && (c[2] == 'p')) putchar('X');
		else putchar(c[0]);
		c[0] = c[1];
		c[1] = c[2];
		c[2] = getchar();	/* returns EOF at end of input; never printed */
	} while (!feof(stdin));
	putchar(c[0]);
	putchar(c[1]);
	return 0;
}
-----------------------------------------------------------------------
This program needs to be compiled and applied as a filter to your X server:
$ binpatch <XF86_SVGA >XF86_SVGA.new
(or whatever X server you may be using)
Replace your old X by the new one, keeping a copy of the old one. Do not
forget to install it suid-root if users need to use startx (ie. if you are
not using xdm).
Two other things will need to be done:
$ mkdir /Xmp
$ ln -s /Xmp/.X11-unix /tmp/.X11-unix
(because the libs refer to that subdir)
From now on, the lock and the socket will be placed under the subdirectory
/Xmp, which should not be world-writeable. The symlink in /tmp is
necessary because the libraries refer to that directory to access the X
socket.
This works for my own X-server; I hope it works for others.
Greetings,
Bruno
--
Bruno Van Wilder Royal Holloway, University of London
main(int n,char**a){for(n=0;putchar(a[2][n]?(a[2][n]%32+(**a%2*2-1)*
(a[1][n++%(a[2]-a[1]-1)]%32-1)+25)%26+97:10)-10;);}
(Vigenere encryption/decryption)
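An added example (not part of the original message) that checks the result of the procedure above: it applies the same length-preserving tmp -> Xmp rewrite to a constructed stand-in for the server's string table, confirms no "/tmp/" path survives, and audits that the replacement lock/socket directory is root-owned and not world-writable and that the compatibility symlink points where the libraries expect. SAMPLE_BINARY, the function names and the /Xmp paths are assumptions for illustration.

```python
import os
import stat

# Constructed stand-in for the string table of an X server binary (not a real XF86_SVGA).
SAMPLE_BINARY = (b"\x7fELF\x01\x01\x01\x00"
                 b"/tmp/.X11-unix/X%d\x00"     # socket directory the libs look for
                 b"/tmp/.X%d-lock\x00"         # lock file the suid server creates
                 b"/usr/X11R6/lib/X11\x00")

def rewrite_tmp(data: bytes, old: bytes = b"tmp", new: bytes = b"Xmp") -> bytes:
    """Length-preserving rewrite, the same edit binpatch.c makes byte by byte.
    A binary cannot grow or shrink in place, so the lengths must match."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    return data.replace(old, new)

def tmp_paths(data: bytes) -> list:
    """NUL-terminated strings that still point into /tmp (empty after a good patch)."""
    return [s for s in data.split(b"\x00") if s.startswith(b"/tmp/")]

def dir_mode_is_safe(st_mode: int, st_uid: int) -> bool:
    """The lock/socket directory must be a root-owned directory others cannot write to;
    a world-writable directory such as /tmp is exactly what made the symlink attack possible."""
    return stat.S_ISDIR(st_mode) and st_uid == 0 and not (st_mode & stat.S_IWOTH)

def audit_dir(path: str) -> bool:
    """Run dir_mode_is_safe against a real directory such as /Xmp."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return dir_mode_is_safe(st.st_mode, st.st_uid)

def audit_symlink(link: str, target: str) -> bool:
    """/tmp/.X11-unix must be a symlink into the safe directory, as the libs use that path."""
    return os.path.islink(link) and os.readlink(link) == target

if __name__ == "__main__":
    patched = rewrite_tmp(SAMPLE_BINARY)
    print("tmp paths before:", tmp_paths(SAMPLE_BINARY))
    print("tmp paths after: ", tmp_paths(patched))
    print("/Xmp safe:", audit_dir("/Xmp"),
          "link ok:", audit_symlink("/tmp/.X11-unix", "/Xmp/.X11-unix"))
```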