Possible security hole in X: Re: Xserver stack smashed -- wrapper
I sent this 3 days ago to security@debian.org and have heard nothing
back. Do I need to file a bug report?
John Goerzen <jgoerzen@southwind.net> writes:
> Pavel,
>
> Thanks for the information. I am forwarding your message to Debian's
> security team.
>
> Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> writes:
>
> > On Wed, 21 Jan 1998, John Goerzen wrote:
> >
> > > A short time ago, there was some talk about various wrappers around
> > > the X server, and I pointed out that Debian already has one better
> > > than the example posted. Since then, I have received requests to post
> > > Debian's wrapper source.
> >
> > Unfortunately, this wrapper has two serious flaws:
> >
> > >     case Console:
> > >         if (fstat(0,&s)!=0) {
> > >             fprintf(stderr,"X: cannot stat stdin\n");
> > >             return FALSE;
> > >         }
> > >         if (S_ISCHR(s.st_mode) && ((s.st_rdev>>8)&0xff)==VT_MAJOR_DEV &&
> > >             (s.st_rdev&0xff)<128) {
> > >             return TRUE;
> > >         }
> > >         break;
> >
> > First flaw: it is quite easy to fool this check. In many cases, it is
> > possible to find a world writable vc entry in /dev (yes, this is a kind
> > of configuration error but AFAIK Debian itself ships with a load of world
> > writable /dev/tty[0-9]*'s) and do this:
> >
> > int
> > main()
> > {
> >     close(0);
> >     open("/dev/tty0", O_WRONLY);
> >     execlp("xserver-wrapper", "xserver-wrapper", 0);
> > }
> >
> > IMHO, /var/run/utmp ought to be consulted.
> >
> > >     for (i = 1; i < argc; i++) {
> > >         if (!strcmp(argv[i], "-config")) {
> > >             if (setuid(getuid())) {
> > >                 perror("X couldn't drop setuid privileges for alternate config");
> > >                 exit(1);
> > >             }
> > >             break;
> > >         }
> > >     }
> > >     execv(xserver,argv);
> >
> > Second flaw: not paranoid enough when checking the arguments.
> > It should test whether arguments are _allowed_ and their parameters
> > have _sane_ values.
> >
> >
> > --Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration)
> > [ Boycott Microsoft -- http://www.vcnet.com/bms ]
> >
>
> --
> John Goerzen
> Southwind Internet Access, Inc,
> Business e-mail: jgoerzen@southwind.net
>
> Personal e-mail: jgoerzen@complete.org
> Wichita State University e-mail: jgoerzen@cs.twsu.edu
> Developer, Debian GNU/Linux <http://www.debian.org>
>
>
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-private-request@lists.debian.org .
> Trouble? e-mail to templin@bucknell.edu .
>
--
John Goerzen | Developing for Debian GNU/Linux (www.debian.org)
Custom Programming | Debian GNU/Linux is a free replacement for
jgoerzen@complete.org | DOS/Windows -- check it out at www.debian.org.
----------------------+----------------------------------------------
Find out how to avoid all those pesky crashes, lockups, application errors,
and slow applications at http://www.debian.org -- Debian can replace Windows
95 with a much more stable operating system.
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-qa-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
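An added example, not the Debian wrapper's code nor Pavel's, of the allowlist-style argument check the second flaw calls for: every option the setuid wrapper forwards to the real server must be a known one, its parameter must fall within a sane bound, and anything else is rejected before execv. The option names and numeric limits below are assumptions chosen for illustration.

```c
/* Allowlist validation of X server wrapper arguments (added example;
 * option set and limits are assumptions, not Debian's wrapper). */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if s is an unsigned decimal number in [lo, hi] with no
 * trailing characters, 0 otherwise. */
static int in_range(const char *s, long lo, long hi)
{
    char *end;
    long v;
    if (*s == '\0' || !isdigit((unsigned char)*s))
        return 0;
    v = strtol(s, &end, 10);
    return *end == '\0' && v >= lo && v <= hi;
}

/* Checks argv[1..argc-1]. Returns 1 if every argument is allowed and
 * its parameter is sane, 0 otherwise. *needs_drop is set to 1 when an
 * option that must run unprivileged (-config, as in the quoted wrapper)
 * is present, so the caller knows to setuid(getuid()) before execv. */
int xargs_ok(int argc, char **argv, int *needs_drop)
{
    int i;
    *needs_drop = 0;
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] == ':') {                      /* display number, ":0" */
            if (!in_range(a + 1, 0, 255))
                return 0;
        } else if (strncmp(a, "vt", 2) == 0) {  /* virtual terminal, "vt7" */
            if (!in_range(a + 2, 1, 63))
                return 0;
        } else if (strcmp(a, "-config") == 0) { /* user-supplied path */
            if (i + 1 >= argc || argv[i + 1][0] == '-')
                return 0;
            *needs_drop = 1;
            i++;
        } else if (strcmp(a, "-nolisten") == 0) { /* "-nolisten tcp" */
            if (i + 1 >= argc || strcmp(argv[i + 1], "tcp") != 0)
                return 0;
            i++;
        } else {
            return 0;                           /* not on the allowlist */
        }
    }
    return 1;
}
```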