Bug#652249: bypass default security level of the X wrapper
On Thu, Dec 15, 2011 at 19:02:36 +0100, vladz wrote:
>
> Package: xserver-xorg
> Version: 1:7.5+8
> Severity: important
> Tags: security
>
>
> By default, the wrapper's configuration file only allows a user who is
> controlling a TTY (console) to start the X server with root privileges:
>
> # cat /etc/X11/Xwrapper.config
> [...]
> allowed_users=console
>
> To determine if a user is controlling a TTY, the code checks the
> properties of the file connected to its standard input:
>
> $ cat -n debian/local/xserver-wrapper.c
> [...]
>    152  static int
>    153  onConsole()
>    154  {
>    155  #if defined(__linux__)
>    156    struct stat s;
>    157
>    158    /* see if stdin is a virtual console device */
>    159    if (fstat(0, &s) != 0) {
>    160      (void) fprintf(stderr, "X: cannot stat stdin\n");
>    161      return FALSE;
>    162    }
>    163    if (S_ISCHR(s.st_mode) &&
>    164        ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
>    165          (s.st_rdev & 0xff) < 64) ||
>    166         (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
>    167          (s.st_rdev & 0xff) < 64)
>    168        )) {
>    169      return TRUE;
>    170    }
>
> As seen, this is done by checking if this file:
>
> - is a character device [line 163]
> - has a TTY-specific major number (TTY_MAJOR_DEV or ALT_TTY_MAJOR_DEV,
> respectively 4 or 5) [lines 164, 166]
> - has a minor number lower than 64 [lines 165, 167]
>
> Unfortunately, by connecting a file with similar properties to its
> stdin, a user can mislead the X wrapper and launch the X server. This
> file also needs to be readable by the user.
>
> For instance, files "/dev/tty" and "/dev/ptmx" match those conditions:
>
> $ ls -l /dev/tty /dev/ptmx
> crw-rw-rw- 1 root root 5, 2 14 déc. 18:43 /dev/ptmx
> crw-rw-rw- 1 root root 5, 0 12 déc. 23:03 /dev/tty
>
> Here is a quick PoC by using "/dev/tty":
>
> $ ssh remote_host
> $ id
> uid=1000(vladz) gid=1000(vladz) groups=1000(vladz)
> $ tty
> /dev/pts/4 // not a TTY, won't have sufficient permissions to start X
> $ X :1
> X: user not authorized to run the X server, aborting.
>
> // This was the expected result, now let's connect "/dev/tty" to stdin and
> // retry...
>
> $ exec 0</dev/tty; X :1; exec 0</dev/pts/4
> [... Xorg starts ...] // start succeeded!
>
> This being said, this is a minor issue, but the attack against
> CVE-2011-4029[1], which allows setting the read permission on any arbitrary
> file, can now be launched from remote sessions and not even from a TTY. It
> becomes urgent to fix it.
>
Seems like we should revert the change accepting major 5 for stdin?
Cheers,
Julien