
Bug#652249: marked as done (bypass default security level of the X wrapper)



Your message dated Thu, 15 Dec 2011 23:03:21 +0000
with message-id <E1RbKKf-0001Xj-IW@franck.debian.org>
and subject line Bug#652249: fixed in xorg 1:7.6+10
has caused the Debian Bug report #652249,
regarding bypass default security level of the X wrapper
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
652249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652249
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xserver-xorg
Version: 1:7.5+8
Severity: important
Tags: security


By default, the wrapper's configuration file only allows users who have a
controlling TTY (console) to start the X server with root privileges:

  # cat /etc/X11/Xwrapper.config
  [...]
  allowed_users=console

To determine if a user is controlling a TTY, the code checks the
properties of the file connected to its standard input:

  $ cat -n debian/local/xserver-wrapper.c
  [...]
  152 static int
  153 onConsole()
  154 {
  155 #if defined(__linux__)
  156   struct stat s;
  157
  158   /* see if stdin is a virtual console device */
  159   if (fstat(0, &s) != 0) {
  160     (void) fprintf(stderr, "X: cannot stat stdin\n");
  161     return FALSE;
  162   }
  163   if (S_ISCHR(s.st_mode) &&
  164         ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
  165           (s.st_rdev & 0xff) < 64) ||
  166         (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
  167           (s.st_rdev & 0xff) < 64)
  168         )) {
  169     return TRUE;
  170   }

As seen, this is done by checking if this file:

  - is a character device [line 163]
  - has a TTY-specific major number (TTY_MAJOR_DEV or ALT_TTY_MAJOR_DEV,
    respectively 4 or 5) [lines 164, 166]
  - has a minor number lower than 64 [lines 165, 167]

Unfortunately, by connecting a file with similar properties to its
stdin, a user can mislead the X wrapper and launch the X server.  This
file also needs to be readable by the user.

For instance, files "/dev/tty" and "/dev/ptmx" match those conditions:

  $ ls -l /dev/tty /dev/ptmx
  crw-rw-rw- 1 root root 5, 2 14 déc.  18:43 /dev/ptmx
  crw-rw-rw- 1 root root 5, 0 12 déc.  23:03 /dev/tty

Here is a quick PoC by using "/dev/tty":

  $ ssh remote_host
  $ id
  uid=1000(vladz) gid=1000(vladz) groups=1000(vladz)
  $ tty
  /dev/pts/4   // not a TTY, won't have sufficient permissions to start X
  $ X :1
  X: user not authorized to run the X server, aborting.

  // This was the expected result, now let's connect "/dev/tty" to stdin and
  // retry...

  $ exec 0</dev/tty; X :1; exec 0</dev/pts/4
  [... Xorg starts ...]    // start succeeded!

This being said, this is a minor issue, but the attack against
CVE-2011-4029[1], which allows setting the read permission on any arbitrary
file, can now be launched from remote sessions rather than only from a TTY.
It becomes urgent to fix it.

  [1] http://security-tracker.debian.org/tracker/CVE-2011-4029

Thanks,
vladz. 

-- 
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu




--- End Message ---
--- Begin Message ---
Source: xorg
Source-Version: 1:7.6+10

We believe that the bug you reported is fixed in the latest version of
xorg, which is due to be installed in the Debian FTP archive:

x11-common_7.6+10_all.deb
  to main/x/xorg/x11-common_7.6+10_all.deb
xbase-clients_7.6+10_all.deb
  to main/x/xorg/xbase-clients_7.6+10_all.deb
xorg-dev_7.6+10_all.deb
  to main/x/xorg/xorg-dev_7.6+10_all.deb
xorg_7.6+10.dsc
  to main/x/xorg/xorg_7.6+10.dsc
xorg_7.6+10.tar.gz
  to main/x/xorg/xorg_7.6+10.tar.gz
xorg_7.6+10_amd64.deb
  to main/x/xorg/xorg_7.6+10_amd64.deb
xserver-xorg-input-all_7.6+10_amd64.deb
  to main/x/xorg/xserver-xorg-input-all_7.6+10_amd64.deb
xserver-xorg-video-all_7.6+10_amd64.deb
  to main/x/xorg/xserver-xorg-video-all_7.6+10_amd64.deb
xserver-xorg_7.6+10_amd64.deb
  to main/x/xorg/xserver-xorg_7.6+10_amd64.deb
xutils_7.6+10_all.deb
  to main/x/xorg/xutils_7.6+10_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652249@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xorg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Dec 2011 23:45:48 +0100
Source: xorg
Binary: x11-common xserver-xorg xserver-xorg-video-all xserver-xorg-input-all xorg xorg-dev xbase-clients xutils
Architecture: source all amd64
Version: 1:7.6+10
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 x11-common - X Window System (X.Org) infrastructure
 xbase-clients - miscellaneous X clients - metapackage
 xorg       - X.Org X Window System
 xorg-dev   - X.Org X Window System development libraries
 xserver-xorg - X.Org X server
 xserver-xorg-input-all - X.Org X server -- input driver metapackage
 xserver-xorg-video-all - X.Org X server -- output driver metapackage
 xutils     - X Window System utility programs metapackage
Closes: 652249
Changes: 
 xorg (1:7.6+10) unstable; urgency=high
 .
   * Fixes for xserver-wrapper:
     - when we drop privileges, don't forget to also reset effective group id,
       since we're installed setgid root.
     - revert change to allow devices with major 5 as consoles.  This includes
       things like /dev/tty and /dev/ptmx, which are world-readable (closes:
       #652249).  Thanks to vladz for the report.
     - use major() and minor() macros instead of manually extracting them
   * Build the X wrapper with hardening enabled.



--- End Message ---
