Category:   Application (Generic)  >   X Vendors:   X.org
X.Org Server '-modulepath' and '-logfile' Parameter Privilege Validation Error Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1015793
SecurityTracker URL:  http://securitytracker.com/id/1015793
CVE Reference:   CVE-2006-0745
Date:  Mar 20 2006
Impact:   Execution of arbitrary code via local system, Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): X.Org server 1.0.0 and later; also X11R6.9.0 and X11R7.0
Description:   A vulnerability was reported in X.Org server. A local user can gain elevated privileges.

The server does not correctly validate a user's privileges when parsing the '-modulepath' and '-logfile' options. A local user can supply a specially crafted value to cause the server to load arbitrary code from the system and execute the code with root privileges or to overwrite arbitrary files with the system log.

X11R6.8.2 and prior versions are not affected.

The vendor credits the Coverity Prevent code audit tool with discovering this vulnerability.

Impact:   A local user can gain root privileges.
Solution:   The vendor has issued the following patches [quoted]:

Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
X11R7 tree:

80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff

http://xorg.freedesktop.org/releases/X11R7.0/patches/

Alternately, xorg-server 1.0.2 has been released with this and other
code fixes:

5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2
b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2
f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz
3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gz

http://xorg.freedesktop.org/releases/individual/xserver/

Apply the patch below to the X.Org server as distributed with X11R6.9:
de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff

http://xorg.freedesktop.org/releases/X11R6.9.0/patches/

Vendor URL:  www.x.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 21 2006 (Sun Issues Fix) X.Org Server '-modulepath' and '-logfile' Parameter Privilege Validation Error Lets Local Users Gain Root Privileges
Sun has issued a fix for Solaris 10 x86.



 Source Message Contents

Subject:  [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS



X.Org Security Advisory, March 20th 2006
Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
and X11R7.0
CVE-ID: CVE-2006-0745


Overview:

During the analysis of results from the Coverity code review of X.Org,
we discovered a flaw in the server that allows local users to execute
arbitrary code with root privileges, or cause a denial of service by
overwriting files on the system, again with root privileges.


Vulnerability details:

When parsing arguments, the server takes care to check that only root
can pass the options -modulepath, which determines the location to load
many modules providing server functionality from, and -logfile, which
determines the location of the logfile.  Normally, these locations
cannot be changed by unprivileged users.

This test was changed to test the effective UID as well as the real UID
in X.Org.  The test is defective in that it tested the address of the
geteuid function, not the result of the function itself.  As a result,
given that the address of geteuid() is always non-zero, an unprivileged
user can load modules from any location on the filesystem with root
privileges, or overwrite critical system files with the server log.


Affected versions:

xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
of X11R7.0, is vulnerable.
X11R6.9.0, and all release candidates, are vulnerable.
X11R6.8.2 and earlier versions are not vulnerable.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[...]


Fix:

Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
X11R7 tree:
80db6a3ab76334061ec6102e74ef5607          xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91  xorg-server-1.0.1-geteuid.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

Alternately, xorg-server 1.0.2 has been released with this and other
code fixes:
5cd3316f07ed32a05cbd69e73a71bc74          xorg-server-1.0.2.tar.bz2
b2257e984c5111093ca80f1f63a7a9befa20b6c0  xorg-server-1.0.2.tar.bz2
f44f0f07136791ed7a4028bd0dd5eae3          xorg-server-1.0.2.tar.gz
3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3  xorg-server-1.0.2.tar.gz
http://xorg.freedesktop.org/releases/individual/xserver/

Apply the patch below to the X.Org server as distributed with X11R6.9:
de85e59b8906f76a52ec9162ec6c0b63          x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860  x11r6.9.0-geteuid.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/


Thanks:

We would like to thank Coverity for the use of their Prevent code audit
tool, which discovered this particular flaw.
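
The defect described under "Vulnerability details", as an added illustration that is not part of the advisory and is not X.Org source code: a privilege test that compares a function's address with 0 beside one that calls the function. The helper names, the stubbed UID functions, and the assumption that the check refuses these options when a non-root user runs the server with effective UID 0 are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef uid_t (*uid_fn)(void);
typedef int (*check_fn)(uid_fn real, uid_fn effective);

/* Constructed stand-ins for getuid()/geteuid() so the cases are repeatable. */
static uid_t uid_user(void) { return 1000; }
static uid_t uid_root(void) { return 0; }

/* Defective form: the function is named but never called, so its address is
 * compared with 0. An address is never 0, so this never reports elevation. */
static int elevated_buggy(uid_fn real, uid_fn effective)
{
    return real() != 0 && effective == 0;
}

/* Corrected form: call the function and compare the UID it returns. */
static int elevated_fixed(uid_fn real, uid_fn effective)
{
    return real() != 0 && effective() == 0;
}

/* Hypothetical option gate: 1 = option accepted, 0 = refused. */
static int option_allowed(const char *opt, check_fn elevated,
                          uid_fn real, uid_fn effective)
{
    int restricted = strcmp(opt, "-modulepath") == 0 ||
                     strcmp(opt, "-logfile") == 0;
    return !(restricted && elevated(real, effective));
}

int main(void)
{
    const char *opts[] = { "-modulepath", "-logfile", "-version" };
    for (size_t i = 0; i < 3; i++) {
        /* Unprivileged real UID, effective UID 0 (setuid-root binary). */
        printf("%-12s buggy=%d fixed=%d\n", opts[i],
               option_allowed(opts[i], elevated_buggy, uid_user, uid_root),
               option_allowed(opts[i], elevated_fixed, uid_user, uid_root));
    }
    return 0;
}
```

When the function name itself is compared with 0, as in the flaw, current GCC reports it under -Waddress, which -Wall enables.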


 
 

