BugTraq
[CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 Mar 20 2006 02:00PM
Daniel Stone (daniel fooishbar org) (3 replies)
Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 Mar 23 2006 05:31PM
Kyle Sallee (kyle sallee gmail com)
Is xorg-server-X11R7.0-1.0.1.tar.bz2 also vulnerable.
Will patches for Xservers not be placed in?
ftp://ftp.x.org/pub/X11R7.0/patches/

On 3/20/06, Daniel Stone <daniel (at) fooishbar (dot) org [email concealed]> wrote:
> X.Org Security Advisory, March 20th 2006
> Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
> and X11R7.0
> CVE-ID: CVE-2006-0745
>
>
> Overview:
>
> During the analysis of results from the Coverity code review of X.Org,
> we discovered a flaw in the server that allows local users to execute
> arbitrary code with root privileges, or cause a denial of service by
> overwriting files on the system, again with root privileges.
>
>
> Vulnerability details:
>
> When parsing arguments, the server takes care to check that only root
> can pass the options -modulepath, which determines the location to load
> many modules providing server functionality from, and -logfile, which
> determines the location of the logfile. Normally, these locations
> cannot be changed by unprivileged users.
>
> This test was changed to test the effective UID as well as the real UID
> in X.Org. The test is defective in that it tested the address of the
> geteuid function, not the result of the function itself. As a result,
> given that the address of geteuid() is always non-zero, an unpriviliged
> user can load modules from any location on the filesystem with root
> privileges, or overwrite critical system files with the server log.
>
>
> Affected versions:
>
> xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
> of X11R7.0, is vulnerable.
> X11R6.9.0, and all release candidates, are vulnerable.
> X11R6.8.2 and earlier versions are not vulnerable.
>
> To check which version you have, run Xorg -version:
> % Xorg -version
> X Window System Version 7.0.0
> Release Date: 21 December 2005
> X Protocol Version 11, Revision 0, Release 7.0
> [...]
>
>
> Fix:
>
> Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
> X11R7 tree:
> 80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff
> 44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff
> http://xorg.freedesktop.org/releases/X11R7.0/patches/
>
> Alternately, xorg-server 1.0.2 has been released with this and other
> code fixes:
> 5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2
> b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2
> f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz
> 3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gz
> http://xorg.freedesktop.org/releases/individual/xserver/
>
> Apply the patch below to the X.Org server as distributed with X11R6.9:
> de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff
> f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/
>
>
> Thanks:
>
> We would like to thank Coverity for the use of their Prevent code audit
> tool, which discovered this particular flaw.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFEHrWaRkzMgPKxYGwRAqz8AJ4mIc6kr2tyPcevMGWwIKYCegL/RwCfY7cw
> DuNqH3vnHXhjQIxZdxtECig=
> =vLGw
> -----END PGP SIGNATURE-----
>
>
>

[ reply ]
Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 Mar 22 2006 08:16AM
Alan Coopersmith (alanc alum calberkeley org)


 

Privacy Statement
Copyright 2010, SecurityFocus