CERT/CC Vulnerability Note VU#837857

Overview

A vulnerability in the X.Org server could allow a local attacker to gain administrative privileges or cause a denial of service on an affected system.

Description

The X.Org server program provides several command-line options that are meant to be parsed only when the program is running as root. These include -modulepath, which specifies the location from which to load modules providing server functionality, and -logfile, which specifies the location of the server log file. Normally, these options cannot be changed by unprivileged users.

A flaw exists in the way that the server enforces this restriction because it evaluates the address of the geteuid function instead of the result of executing the function (i.e., "geteuid" versus "geteuid()"). This test is flawed because the address of geteuid is guaranteed to be nonzero. As a result, an unprivileged user can load modules from any location on the file system with root privileges or overwrite critical system files with the server log.

Impact

If the X.Org server program is setuid to root, as is typically the case, an authenticated local attacker can execute code or overwrite system files with administrative privileges on an affected system.

Solution

Apply a patch from the vendor

Patches have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Users who compile the X.Org server from source code or obtain binary releases directly from X.Org are encouraged to take the actions specified in the corresponding X.Org Security Advisory.

Vendor Information

837857

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Fedora Project Affected

Mandriva, Inc. Affected

SUSE Linux Affected

Sun Microsystems, Inc. Affected

X.org Foundation Affected

Updated: July 24, 2006

Statement Date: March 20, 2006

Status

Affected

Vendor Statement

X.Org Security Advisory, March 20th 2006 Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0 and X11R7.0 CVE-ID: CVE-2006-0745 Overview: During the analysis of results from the Coverity code review of X.Org, we discovered a flaw in the server that allows local users to execute arbitrary code with root privileges, or cause a denial of service by overwriting files on the system, again with root privileges. Vulnerability details: When parsing arguments, the server takes care to check that only root can pass the options -modulepath, which determines the location to load many modules providing server functionality from, and -logfile, which determines the location of the logfile. Normally, these locations cannot be changed by unprivileged users. This test was changed to test the effective UID as well as the real UID in X.Org. The test is defective in that it tested the address of the geteuid function, not the result of the function itself. As a result, given that the address of geteuid() is always non-zero, an unpriviliged user can load modules from any location on the filesystem with root privileges, or overwrite critical system files with the server log. Affected versions: xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates of X11R7.0, is vulnerable. X11R6.9.0, and all release candidates, are vulnerable. X11R6.8.2 and earlier versions are not vulnerable. To check which version you have, run Xorg -version: % Xorg -version X Window System Version 7.0.0 Release Date: 21 December 2005 X Protocol Version 11, Revision 0, Release 7.0 [...] Fix: Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular X11R7 tree: 80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff 44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diffhttp://xorg.freedesktop.org/releases/X11R7.0/patches/Alternately, xorg-server 1.0.2 has been released with this and other code fixes: 5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2 b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2 f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz 3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gzhttp://xorg.freedesktop.org/releases/individual/xserver/Apply the patch below to the X.Org server as distributed with X11R6.9: de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diffhttp://xorg.freedesktop.org/releases/X11R6.9.0/patches/Thanks: We would like to thank Coverity for the use of their Prevent code audit tool, which discovered this particular flaw.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Coverity with discovering and reporting this vulnerability to them.

This document was written by Chad R Dougherty.

Other Information

CVE IDs:	CVE-2006-0745
Severity Metric:	18.44
Date Public:	2006-03-20
Date First Published:	2006-08-16
Date Last Updated:	2009-11-20 19:16 UTC
Document Revision:	17

Software Engineering Institute

CERT Coordination Center

X.Org server fails to properly test for effective user ID

Vulnerability Note VU#837857

Overview

Description

Impact

Solution

Vendor Information

Fedora Project Affected

Status

Vendor Statement

Vendor Information

Addendum

Mandriva, Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

SUSE Linux Affected

Status

Vendor Statement

Vendor Information

Addendum

Sun Microsystems, Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

X.org Foundation Affected

Status

Vendor Statement

Vendor Information

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC