search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

X.Org server fails to properly test for effective user ID

Vulnerability Note VU#837857

Original Release Date: 2006-08-16 | Last Revised: 2009-11-20

Overview

A vulnerability in the X.Org server could allow a local attacker to gain administrative privileges or cause a denial of service on an affected system.

Description

The X.Org server program provides several command-line options that are meant to be parsed only when the program is running as root. These include -modulepath, which specifies the location from which to load modules providing server functionality, and -logfile, which specifies the location of the server log file. Normally, these options cannot be changed by unprivileged users.

A flaw exists in the way that the server enforces this restriction because it evaluates the address of the geteuid function instead of the result of executing the function (i.e., "geteuid" versus "geteuid()"). This test is flawed because the address of geteuid is guaranteed to be nonzero. As a result, an unprivileged user can load modules from any location on the file system with root privileges or overwrite critical system files with the server log.

Impact

If the X.Org server program is setuid to root, as is typically the case, an authenticated local attacker can execute code or overwrite system files with administrative privileges on an affected system.

Solution

Apply a patch from the vendor

Patches have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Users who compile the X.Org server from source code or obtain binary releases directly from X.Org are encouraged to take the actions specified in the corresponding X.Org Security Advisory.

Vendor Information

837857
 
Expand all

Fedora Project Affected

Updated:  July 24, 2006

Statement Date:   March 20, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The Fedora Project has published Fedora Update Notification FEDORA-2006-172 in response to this issue. Users are encouraged to review this notification and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Affected

Updated:  July 24, 2006

Statement Date:   March 20, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Mandriva has published Mandriva Security Advisory MDKSA-2006:056 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Updated:  July 24, 2006

Statement Date:   March 21, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

SUSE has published SUSE Security Announcement SUSE-SA:2006:016 in response to this issue. Users are encouraged to review this announcement and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc. Affected

Updated:  July 24, 2006

Statement Date:   March 20, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Sun Microsystems, Inc. has published Sun Alert ID: 102252 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

X.org Foundation Affected

Updated:  July 24, 2006

Statement Date:   March 20, 2006

Status

Affected

Vendor Statement

X.Org Security Advisory, March 20th 2006
Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
and X11R7.0
CVE-ID: CVE-2006-0745


Overview:

During the analysis of results from the Coverity code review of X.Org,
we discovered a flaw in the server that allows local users to execute
arbitrary code with root privileges, or cause a denial of service by
overwriting files on the system, again with root privileges.


Vulnerability details:

When parsing arguments, the server takes care to check that only root
can pass the options -modulepath, which determines the location to load
many modules providing server functionality from, and -logfile, which
determines the location of the logfile.  Normally, these locations
cannot be changed by unprivileged users.

This test was changed to test the effective UID as well as the real UID
in X.Org.  The test is defective in that it tested the address of the
geteuid function, not the result of the function itself.  As a result,
given that the address of geteuid() is always non-zero, an unpriviliged
user can load modules from any location on the filesystem with root
privileges, or overwrite critical system files with the server log.


Affected versions:

xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
of X11R7.0, is vulnerable.
X11R6.9.0, and all release candidates, are vulnerable.
X11R6.8.2 and earlier versions are not vulnerable.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[...]


Fix:

Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
X11R7 tree:
80db6a3ab76334061ec6102e74ef5607          xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91  xorg-server-1.0.1-geteuid.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

Alternately, xorg-server 1.0.2 has been released with this and other
code fixes:
5cd3316f07ed32a05cbd69e73a71bc74          xorg-server-1.0.2.tar.bz2
b2257e984c5111093ca80f1f63a7a9befa20b6c0  xorg-server-1.0.2.tar.bz2
f44f0f07136791ed7a4028bd0dd5eae3          xorg-server-1.0.2.tar.gz
3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3  xorg-server-1.0.2.tar.gz
http://xorg.freedesktop.org/releases/individual/xserver/

Apply the patch below to the X.Org server as distributed with X11R6.9:
de85e59b8906f76a52ec9162ec6c0b63          x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860  x11r6.9.0-geteuid.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/


Thanks:

We would like to thank Coverity for the use of their Prevent code audit
tool, which discovered this particular flaw.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Coverity with discovering and reporting this vulnerability to them.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2006-0745
Severity Metric: 18.44
Date Public: 2006-03-20
Date First Published: 2006-08-16
Date Last Updated: 2009-11-20 19:16 UTC
Document Revision: 17

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis