Date: Sun, 21 Mar 1999 21:34:48 -0800
From: in.telnetd
To: BUGTRAQ@netspace.org
Subject: X11R6 NetBSD Security Problem

Hey

If this has already been brought up, you have the right to stone me to death, but I haven't seen it and I've searched, so here it is:

I was fooling around today, and decided to rm /tmp/.X11-unix and then make a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed up /etc/passwd and
ln -s /etc/passwd /tmp/.X11-unix
and then startx'd as a normal user account, but X wouldn't start; it complained and said "is not a directory". So, I made a symbolic link from /root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised to have write access to /root. I was able to write new files to /root but was not able to overwrite or change files; I was able to make a "+ +" .rhosts though.

I did this to /etc also, changed it from:
drwxr-xr-x
To:
drwxrwxrwt
with:
telnetd ~$ ln -s /etc /tmp/.X11-unix
telnetd ~$ startx

I have tested this via a remote telnet session also. It works if you are able to startx and X isn't already running. I swung my chair around and got on my gateway, telneted to stinky, logged in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotely, saw the X startup crap, looked behind me and saw X starting on stinky, I turned to my gateway and stopped X, and had write access to /etc.

wh00t@$#!$

The only real thing I can think of for this to be useful is .rhosts in /root...

later
telnetd@doemill.shocking.com

-----------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 21:41:40 -0800
From: in.telnetd
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

oops, I forgot to say, this was on NetBSD 1.3.3, fresh install
if you could append this to my last message, it would be appreciated

aleph1

-----------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 17:20:26 -0800
From: /usr/libexec/telnetd
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

Well, when there's a reboot, /tmp/ is cleared. And if you haven't started X yet, it could be a problem. This isn't an ultra spiffy important problem, just thought I would bring it up.

> drwxrwxrwt 2 root root 1024 Mar 25 10:52 .X11-unix/
>
> I'd like to see a non-root user delete that from /tmp. Many systems have this
> in place like this, since root is the first to log into X. Systems that do not
> have this directory owned by root should chown it.
>
> Taral
>

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 23:41:02 +0200
From: Petras Sinkevicius
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

On Sun, 21 Mar 1999, in.telnetd wrote:

> oops, I forgot to say, this was on NetBSD 1.3.3, fresh install
> if you could append this to my last message, it would be appreciated
> aleph1
>

This also works under Linux, X11 v3.3.3, links to directories and files

----
bebras@petras:/tmp> ln -s /etc/group /tmp/.X11-unix
bebras@petras:/tmp> ls -l /etc/group
-rw-r--r-- 1 root root 336 Mar 6 13:56 /etc/group
bebras@petras:/tmp> startx
_X11TransSocketUNIXConnect: Can't connect: errno = 111
giving up.
xinit: Connection refused (errno 111): unable to connect to X server
xinit: No such process (errno 3): Server error.
bebras@petras:/tmp> ls -l /etc/group
-rwxrwxrwt 1 root root 336 Mar 6 13:56 /etc/group*
----

--
Drakosha
Petras Sinkevicius
petras@bebras.dammit.lt

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 21:21:20 +0100
From: Matthieu Herrb To: BUGTRAQ@netspace.org Subject: Re: X11R6 NetBSD Security Problem in.telnetd wrote (in a message from Sunday 21) > > telnetd ~$ ln -s /etc /tmp/.X11-unix > telnetd ~$ startx The following patch should fix this: Index: xc/lib/xtrans/Xtransint.h =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtransint.h,v retrieving revision 1.1.1.2 diff -u -r1.1.1.2 Xtransint.h --- xc/lib/xtrans/Xtransint.h 1998/11/28 08:26:08 1.1.1.2 +++ xc/lib/xtrans/Xtransint.h 1999/03/26 08:20:27 @@ -455,6 +455,12 @@ #endif ); +static int trans_mkdir ( +#if NeedFunctionPrototypes + char *, /* path */ + int /* mode */ +#endif +); /* * Some XTRANSDEBUG stuff Index: xc/lib/xtrans/Xtranslcl.c =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtranslcl.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 Xtranslcl.c --- xc/lib/xtrans/Xtranslcl.c 1999/01/08 17:31:44 1.1.1.4 +++ xc/lib/xtrans/Xtranslcl.c 1999/03/26 08:20:32 @@ -444,9 +444,11 @@ #else mode = 0777; #endif - - mkdir(X_STREAMS_DIR, mode); - chmod(X_STREAMS_DIR, mode); + if (trans_mkdir(X_STREAMS_DIR, mode) == -1) { + PRMSG (1, "PTSOpenServer: mkdir(%s) failed, errno = %d\n", + X_STREAMS_DIR, errno, 0); + return(-1); + } if( (fd=open(server_path, O_RDWR)) >= 0 ) { #if 0 @@ -724,9 +726,11 @@ #else mode = 0777; #endif - - mkdir(X_STREAMS_DIR, mode); - chmod(X_STREAMS_DIR, mode); + if (trans_mkdir(X_STREAMS_DIR, mode) == -1) { + PRMSG (1, "NAMEDOpenServer: mkdir(%s) failed, errno = %d\n", + X_STREAMS_DIR, errno, 0); + return(-1); + } if(stat(server_path, &sbuf) != 0) { if (errno == ENOENT) { 
@@ -1044,10 +1048,18 @@ mode = 0777; #endif - mkdir(X_STREAMS_DIR, mode); /* "/dev/X" */ - chmod(X_STREAMS_DIR, mode); - mkdir(X_ISC_DIR, mode); /* "/dev/X/ISCCONN" */ - chmod(X_ISC_DIR, mode); + /* "/dev/X" */ + if (trans_mkdir(X_STREAMS_DIR, mode) == -1) { + PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n", + X_STREAMS_DIR, errno, 0); + return(-1); + } + /* "/dev/X/ISCCONN" */ + if (trans_mkdir(X_ISC_DIR, mode) == -1) { + PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n", + X_ISC_DIR, errno, 0); + return(-1); + } unlink(server_path); @@ -1072,8 +1084,11 @@ */ #define X_UNIX_DIR "/tmp/.X11-unix" - mkdir(X_UNIX_DIR, mode); - chmod(X_UNIX_DIR, mode); + if (trans_mkdir(X_UNIX_DIR, mode) == -1) { + PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n", + X_UNIX_DIR, errno, 0); + return(-1); + } unlink(server_unix_path); Index: xc/lib/xtrans/Xtranssock.c =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtranssock.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 Xtranssock.c --- xc/lib/xtrans/Xtranssock.c 1999/01/08 17:31:46 1.1.1.4 +++ xc/lib/xtrans/Xtranssock.c 1999/03/26 08:20:38 @@ -946,8 +946,11 @@ #else mode = 0777; #endif - mkdir (UNIX_DIR, mode); - chmod (UNIX_DIR, mode); + if (trans_mkdir(UNIX_DIR, mode) == -1) { + PRMSG (1, "SocketUNIXCreateListener: mkdir(%s) failed, errno = %d\n", + UNIX_DIR, errno, 0); + return TRANS_CREATE_LISTENER_FAILED; + } #endif sockname.sun_family = AF_UNIX; 
@@ -1041,8 +1044,11 @@ #else mode = 0777; #endif - mkdir (UNIX_DIR, mode); - chmod (UNIX_DIR, mode); + if (trans_mkdir(UNIX_DIR, mode) == -1) { + PRMSG (1, "SocketUNIXResetListener: mkdir(%s) failed, errno = %d\n", + UNIX_DIR, errno, 0); + return TRANS_RESET_FAILURE; + } #endif close (ciptr->fd); Index: xc/lib/xtrans/Xtransutil.c =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtransutil.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 Xtransutil.c --- xc/lib/xtrans/Xtransutil.c 1997/09/05 09:02:43 1.1.1.1 +++ xc/lib/xtrans/Xtransutil.c 1999/03/26 08:20:40 @@ -465,3 +465,32 @@ return (1); } + +#include +#include +#include + +static int +trans_mkdir(char *path, int mode) +{ + struct stat buf; + + if (mkdir(path, mode) == 0) { + /* I don't know why this is done, but it was in the original + xtrans code */ + chmod(path, mode); + return 0; + } + /* If mkdir failed with EEXIST, test if it is a directory with + the right modes, else fail */ + if (errno == EEXIST) { + if (stat(path, &buf) != 0) { + return -1; + } + if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) { + return 0; + } + } + /* In all other cases, fail */ + return -1; +} -- Matthieu ----------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 13:55:13 +0100 
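Review bot: the Xtransint.h hunk declares trans_mkdir as `static int trans_mkdir(...)` inside a header. That only links because the xtrans sources are pulled into one translation unit; any other file that includes Xtransint.h without also including Xtransutil.c will get an unused or undefined static. A one-line comment at the declaration saying it is defined in Xtransutil.c, next to the existing static prototypes that follow the same convention, would save the next reader the search.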
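Review bot: in the SocketUNIXResetListener hunk the new `return TRANS_RESET_FAILURE;` happens before the `close (ciptr->fd);` that follows the `#endif`, so on a failed trans_mkdir the old listener descriptor stays open. If the intent is to keep the existing listener usable when the directory cannot be re-created, a comment saying so would help; otherwise the descriptor leaks on that path.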
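Review bot: in the Xtransutil.c hunk, trans_mkdir's EEXIST branch calls stat(), which follows symlinks, so a link at /tmp/.X11-unix pointing at any directory that already has the expected mode still passes `S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)`; use lstat() and additionally require buf.st_uid to be root (or the server's own uid), since in a sticky /tmp a directory owned by another user can be removed and replaced by that user. Two smaller points: the exact equality on the mode makes the server refuse to start on a pre-existing root-owned directory whose mode differs from the compiled-in one, which deserves either a note in the log message or a relaxed test on just the bits that matter; and the "I don't know why this is done" comment before `chmod(path, mode);` can be replaced with the actual reason, that mkdir(2) masks the requested mode with the process umask, so chmod is what yields the intended 0777/01777.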
From: Pavel Machek
To: BUGTRAQ@netspace.org
Subject: not only NetBSD [was Re: X11R6 NetBSD Security Problem]

Hi!

> If this has already been brought up, you have the right to stone me to
> death, but I haven't seen it and I've searched, so here it is:
>
> I was fooling around today, and decided to rm /tmp/.X11-unix and then make
> a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
> up /etc/passwd and
> ln -s /etc/passwd /tmp/.X11-unix
> and then startx'd as a normal user account, but X wouldn't start, it
> complained and said "is not a directory" So, I made a symbolic link from
> /root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
> to have write access to /root.

I tried to reproduce on 2.2.4 linux using

XFree86 Version 3.3.2 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: March 2 1998
If the server is older than 6-12 months, or if your card is newer
than the above date, look for a newer version before reporting
problems. (see http://www.XFree86.Org/FAQ)
.

I'm not able to get write access to /etc, still I'm able to create file

srwxrwxrwx 1 root root 0 Mar 26 13:48 X0=

in previously unwritable directory. Bug, it seems.

[There was some talk about /tmp/.X11-unix directories, and I think that this problem might very well get _worse_ with new 3.3.3 release. Please check.]

Pavel
--
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).

-----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 19:01:41 -0800
From: Kevin Vajk
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

This patch looks pretty good. (Much better than the current situation!!!)
A few comments:

On Fri, 26 Mar 1999, Matthieu Herrb wrote:

> +    if (errno == EEXIST) {
> +        if (stat(path, &buf) != 0) {

This should be lstat().

> +        if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) {
> +            return 0;
> +        }
> +    }

I think you'll want to check the owner of the directory, too.

- Kevin Vajk

-----------------------------------------------------------------------------

Date: Wed, 31 Mar 1999 11:12:52 -0600
From: Patrick J. Volkerding
To: BUGTRAQ@netspace.org
Subject: XFree86 security problem

On Mon, 29 Mar 1999, Domas Mituzas wrote:

> why is RedHat delaying release of this package
> as it smells like root takeover (it was too easy
> to change /etc/ and /etc/passwd permissions to
> something neat).
>
> [...]
>
> This is cross-platform bug, as I found it in
> all OS that run XFree86 3.3.3 server. As far as
> I know it is on every Linux distribution (especially
> newest ones) and BSD's.

Before flying off the handle at Red Hat, you might consider that quite possibly they aren't vulnerable to this problem. As far as I can tell, if the system ships with a /tmp/.X11-unix/ directory already in place, and none of the system scripts delete it, then there's no security problem since nobody can put a rogue symlink at that location in /tmp.

I know Slackware Linux isn't vulnerable to this problem, and never was, and I don't think we're the only ones to ship a Linux OS that provides a pre-existing /tmp/.X11-unix/.

--
Patrick J. Volkerding
Slackware Linux Project