On Mon, Oct 29, 2018 at 10:33:18PM -0700, Sphere wrote:
> https://threatpost.com/x-org-flaw-allows-privilege-escalation-in-linux-systems/138624/
>
> It is said that leveraging the vulnerability is possible from a remote SSH
> session. Say an attacker was able to successfully gain a remote SSH session
> in an untrusted VM, do you think it would be possible to gain full control
> through qubes' implementation of X.org?
>
> I checked around and if I understand it right, qubes utilizes X.org in order
> to integrate the display of PVH VM applications to what the user can/must see.
>
> Because of this, what's in my mind right now is that it's possible to
> leverage this vulnerability to gain full control but since I don't have an
> idea of the codes or how exactly qubes' implementation of X.org works, I
> would like to kindly ask for your thoughts about this matter.
>
> Earlier I was about to remove setuid of Xorg but I thought it has a good
> chance of breaking my desktop environment altogether and that would be a lot
> of trouble for me.
>
This is just another vulnerability - if you give someone else access to your Qubes machine, local or remote, you've diminished your security.

In this particular case, each qube runs its own Xserver, which may be vulnerable, but you've already given someone else access to that qube.

Would it be possible to leverage that for an attack on dom0? That would require an exploit on qubes_gui and vchan, and *that* would be available to the external user whether this exploit existed or not.

Of course, the long awaited GUI domain would help to mitigate attacks against X, but it isn't here yet.

unman
