Re: [SC-L] HNS - Biggest X Window security hole since 2000
> > The author claims, "This flaw, caused by something as seemingly
> > harmless as a missing closing parenthesis, allowed local users to
> > execute code with root
>
> Certainly that part is OS-specific. On my VMS machine, X-windows
> processes do not run as root.

OS- and installation-specific. Neither the above nor the article says
just which piece of X is responsible, but I don't think any X code runs
as root on my (NetBSD) machines unless I specifically do so, such as
starting a terminal emulator from a root shell.

> > So, it sounds like a single byte change in the entire X src tree
> > could fix a bug that could give an attacker complete control of a
> > system. Lovely...

And, of course, nobody ever bothers to say just what the problem was.
Grrr. (Fortunately, I don't care, since I am running pre-X11R6.9.0
code, or I'd be trying to chase down the diff.)

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML                  [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] HNS - Biggest X Window security hole since 2000
der Mouse wrote:

> And, of course, nobody ever bothers to say just what the problem was.
> Grrr. (Fortunately, I don't care, since I am running pre-X11R6.9.0
> code, or I'd be trying to chase down the diff.)

Bad code:

    /* First the options that are only allowed for root */
    if (getuid() == 0 || geteuid != 0) {
        if (!strcmp(argv[i], "-modulepath"))

Good code:

    /* First the options that are only allowed for root */
    if (getuid() == 0 || geteuid() != 0) {
        if (!strcmp(argv[i], "-modulepath"))

The problem, of course, is that the address of geteuid is always == true.

rCs

-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-6989
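The two fragments above, side by side in a form that can actually be run. This is an added example, not code from the X.Org tree or from anyone on the thread: the names root_only_allowed_buggy, root_only_allowed_fixed and parse_modulepath are hypothetical stand-ins for the option-parsing loop the fragments come from, and the real and effective uids are passed in as parameters (rather than read with getuid()/geteuid()) so the setuid-root case (real uid 1000, effective uid 0) can be exercised from an unprivileged process. The buggy predicate keeps the missing "()" exactly as posted.

```c
/* Added example, not from X.Org or the SC-L thread.  Hypothetical
 * helper names; uids are parameters so both variants can be driven
 * from any process. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The posted "bad code" predicate, missing "()" reproduced verbatim.
 * "geteuid != 0" compares the ADDRESS of the libc function geteuid with
 * a null pointer; that is never equal, so the right-hand side is always
 * true and the effective uid is never consulted.  gcc -Wall (-Waddress)
 * and clang both warn on this line; that warning is the cheapest check
 * that would have caught the bug. */
static int root_only_allowed_buggy(uid_t real_uid, uid_t effective_uid)
{
    (void)effective_uid;                 /* never looked at */
    return real_uid == 0 || geteuid != 0;
}

/* The posted "good code" predicate: allow if the invoking user really is
 * root, or if the process is not setuid-root (effective uid != 0), in
 * which case honouring a root-only option gains the caller nothing. */
static int root_only_allowed_fixed(uid_t real_uid, uid_t effective_uid)
{
    return real_uid == 0 || effective_uid != 0;
}

/* Minimal stand-in for the server's option loop.  Returns the value
 * given to -modulepath if the privilege check admits it, NULL otherwise.
 * -modulepath is where loadable modules (run in the server's address
 * space, with its privileges) are looked up, hence root-only. */
static const char *parse_modulepath(int argc, char **argv,
                                    uid_t real_uid, uid_t effective_uid,
                                    int (*allowed)(uid_t, uid_t))
{
    for (int i = 1; i < argc; i++) {
        /* First the options that are only allowed for root */
        if (allowed(real_uid, effective_uid)) {
            if (!strcmp(argv[i], "-modulepath") && i + 1 < argc)
                return argv[++i];
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed argv: an unprivileged user (uid 1000) starting a
     * setuid-root server (euid 0) and pointing it at a module directory
     * the user controls. */
    char *argv[] = { "Xorg", "-modulepath", "/tmp/user-owned-modules", NULL };
    int argc = 3;

    const char *b = parse_modulepath(argc, argv, 1000, 0, root_only_allowed_buggy);
    const char *f = parse_modulepath(argc, argv, 1000, 0, root_only_allowed_fixed);
    printf("buggy check: -modulepath %s\n", b ? b : "rejected");
    printf("fixed check: -modulepath %s\n", f ? f : "rejected");
    return 0;
}
```

With the buggy predicate the setuid-root invocation from uid 1000 is admitted and the server will load modules from a user-owned directory; with the fixed predicate it is rejected, while root (real uid 0) and a non-setuid server (effective uid != 0) are still allowed through. Compiling the block with -Wall reproduces the "address of 'geteuid' will always evaluate as 'true'" warning on the buggy line.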
Re: [SC-L] HNS - Biggest X Window security hole since 2000
> Certainly that part is OS-specific. On my VMS machine, X-windows
> processes do not run as root.

The X Window server needs elevated privileges because it can trigger DMA
on the graphics card (and thus read arbitrary memory, unless you've got
an IOMMU). Chances are, however, that your VMS implementation does not
even support the Xrender extension.

Of course, the impact of this vulnerability is exaggerated in the
article. Local privilege escalation vulnerabilities are numerous.
Re: [SC-L] HNS - Biggest X Window security hole since 2000
I noticed quite a lot of Linux distros have already patched this or are
doing so as I write. Do not know if X Org has yet, but I remember a post
by Secunia about this a day or so ago.

Regards,
George
Greenarrow1
InNetInvestigations-Forensic

- Original Message -
From: Kenneth R. van Wyk [EMAIL PROTECTED]
To: Gadi Evron [EMAIL PROTECTED]
Cc: Secure Coding SC-L@securecoding.org
Sent: Thursday, May 04, 2006 10:37 AM
Subject: Re: [SC-L] HNS - Biggest X Window security hole since 2000
Re: [SC-L] HNS - Biggest X Window security hole since 2000
At 11:12 AM -0400 5/4/06, Kenneth R. van Wyk wrote:

> Stories about this (below) X bug and the DHS-sponsored project that
> found it have been floating around the net all week. This story caught
> my eye, though:
>
> http://www.net-security.org/secworld.php?id=3994
>
> The author claims, "This flaw, caused by something as seemingly
> harmless as a missing closing parenthesis, allowed local users to
> execute code with root

Certainly that part is OS-specific. On my VMS machine, X-windows
processes do not run as root.

> privileges, giving them the ability to overwrite system files or
> initiate denial of service attacks."
>
> So, it sounds like a single byte change in the entire X src tree could
> fix a bug that could give an attacker complete control of a system.
> Lovely...

-- 
Larry Kilgallen
Re: [SC-L] HNS - Biggest X Window security hole since 2000
On Thu, 4 May 2006, Kenneth R. van Wyk wrote:

> Stories about this (below) X bug and the DHS-sponsored project that
> found it have been floating around the net all week. This story caught
> my eye, though:
>
> http://www.net-security.org/secworld.php?id=3994
>
> The author claims, "This flaw, caused by something as seemingly
> harmless as a missing closing parenthesis, allowed local users to
> execute code with root privileges, giving them the ability to
> overwrite system files or initiate denial of service attacks."
>
> So, it sounds like a single byte change in the entire X src tree could
> fix a bug that could give an attacker complete control of a system.
> Lovely...

Hmm, I think this was fixed in earlier X versions.

Gadi.

> Cheers,
>
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com
Re: [SC-L] HNS - Biggest X Window security hole since 2000
On Thursday 04 May 2006 12:40, Gadi Evron wrote:

> Hmm, I think this was fixed in earlier X versions.

Not impossible, but the article clearly indicated that it's in 6.9.0 and
7.0.0, which are the most current in general circulation, I believe.
But, some bugs are so important that they deserved to be fixed more than
once. It sure wouldn't be the first time that a bug found its way back
into a src tree.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com