Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-08 Thread der Mouse
> > The author claims, This flaw, caused by something as seemingly
> > harmless as a missing closing parenthesis, allowed local users to
> > execute code with root
> Certainly that part is OS-specific.  On my VMS machine, X-windows
> processes do not run as root.

OS- and installation-specific.  Neither the above nor the article says
just which piece of X is responsible, but I don't think any X code runs
as root on my (NetBSD) machines unless I specifically do so, such as
starting a terminal emulator from a root shell.

> > So, it sounds like a single byte change in the entire X src tree
> > could fix a bug that could give an attacker complete control of a
> > system.  Lovely...

And, of course, nobody ever bothers to say just what the problem was.
Grrr.  (Fortunately, I don't care, since I am running pre-X11R6.9.0
code, or I'd be trying to chase down the diff.)

/~\ The ASCII   der Mouse
\ / Ribbon Campaign
 X  Against HTML   [EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-08 Thread Robert C. Seacord
der Mouse wrote:

> And, of course, nobody ever bothers to say just what the problem was.
> Grrr.  (Fortunately, I don't care, since I am running pre-X11R6.9.0
> code, or I'd be trying to chase down the diff.)

Bad code:

/* First the options that are only allowed for root */
    if (getuid() == 0 || geteuid != 0) {
        if (!strcmp(argv[i], "-modulepath"))

Good code:

/* First the options that are only allowed for root */
    if (getuid() == 0 || geteuid() != 0) {
        if (!strcmp(argv[i], "-modulepath"))

The problem, of course, is that the address of geteuid is
always == true.

rCs

-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC

Work: 412-268-7608
FAX: 412-268-6989
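As an added illustration (this is not code from the thread or from the X.Org tree), the two forms of the check Robert quotes, side by side, in a self-contained C program. The real getuid()/geteuid() calls are replaced by constructed mock functions so the effect can be exercised for any uid/euid pair without actually being root, and the argv vector and the module path are constructed values as well.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-ins for the kernel-supplied identities, so both
   forms of the check can be exercised with any uid/euid pair. */
static uid_t mock_uid;
static uid_t mock_euid;

static uid_t mock_getuid(void)  { return mock_uid; }
static uid_t mock_geteuid(void) { return mock_euid; }

void set_identities(uid_t uid, uid_t euid)
{
    mock_uid = uid;
    mock_euid = euid;
}

/* The check as quoted from the vulnerable tree: without the "()",
   "mock_geteuid != 0" compares the function's address with a null
   pointer, which is always true, so the whole condition is always true
   and the root-only options are accepted from any caller. */
int root_options_allowed_buggy(void)
{
    return mock_getuid() == 0 || mock_geteuid != 0;
}

/* The fixed check. Root-only options are accepted when the real user is
   root, or when the effective uid is not root (nothing setuid to gain).
   The case that must be refused is an unprivileged user starting a
   setuid-root server: uid != 0 and euid == 0. */
int root_options_allowed_fixed(void)
{
    return mock_getuid() == 0 || mock_geteuid() != 0;
}

/* Walk an argv-style vector the way the quoted parser does. Returns 1 if
   "-modulepath" would be honoured under the supplied check, else 0. */
int accepts_modulepath(int argc, char **argv, int (*allowed)(void))
{
    for (int i = 1; i < argc; i++) {
        if (allowed()) {
            if (!strcmp(argv[i], "-modulepath"))
                return 1;
        }
    }
    return 0;
}

/* Convenience wrapper over a constructed command line. */
int constructed_argv_accepts_modulepath(int (*allowed)(void))
{
    char *argv[] = { "Xorg", "-modulepath", "/constructed/module/dir" };
    return accepts_modulepath(3, argv, allowed);
}

int main(void)
{
    /* Unprivileged user running a setuid-root server: the buggy check
       lets -modulepath through, the fixed one refuses it. */
    set_identities(1000, 0);
    printf("uid 1000, euid 0: buggy=%d fixed=%d\n",
           constructed_argv_accepts_modulepath(root_options_allowed_buggy),
           constructed_argv_accepts_modulepath(root_options_allowed_fixed));
    return 0;
}
```

The defensive check that catches this class of slip at build time is the compiler itself: gcc's -Waddress (part of -Wall) warns that the address of a function will always evaluate as true, and clang warns on the same comparison by default. Treating that warning as an error in the build would have stopped the missing parenthesis from shipping.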


Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-08 Thread Florian Weimer
> Certainly that part is OS-specific.  On my VMS machine, X-windows processes
> do not run as root.

The X Window server needs elevated privileges because it can trigger
DMA on the graphics card (and thus read arbitrary memory, unless
you've got an IOMMU).  Chances are, however, that your VMS
implementation does not even support the Xrender extension.

Of course, the impact of this vulnerability is exaggerated in the
article.  Local privilege escalation vulnerabilities are numerous.


Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-05 Thread Greenarrow 1
I noticed quite a lot of Linux distros have already patched this or are as I 
write.  Do not know if X.Org has yet but remember a post by Secunia about 
this a day or so ago.

Regards,
George
Greenarrow1
InNetInvestigations-Forensic


- Original Message - 
From: Kenneth R. van Wyk [EMAIL PROTECTED]
To: Gadi Evron [EMAIL PROTECTED]
Cc: Secure Coding SC-L@securecoding.org
Sent: Thursday, May 04, 2006 10:37 AM
Subject: Re: [SC-L] HNS - Biggest X Window security hole since 2000




Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-05 Thread ljknews
At 11:12 AM -0400 5/4/06, Kenneth R. van Wyk wrote:
> 
> Stories about this (below) X bug and the DHS-sponsored project that found it 
> have been floating around the net all week.  This story caught my eye, 
> though:
> 
> http://www.net-security.org/secworld.php?id=3994
> 
> The author claims, "This flaw, caused by something as seemingly harmless as a 
> missing closing parenthesis, allowed local users to execute code with root 

Certainly that part is OS-specific.  On my VMS machine, X-windows processes
do not run as root.

> privileges, giving them the ability to overwrite system files or initiate 
> denial of service attacks."
> 
> So, it sounds like a single byte change in the entire X src tree could fix a 
> bug that could give an attacker complete control of a system.  Lovely...
-- 
Larry Kilgallen


Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Gadi Evron
On Thu, 4 May 2006, Kenneth R. van Wyk wrote:
> Stories about this (below) X bug and the DHS-sponsored project that found it 
> have been floating around the net all week.  This story caught my eye, 
> though:
> 
> http://www.net-security.org/secworld.php?id=3994
> 
> The author claims, "This flaw, caused by something as seemingly harmless as a 
> missing closing parenthesis, allowed local users to execute code with root 
> privileges, giving them the ability to overwrite system files or initiate 
> denial of service attacks."
> 
> So, it sounds like a single byte change in the entire X src tree could fix a 
> bug that could give an attacker complete control of a system.  Lovely...

Hmm, I think this was fixed in earlier X versions.

Gadi.

> 
> Cheers,
> 
> Ken van Wyk
> -- 
> KRvW Associates, LLC
> http://www.KRvW.com
> 



Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
On Thursday 04 May 2006 12:40, Gadi Evron wrote:
> Hmm, I think this was fixed in earlier X versions.

Not impossible, but the article clearly indicated that it's in 6.9.0 and 
7.0.0, which are the most current in general circulation, I believe.

But, some bugs are so important that they deserve to be fixed more than once.  
It sure wouldn't be the first time that a bug found its way back into a src 
tree.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com

