Bug 156974 - (CVE-2006-0745) VUL-0: CVE-2006-0745: Xorg: root hole in Xorg when installed setuid root
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assigned To: Security Team bot
CVE-2006-0745: CVSS v2 Base Score: 7....
Reported: 2006-03-10 10:46 UTC by Thomas Biege
Modified: 2017-04-14 13:50 UTC (History)

Found By: Other


Attachments
patchinfo (967 bytes, text/plain), 2006-03-13 18:11 UTC, Stefan Dirsch
patchinfo (605 bytes, text/plain), 2006-03-14 08:04 UTC, Stefan Dirsch

Description Thomas Biege 2006-03-10 10:46:05 UTC
Hello Stefan,
here we go...

Date: Thu, 09 Mar 2006 19:20:42 -0800
From: Alan Coopersmith <Alan.Coopersmith@Sun.COM>
To: xorg_security@x.org
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050515)
Cc: Daniel Stone <daniel@freedesktop.org>
Subject: [Xorg_security] root hole in Xorg when installed setuid root
        (coverity id 9482)
Errors-To: xorg_security-bounces@x.org

Just noticed this in the coverity scans:

xc/programs/Xserver/hw/xfree86/common/xf86Init.c:

1378      /* First the options that are only allowed for root */

Event func_conv: Suspicious implicit conversion to function pointer:
"&geteuid != 0"; did you intend to call the function?
At conditional (1): "getuid == 0" taking false path

1379      if (getuid() == 0 || geteuid != 0)
1380      {

(and the same again at line 1682)

and sure enough, if Xorg is installed setuid root, the check passes
incorrectly (since the address of the geteuid function is never NULL).

Easy, non-destructive test - run this as a normal user:
        Xorg -logfile /etc/foo
and it creates/overwrites /etc/foo as root.

Since one of the other options protected as such is -modulepath to let you
load code from strange places, this seems particularly risky.  (-configure
is also protected this way, but I'm not sure why that is.)


The fix is simple - change all "geteuid != 0" to include () after geteuid
in hw/xfree86/common/xf86Init.c.

According to cvsweb, this bug went in on Jan 28 2005, so would only appear
to be in 6.9/7.0, not 6.8.2 or earlier.

http://webcvs.freedesktop.org/xorg/xc/programs/Xserver/hw/xfree86/common/xf86Init.c?r1=1.16&r2=1.17

Everyone agree this is bad?   How long do we want to allow to coordinate
fixes before going public?

        -Alan Coopersmith-           alan.coopersmith@sun.com
         Sun Microsystems, Inc. - X Window System Engineering


_______________________________________________
Xorg_security mailing list
Xorg_security@x.org
http://expo.x.org/mailman/listinfo/xorg_security

Date: Fri, 10 Mar 2006 08:06:53 +0100
From: Matthieu Herrb <matthieu@herrb.com>
User-Agent: Mail/News  (X11/20060205)
To: Alan Coopersmith <Alan.Coopersmith@Sun.COM>
Subject: Re: [Xorg_security] root hole in Xorg when installed setuid root
        (coverity id 9482)
Cc: xorg_security@x.org, Daniel Stone <daniel@freedesktop.org>
Errors-To: xorg_security-bounces@x.org

Alan Coopersmith wrote:
>Just noticed this in the coverity scans:
>
>xc/programs/Xserver/hw/xfree86/common/xf86Init.c:
>
>1378       /* First the options that are only allowed for root */
>
>Event func_conv: Suspicious implicit conversion to function pointer:
>"&geteuid != 0"; did you intend to call the function?
>At conditional (1): "getuid == 0" taking false path
>
>1379       if (getuid() == 0 || geteuid != 0)
>1380       {
>
>(and the same again at line 1682)
>
>and sure enough, if Xorg is installed setuid root, the check passes
>incorrectly (since the address of the geteuid function is never NULL).
>
>Easy, non-destructive test - run this as a normal user:
>    Xorg -logfile /etc/foo
>and it creates/overwrites /etc/foo as root.
>
>Since one of the other options protected as such is -modulepath to let you
>load code from strange places, this seems particularly risky.  (-configure
>is also protected this way, but I'm not sure why that is.)

-configure lets you generate a configuration file from autoconfig code.

>
>The fix is simple - change all "geteuid != 0" to include () after geteuid
>in hw/xfree86/common/xf86Init.c.
>
>According to cvsweb, this bug went in on Jan 28 2005, so would only appear
>to be in 6.9/7.0, not 6.8.2 or earlier.
>
>http://webcvs.freedesktop.org/xorg/xc/programs/Xserver/hw/xfree86/common/xf86Init.c?r1=1.16&r2=1.17
>
>
>Everyone agree this is bad?   How long do we want to allow to coordinate
>fixes before going public?

Yes that's bad. Luckily the fix is pretty obvious. We should make
vendor-sec aware first.
I can do it later today. If no one objects.


Date: Fri, 10 Mar 2006 10:25:09 +0200
From: Daniel Stone <daniel@fooishbar.org>
To: Alan Coopersmith <Alan.Coopersmith@Sun.COM>
Mail-Followup-To: Alan Coopersmith <Alan.Coopersmith@Sun.COM>,
        xorg_security@x.org
User-Agent: Mutt/1.5.11
Cc: xorg_security@x.org
Subject: [Xorg_security] Re: root hole in Xorg when installed setuid root
        (coverity id 9482)
Errors-To: xorg_security-bounces@x.org


On Thu, Mar 09, 2006 at 07:20:42PM -0800, Alan Coopersmith wrote:
> Just noticed this in the coverity scans:
>
> xc/programs/Xserver/hw/xfree86/common/xf86Init.c:
>
> 1378    /* First the options that are only allowed for root */
>
> Event func_conv: Suspicious implicit conversion to function pointer:
> "&geteuid != 0"; did you intend to call the function?
> At conditional (1): "getuid == 0" taking false path
>
> 1379    if (getuid() == 0 || geteuid != 0)
> 1380    {
>
> (and the same again at line 1682)
>
> and sure enough, if Xorg is installed setuid root, the check passes
> incorrectly (since the address of the geteuid function is never NULL).
>
> Easy, non-destructive test - run this as a normal user:
>       Xorg -logfile /etc/foo
> and it creates/overwrites /etc/foo as root.
>
> Since one of the other options protected as such is -modulepath to let you
> load code from strange places, this seems particularly risky.  (-configure
> is also protected this way, but I'm not sure why that is.)

Good catch.  Xorg -logfile /lib/libc.so.6 is also a handy local DoS.

> The fix is simple - change all "geteuid != 0" to include () after geteuid
> in hw/xfree86/common/xf86Init.c.
>
> According to cvsweb, this bug went in on Jan 28 2005, so would only appear
> to be in 6.9/7.0, not 6.8.2 or earlier.
>
> http://webcvs.freedesktop.org/xorg/xc/programs/Xserver/hw/xfree86/common/xf86Init.c?r1=1.16&r2=1.17
>
> Everyone agree this is bad?   How long do we want to allow to coordinate
> fixes before going public?

Very bad, yes.  Four weeks should be enough for all the vendors to get
together and fix their advisories ready, I'd imagine.  So, April 6th, or
even April 13th?

https://bugs.freedesktop.org/show_bug.cgi?id=6213

Cheers,
Daniel
Comment 1 Thomas Biege 2006-03-10 14:42:17 UTC
CVE-2006-0745
Comment 2 Stefan Dirsch 2006-03-10 15:11:09 UTC
https://bugs.freedesktop.org/show_bug.cgi?id=6213

I don't have access to this bugreport. :-(

"You are not authorized to access bug #6213." Maybe it's sufficient to add me to Cc of this bugreport?
Comment 3 Thomas Biege 2006-03-10 15:31:05 UTC
I asked to add you...
Comment 4 Stefan Dirsch 2006-03-10 16:15:01 UTC
Thanks. I'll notice when I've been added to this bugreport. :-)
Comment 5 Thomas Biege 2006-03-13 08:34:27 UTC
Date: Fri, 10 Mar 2006 14:08:09 +0100
From: Matthieu Herrb <matthieu.herrb@laas.fr>
User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)
To: vendor-sec@lst.de
Cc: xorg_security@x.org
Subject: [Xorg_security] X.Org 6.9/7.0 local root - found by coverity
Errors-To: xorg_security-bounces@x.org

Hi

Coverity scanned X.Org source code for problems and reported the results
to us. Among various minor problems, not security related, Alan
Coopersmith noticed that the problem #9482 is more serious, as it
provides a local root. The problem is illustrated by the patch below:

Index: xf86Init.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/hw/xfree86/common/xf86Init.c,v
retrieving revision 1.29
diff -u -u -r1.29 xf86Init.c
--- xf86Init.c  14 Dec 2005 20:12:00 -0000      1.29
+++ xf86Init.c  10 Mar 2006 11:21:37 -0000
@@ -1376,7 +1376,7 @@
     }

   /* First the options that are only allowed for root */
-  if (getuid() == 0 || geteuid != 0)
+  if (getuid() == 0 || geteuid() != 0)
   {
     if (!strcmp(argv[i], "-modulepath"))
     {
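Review bot: the change to `geteuid() != 0` is correct, but the unchanged comment above it, `/* First the options that are only allowed for root */`, now understates what the condition means: the block is also entered when the server is not running setuid at all (real and effective uid both non-zero), which is intended because the options are harmless then, but a reader who takes the comment literally may "fix" the `|| geteuid() != 0` half away again. Suggest rewording the comment to say "only allowed for root, or when the server is not setuid". Coverity flagged exactly two sites; before treating this as complete, grep the whole tree for other `geteuid !=`, `geteuid ==` and similar address-of-function comparisons rather than relying on the two hits.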
@@ -1679,7 +1679,7 @@
   }
   if (!strcmp(argv[i], "-configure"))
   {
-    if (getuid() != 0 && geteuid == 0) {
+    if (getuid() != 0 && geteuid() == 0) {
        ErrorF("The '-configure' option can only be used by root.\n");
        exit(1);
     }
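Review bot: `getuid() != 0 && geteuid() == 0` is the negation of the first hunk's condition written out a second time by hand, and that duplication is how the same typo reached both sites. Suggest one helper returning the "running setuid root for a non-root user" state (for example `static Bool xf86RunningSetuidRoot(void) { return getuid() != 0 && geteuid() == 0; }`, name hypothetical) and using it at both places, so a future mistake can only happen once. The `ErrorF` text and `exit(1)` below the fix match the intended behaviour and need no change.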

Since the address of geteuid() is always non NULL, both conditions are
always true. Thus any user can use the -modulepath, -logfile and
-configure options (which were supposed to be restricted to root).

The -modulepath option makes it possible to load arbitrary modules in
the Xserver that are later executed as root. The -logfile and -configure
options allow local DoS by overwriting any system file.

The vulnerable code was added to X.Org after 6.8.2 was released. So only
X.Org 6.9.0 and 7.0 are affected. No XFree86 version is affected.

This is the X.Org bug #6213 but this entry is marked confidential; only
members of the X.Org security team can access it. We propose to keep it
private until at least April 6th.

--
Matthieu Herrb

Comment 6 Stefan Dirsch 2006-03-13 09:29:32 UTC
Thanks. That's enough information. When am I supposed to fix this problem for STABLE? 10.1 RC1 is scheduled for Fri, Mar 31, so this would be too early. :-(
Comment 7 Thomas Biege 2006-03-13 09:36:35 UTC
The fix in stable should be released on the CRD.

Hm, for RC1 you can include the fix but omit the changelog entry, ok for you?
Comment 8 Stefan Dirsch 2006-03-13 09:41:13 UTC
> The fix in stable should be released on the CRD.

CRD? Typo?

> Hm, for RC1 you can include the fix but omit the changelog entry, ok for 
> you?

Ok. I'll try.
Comment 9 Thomas Biege 2006-03-13 09:50:23 UTC
Sorry.

CRD = Coordinated Release Date
Comment 10 Stefan Dirsch 2006-03-13 11:37:29 UTC
fixed for Beta > 8.
Comment 11 Marcus Meissner 2006-03-13 16:25:02 UTC
is in 10.0 too, added by pc_x-noroot.diff 
Comment 12 Stefan Dirsch 2006-03-13 16:30:42 UTC
Right. :-(
Comment 13 Stefan Dirsch 2006-03-13 16:31:52 UTC
At least 9.3 and older is not affected.
Comment 14 Stefan Dirsch 2006-03-13 18:11:58 UTC
Created attachment 72633 [details]
patchinfo
Comment 15 Stefan Dirsch 2006-03-13 18:12:35 UTC
Thomas, I will need a SWAMPID for the 10.0 update.
Comment 16 Thomas Biege 2006-03-14 07:50:19 UTC
Maintenance-Tracker-3775
Comment 17 Stefan Dirsch 2006-03-14 08:04:16 UTC
Summary: Xorg: root hole in Xorg when installed setuid root
Issue was started by: thomas
Description:
This update of xorg-x11 fixes the incorrect checking of user privileges when it is installed setuid root. This allows local attackers to overwrite files or
even gain root privileges. (CVE-2006-0745)
Comment 18 Stefan Dirsch 2006-03-14 08:04:51 UTC
Created attachment 72709 [details]
patchinfo
Comment 19 Stefan Dirsch 2006-03-14 08:07:36 UTC
patchinfo file submitted.

--> /work/src/done/PATCHINFO/patchinfo.xorg-x11

Reassigning to Thomas for ACR (=A Coordinated Release).
Comment 20 Thomas Biege 2006-03-15 12:39:36 UTC
Date: Wed, 15 Mar 2006 13:30:35 +0100
From: Matthieu Herrb <matthieu.herrb@laas.fr>
User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)
To: vendor-sec@lst.de
Cc: xorg_security@x.org, Matthieu Herrb <matthieu.herrb@laas.fr>
Subject: [Xorg_security] Re: [vendor-sec] X.Org 6.9/7.0 local root - found
        by coverity
Errors-To: xorg_security-bounces@x.org

Matthieu Herrb wrote:
>Hi
>
>Coverity scanned X.Org source code for problems and reported the results
>to us. Among various minor problems, not security related, Alan
>Coopersmith noticed that the problem #9482 is more serious, as it
>provides a local root.
[...]

>
>This is the X.Org bug #6213 but this entry is marked confidential; only
>members of the X.Org security team can access it. We propose to keep it
>private until at least April 6th.
>

After discussion among X.Org security team (which has representative of
many vendors) it appears that not too many vendors already ship X.Org
6.9/7.0 (previous version are *not* affected) and that for many of them
an earlier disclosure date would be better.

Fedora project is going to release FC5 on March 20, but they'll start to
push the packages to their mirrors tomorrow, Thursday 16. So this should
be considered as public starting at this date.

--
Matthieu Herrb
Comment 21 Thomas Biege 2006-03-15 12:41:47 UTC
Changed CRD in swamp.
Comment 22 Thomas Biege 2006-03-16 14:44:30 UTC
From: Matthieu Herrb <matthieu.herrb@laas.fr>
User-Agent: Mail/News  (X11/20060302)
To: xorg_security@x.org, vendor-sec@lst.de
Cc: Jesse Keating <jkeating@j2solutions.net>,
        Matthieu Herrb <matthieu.herrb@laas.fr>
Subject: Re: [vendor-sec] X.Org 6.9/7.0 local root - found by coverity
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 16 Mar 2006 15:38:01 +0100

Jesse Keating wrote:
>On 03/15/2006 Matthieu Herrb wrote:
>
>>Fedora project is going to release FC5 on March 20, but they'll start to
>>push the packages to their mirrors tomorrow, Thursday 16. So this should be
>>considered as public starting at this date.
>
>
>That's actually not true.  We were hoping to, but we just didn't get
>enough communication in time.  We will be releasing this as a 0-day
>update for Fedora, but it will not make the shipping CDs.
>
So back to March 20, 14:00 UTC for the official disclosure, or did
someone already disclose it today?
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 23 Thomas Biege 2006-03-20 14:12:31 UTC
From: Daniel Stone <daniel@fooishbar.org>
To: xorg@lists.freedesktop.org
Cc: vendor-sec@lst.de, bugtraq@securityfocus.com
Mail-Followup-To: xorg@lists.freedesktop.org, vendor-sec@lst.de,
        bugtraq@securityfocus.com
User-Agent: Mutt/1.5.11
Subject: [vendor-sec] [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 20 Mar 2006 16:00:58 +0200


X.Org Security Advisory, March 20th 2006
Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
and X11R7.0
CVE-ID: CVE-2006-0745


Overview:

During the analysis of results from the Coverity code review of X.Org,
we discovered a flaw in the server that allows local users to execute
arbitrary code with root privileges, or cause a denial of service by
overwriting files on the system, again with root privileges.


Vulnerability details:

When parsing arguments, the server takes care to check that only root
can pass the options -modulepath, which determines the location to load
many modules providing server functionality from, and -logfile, which
determines the location of the logfile.  Normally, these locations
cannot be changed by unprivileged users.

This test was changed to test the effective UID as well as the real UID
in X.Org.  The test is defective in that it tested the address of the
geteuid function, not the result of the function itself.  As a result,
given that the address of geteuid() is always non-zero, an unprivileged
user can load modules from any location on the filesystem with root
privileges, or overwrite critical system files with the server log.


Affected versions:

xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
of X11R7.0, is vulnerable.
X11R6.9.0, and all release candidates, are vulnerable.
X11R6.8.2 and earlier versions are not vulnerable.

To check which version you have, run Xorg -version:
% Xorg -version
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[...]


Fix:

Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
X11R7 tree:
80db6a3ab76334061ec6102e74ef5607          xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91  xorg-server-1.0.1-geteuid.diff
http://xorg.freedesktop.org/releases/X11R7.0/patches/

Alternately, xorg-server 1.0.2 has been released with this and other
code fixes:
5cd3316f07ed32a05cbd69e73a71bc74          xorg-server-1.0.2.tar.bz2
b2257e984c5111093ca80f1f63a7a9befa20b6c0  xorg-server-1.0.2.tar.bz2
f44f0f07136791ed7a4028bd0dd5eae3          xorg-server-1.0.2.tar.gz
3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3  xorg-server-1.0.2.tar.gz
http://xorg.freedesktop.org/releases/individual/xserver/

Apply the patch below to the X.Org server as distributed with X11R6.9:
de85e59b8906f76a52ec9162ec6c0b63          x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860  x11r6.9.0-geteuid.diff
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/


Thanks:

We would like to thank Coverity for the use of their Prevent code audit
tool, which discovered this particular flaw.

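The defect described in Alan's report in the Description above and in the advisory's "Vulnerability details" section, modelled in C so both the vulnerable and the corrected check can be exercised side by side. This is an added example, not X.Org code: the real/effective uid are passed in as parameters so an unprivileged user running a setuid-root server can be simulated without installing one, the argv loop and the OPT_* bitmask are a hypothetical stand-in for the server's real option parser, and the command line in demo_mask() is constructed for the demonstration (it mirrors the report's `-logfile /etc/foo` test plus the two other gated options).

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Bitmask returned by honoured_options(): which gated options got through. */
enum { OPT_MODULEPATH = 1, OPT_LOGFILE = 2, OPT_CONFIGURE = 4 };

/* Vulnerable form of the xf86Init.c check: "geteuid != 0" compares the
 * ADDRESS of geteuid with 0.  A function's address is never null, so the
 * right-hand side is always true and the effective uid is never consulted. */
static int root_options_allowed_vulnerable(uid_t uid, uid_t euid)
{
    (void)euid;                      /* ignored: that is the bug */
    return uid == 0 || geteuid != 0; /* always true */
}

/* Fixed form: the function is called and its result compared.  The block is
 * entered for real root, or when the server is not running setuid at all
 * (euid != 0), where the options cannot gain anything. */
static int root_options_allowed_fixed(uid_t uid, uid_t euid)
{
    return uid == 0 || euid != 0;
}

/* Same mistake at the -configure site: "geteuid == 0" is always false, so
 * the "only root may use -configure" refusal never fires. */
static int configure_refused_vulnerable(uid_t uid, uid_t euid)
{
    (void)euid;
    return uid != 0 && geteuid == 0; /* always false */
}

static int configure_refused_fixed(uid_t uid, uid_t euid)
{
    return uid != 0 && euid == 0;
}

/* Hypothetical stand-in for the server's argv loop: returns which of the
 * three root-only options would be honoured for a process with the given
 * real/effective uid, using the vulnerable (fixed == 0) or fixed check. */
static int honoured_options(int argc, char **argv, uid_t uid, uid_t euid, int fixed)
{
    int allowed = fixed ? root_options_allowed_fixed(uid, euid)
                        : root_options_allowed_vulnerable(uid, euid);
    int refuse  = fixed ? configure_refused_fixed(uid, euid)
                        : configure_refused_vulnerable(uid, euid);
    int mask = 0;

    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-modulepath") == 0 && i + 1 < argc) {
            if (allowed) mask |= OPT_MODULEPATH;
            i++;                     /* skip the path argument */
        } else if (strcmp(argv[i], "-logfile") == 0 && i + 1 < argc) {
            if (allowed) mask |= OPT_LOGFILE;
            i++;
        } else if (strcmp(argv[i], "-configure") == 0) {
            if (!refuse) mask |= OPT_CONFIGURE;
        }
    }
    return mask;
}

/* Constructed command line: the report's -logfile test plus the two other
 * gated options.  7 means all three were honoured, 0 means all refused. */
static int demo_mask(uid_t uid, uid_t euid, int fixed)
{
    char *argv[] = { "Xorg", "-modulepath", "/tmp/attacker-modules",
                     "-logfile", "/etc/foo", "-configure" };
    return honoured_options(6, argv, uid, euid, fixed);
}

/* What the corrected check says about the process actually running this. */
static int root_options_allowed_here(void)
{
    return root_options_allowed_fixed(getuid(), geteuid());
}

int main(void)
{
    /* Unprivileged user (uid 1000) running a setuid-root server (euid 0). */
    printf("setuid root, vulnerable check: mask %d\n", demo_mask(1000, 0, 0));
    printf("setuid root, fixed check:      mask %d\n", demo_mask(1000, 0, 1));
    printf("not setuid, fixed check:       mask %d\n", demo_mask(1000, 1000, 1));
    printf("this process: root-only options %s\n",
           root_options_allowed_here() ? "allowed" : "refused");
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c` and run as any user. With -Wall, gcc and clang both warn that the address of geteuid is being compared with 0 (always true / always false), which is the cheap compile-time check that would have caught this before the Coverity scan; the warning is the reason to treat address-of-function comparisons as errors in a setuid program's build.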
Comment 24 Thomas Biege 2006-03-20 14:16:07 UTC
packages approved
Comment 25 Thomas Biege 2009-10-13 23:01:17 UTC
CVE-2006-0745: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)