Author Topic: X.org 6.9 - 7.x root exploit  (Read 5364 times)

0 Members and 1 Guest are viewing this topic.

Offline SecretShop

  • Newbie
  • *
  • Posts: 18
    • View Profile
X.org 6.9 - 7.x root exploit
« on: May 04, 2006, 03:01:19 am »
Because in the C language it is not necessary to add syntax to refrence a function my memory address the line
if (geteuid == 0) {  made it into the X code.  This statement compares the memory address of the geteuid function with zero (NULL in ansi C) and returns false always.  Because of this, X does not check the effective uid properly and is therefore vunerable to exploitation on versions of the system where the bug has not been corrected.  It should state :
if (geteuid() == 0) to determine if the user is root or not by effective user id.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: X.org 6.9 - 7.x root exploit
« Reply #1 on: May 04, 2006, 08:07:15 am »
I don't think I see the implications of that. 

Why would they be running X as root in the first place?  Running a program like X, which is designed to be run as a user, as root, it just asking for something bad to happen. 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: X.org 6.9 - 7.x root exploit
« Reply #2 on: May 04, 2006, 04:45:04 pm »
Because in the C language it is not necessary to add syntax to refrence a function my memory address the line
if (geteuid == 0) {  made it into the X code.  This statement compares the memory address of the geteuid function with zero (NULL in ansi C) and returns false always.  Because of this, X does not check the effective uid properly and is therefore vunerable to exploitation on versions of the system where the bug has not been corrected.  It should state :
if (geteuid() == 0) to determine if the user is root or not by effective user id.

Ahh, another failure of the haphazard typing of C.

Why would they be running X as root in the first place?  Running a program like X, which is designed to be run as a user, as root, it just asking for something bad to happen. 
Because they don't know any better?  Remember iago, if you want Linux to be used by the masses, you need to dumb it down for them.

Besides that, I regularly run X stuff while I'm su-ing to edit .conf files.  X as me->Term->su->emacs (which launches xemacs). 

Now not knowing where this kind of code is, I can't say whether that kind of root running would be affected.  I'm just saying, sometimes you're in X as root.  (Is your security context associated on a per-thread basis, like in Windows?)
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: X.org 6.9 - 7.x root exploit
« Reply #3 on: May 04, 2006, 05:30:21 pm »
Now not knowing where this kind of code is, I can't say whether that kind of root running would be affected.  I'm just saying, sometimes you're in X as root.  (Is your security context associated on a per-thread basis, like in Windows?)

He meant you're running the X Window System in whole as root. Not just a window.

IIRC, this code is in the basis of the X, not just a program/window itself.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: X.org 6.9 - 7.x root exploit
« Reply #4 on: May 04, 2006, 05:53:07 pm »
I read more about this, and I was mistaken.  Xorg is setUID and runs in root context, so this could indeed be a big problem.  My bad there. 

Because they don't know any better?  Remember iago, if you want Linux to be used by the masses, you need to dumb it down for them.
The default configuration is usually what people use, and I didn't think it was root by default.  It is, and it is by necessity, I made a mistake.

Besides that, I regularly run X stuff while I'm su-ing to edit .conf files.  X as me->Term->su->emacs (which launches xemacs). 

Now not knowing where this kind of code is, I can't say whether that kind of root running would be affected.  I'm just saying, sometimes you're in X as root.  (Is your security context associated on a per-thread basis, like in Windows?)
I'm not sure exactly how X works, but I don't think running a GUI-based program as root is the same.  When a program runs, it contacts X as a client, it's not actually run BY X.  That's a huge difference from Windows. 

I think that Linux does security per-process.  However, Linux is much more process-happy than Windows, and is fairly thread-hostile.  Spawning a process on Linux is extremely cheap. 

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: X.org 6.9 - 7.x root exploit
« Reply #5 on: May 04, 2006, 06:25:24 pm »
There's a Slashdot article somewhere around saying it was found by some machine or w/e. I not totally concerned since it was patched and I believe I am patched as well.
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: X.org 6.9 - 7.x root exploit
« Reply #6 on: May 04, 2006, 07:40:52 pm »
There's a Slashdot article somewhere around saying it was found by some machine or w/e. I not totally concerned since it was patched and I believe I am patched as well.
Yeah, the US Government developed a program for scanning software (particularly opensource) for vulnerabilities.  They've found plenty of vulnerabilities in Linux, X, Ethereal, and others. 

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: X.org 6.9 - 7.x root exploit
« Reply #7 on: May 05, 2006, 05:15:24 pm »
Why would they be running X as root in the first place?

Ubuntu's gdm (Gnome Desktop Manager) is run as root, then allows the user to log in through a "welcome screen", sort of like Windows XP.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline cheeseisfun

  • Full Member
  • ***
  • Posts: 102
    • View Profile
Re: X.org 6.9 - 7.x root exploit
« Reply #8 on: March 20, 2007, 09:20:31 pm »
There's a Slashdot article somewhere around saying it was found by some machine or w/e. I not totally concerned since it was patched and I believe I am patched as well.
Yeah, the US Government developed a program for scanning software (particularly opensource) for vulnerabilities.  They've found plenty of vulnerabilities in Linux, X, Ethereal, and others. 

Are you talking about fuzzers? There are many fuzzers, and I don't know of one that was developed by the government. What is it called?

Why would they be running X as root in the first place?

Ubuntu's gdm (Gnome Desktop Manager) is run as root, then allows the user to log in through a "welcome screen", sort of like Windows XP.

Ok... that's neat.

Sorry for bumping this thread, btw.