X.Org security advisory: root hole via rogue hostname

[Posted April 5, 2011 by ris]

From:		Matthias Hopf <mhopf-AT-suse.de>
To:		xorg-announce-AT-lists.freedesktop.org
Subject:		[ANNOUNCE] X.Org security advisory: root hole via rogue hostname
Date:		Tue, 5 Apr 2011 18:53:26 +0200
Message-ID:		<20110405165326.GA1986@suse.de>
Cc:		xorg-AT-lists.freedesktop.org
Archive‑link:		Article

X.Org security advisory, April 5th, 2011
root hole via rogue hostname
CVE ID: CVE-2011-0465


Overview
--------

By crafting hostnames with shell escape characters, arbitrary commands
can be executed in a root environment when a display manager reads in
the resource database via xrdb.

These specially crafted hostnames can occur in two environments:

  * Hosts that set their hostname via DHCP
  * Hosts that allow remote logins via xdmcp


Impact
------

Arbitrary (short) commands can be executed as root on affected hosts.
With some display managers a working login is required (resource
database is read upon login), with others no working login is required
(resource database is read upon display manager start as well).

Only systems are affected that

 1) set their hostname via DHCP, and the used DHCP client allows setting
    of hostnames with illegal characters
or

 2) allow remote logins via xdmcp


1) requires either physical access to the network, or administrative
   access to the running DHCP server.
2) does not require physical access, if a regular account on a machine
   accepted by xdmcp is available, but describes a case that is
   considered insecure nowadays.


Affected versions
-----------------

xrdb up to including 1.0.8
X11R7.6 (latest release) includes xrdb 1.0.7


Fix
---

This issue has been fixed with git commit
  1027d5df07398c1507fb1fe3a9981aa6b4bc3a56

http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027...

A fix of this vulnerability is included in xrdb 1.0.9.


This issue was found by Sebastian Krahmer from the SUSE security team.


Thanks

Matthias Hopf <mhopf@suse.de>

_______________________________________________
xorg-announce mailing list
xorg-announce@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/xorg-announce

X.Org security advisory: root hole via rogue hostname

Posted Apr 5, 2011 20:29 UTC (Tue) by SEJeff (guest, #51588) [Link] (5 responses)

This is why kernel mode settings + running X as an unprivileged user will be a blessing. It will also prevent the OpenBSD guys like Theo from ragging on Linux because X is so insecure and runs as root.

X.Org security advisory: root hole via rogue hostname

Posted Apr 5, 2011 22:27 UTC (Tue) by acoopersmith (subscriber, #72107) [Link] (1 responses)

None of that will make a difference, since this vulnerability is in the X11 client side code run by the display manager (xdm, gdm, etc.) which is running as root so it can ask you for your username and password, check those (possibly against the root-only-readable /etc/shadow) and if successful, setuid() to your uid to run your session.

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 6:27 UTC (Wed) by wahern (subscriber, #37304) [Link]

It's worth nothing that OpenBSD uses BSDAuth, not PAM. Unlike PAM, a program doesn't need root permissions to authenticate against the local passwords. PAM uses shared libraries and thus operates with the credentials of the calling process, whereas BSDAuth uses tiny executable commands in /usr/libexec/auth (with set-user-id root, but requiring auth group to execute). OpenBSD is really rigorous about creating a unique user and group for every little service and role. This helps to mitigate privilege escalation attacks.

But that only solves one of the two issues. You still need root to setuid(). But OpenSSH, for example, uses a multiple process model to isolate the privileged process; and it's the unprivileged process that does network I/O. Theoretically XDM could be setup similarly, so that only an unprivileged fork runs all the startup rc code and interacts with the environment, asking the privileged process to create a new user session when necessary. AFAIK the OpenBSD folks haven't hacked XDM to do this, but they use this multi-process model for all of their new services that require preservation of root credentials (excepting simple authentication, which is solved by BSDAuth).

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 9:25 UTC (Wed) by gowen (guest, #23914) [Link] (2 responses)

Maybe I'm odd, but most of the files about which I care the most are readable and writable by me, rather than by root. If an exploit can

'rm -rf $HOME/*'

it can do severe damage to me (modulo backups), and I don't care that it can't

'rm -rf /'

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 11:47 UTC (Wed) by Karellen (subscriber, #67644) [Link]

Yes, but the files which are readable and writeable by you are a subset of those readable and writeable by root. If only files readable and writeable by you can get deleted/modified, that's less damage, and easier to clean up, than if all files can get deleted/modified.

Further, any exploit could do

"rm -rf /"

The one owned by you instead of root will end up doing the exact equivalent of

"rm -rf $HOME/*"

plus probably a bit more damage, even though it can't delete your whole system. The advantage is that it's limited to *only* your files, and not the whole system.

Also, the files which you care about, and are readable and writeable by you, are not the files which anyone else who uses that computer cares about, e.g. partner, kids, guests. So if you manage to get exploited and all your files are deleted, that's still a win for e.g. your partner. More importantly to you, if your partner gets exploited, all *your* files are still safe.

Finally, it's easier to restore just your home dir from backup than it is to reformat, reinstall your whole OS, including packaged applications (do you have a backup not only of /home, but also a list of which packages were installed, and all your changes to /etc?) and then anything you might have manually put in /usr/local, and *then* restore your home dir from backup.

This is why kernel mode settings + running X as an unprivileged user *will* be a blessing.

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 12:17 UTC (Wed) by SEJeff (guest, #51588) [Link]

Preventing "rm -rf $HOME" is what Mandatory Access control such as SELinux, Tomoyo, or AppArmor were designed to prevent.

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 0:52 UTC (Wed) by Hausvib6 (guest, #70606) [Link] (1 responses)

Since this is X, this bug has existed for years (or decades)?

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 4:56 UTC (Wed) by branden (guest, #7029) [Link]

xrdb is not code that sees a lot of churn. I'd guess "yes".

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 5:07 UTC (Wed) by mikachu (guest, #5333) [Link] (6 responses)

or, you know, you could just use execve() instead of system() and not worry about shell characters at all.

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 6:57 UTC (Wed) by daniels (subscriber, #16193) [Link] (4 responses)

... or just not have your hostname be host-$(echo>/dev/sda) in the first place. If you cannot trust your DHCP server, you're already in fourteen different kinds of trouble, and this is probably the least of your worries.

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 7:39 UTC (Wed) by osma (subscriber, #6912) [Link] (3 responses)

I was first thinking that untrusted DHCP servers are used in many places, such as public wireless networks. But apparently this only affects hosts that set their hostname based on DHCP information. I haven't seen any typical Linux laptops do that, the hostname is usually set in a configuration file. Are there widely-used distributions or setups where this could be a problem, that is, machines that often use random DHCP servers and do set their hostname based on DHCP?

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 11:00 UTC (Wed) by JanC_ (guest, #34940) [Link] (1 responses)

Environments where the same system image is used to boot many machines (e.g. when netbooting)? I'm sure not all of these environments (can or do) filter out all rogue DHCP traffic...

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 11:14 UTC (Wed) by daniels (subscriber, #16193) [Link]

If you don't trust the DHCP server you're netbooting from, you have much bigger problems. Such as your rootfs being whatever the attacker wants it to be.

X.Org security advisory: root hole via rogue hostname

Posted Apr 7, 2011 7:00 UTC (Thu) by Gollum (guest, #25237) [Link]

OS X does it, at any rate :-)

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 9:12 UTC (Wed) by mikachu (guest, #5333) [Link]

I like the new addescapedstring which half-heartedly removes some metacharacters but leaves others. Also that addtokstring checks to see *s != '_' before setting *c to '_' and instead sets it to *s.

$ xrdb -I'.;echo hello > nice;:' -n .Xdefaults >& /dev/null; cat nice
hello

Also, what a great idea to replace random characters in user input with underscores. Why shouldn't I be allowed to include a dir called *~$;foobar? (Note that this faulty function isn't used for the hostname stuff which the vuln was about though.)

X.Org security advisory: root hole via rogue hostname

Posted Apr 6, 2011 13:59 UTC (Wed) by nkttm (guest, #74115) [Link]

I didn't get the patch. It fixes AddDef(defs, "CLIENTHOST", client) but strips checks here:

static void
-AddSimpleDef(String *buff, char *title)
+AddDefTok(String *buff, char *prefix, char *title)
{
- AddDef(buff, title, (char *)NULL);
+ char name[512];
+
+ snprintf(name, sizeof(name), "%s%s", prefix, title);
+ AddSimpleDef(buff, name);
}

So, the same problem will be here:
AddDefTok(defs, "CLNT_", client);