From ksrt@KSRT.ORG Sat Jul 3 04:51:58 1999 From: "KSR[T] Contact Account" X-Sender: ksrt@datil.dec.net To: BUGTRAQ@netspace.org Date: Sat, 26 Jun 1999 15:40:54 -0400 Subject: KSR[T] #011: Accelerated-X KSR[T] Advisory #011 Date: June 25, 1999 ID #: accelx-bo-011 Affected Program: Xi Graphics, Inc.'s Accelerated-X Server 4.x, 5.x (and possibly earlier versions). Author: Jordan Ritter Operating System(s): UNIX (Linux, FreeBSD, Solaris/x86, SCO) Summary: Local users can gain administrative privileges by exploiting multiple buffer overflows (stack overwrites) in the Accelerated-X X server. Problem Description: Accelerated-X Server is a commercial X server available from http://www.xig.com/. By default, the X server is installed setuid root so that when it is executed by a user it still retains enough privilege to load drivers, manipulate the display, and log information. However, due to insufficient bounds checking on command-line parameters, an attacker can overflow the X server by specifying a 48 byte display string, or through a long string passed into the -query command line parameter. Compromise: Local users that can execute the Accelerated-X Xserver can obtain root privileges. Notes: We would like to thank Chris Evans for pointing out the -query buffer overflow as well as additional security holes relating to command line parameters. Patch/Fix: For AccelX 5.x: XiG has made a patch available for 5.0.1 which corrects these and other potential command line interface security holes. Users running 5.0.0 have to apply the 5.0.1 patch prior to applying the 5.0.2 patch. The patch is available at ftp://ftp.xig.com/pub/updates. For AccelX 4.x: Patch will be made available shortly. An interim solution is to use an X server wrapper, or to limit access to the Xaccel binary via a special group. The upcoming release of Maximum CDE 2.1 comes with the 5.0.2 X Server, and is not vulnerable to these attacks.