MCI Telecommunications internetMCI Security Group Report Title: iMCI MIIGS Security Alert Report Name: libX11 Vulnerabilities Report Number: iMCISE:IMCISNI:022597:01:P1R1 Report Date: 02/25/97 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) -------------------------------------------------------------------------- ###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory February 24, 1997 Environment Variable Problems in X11 While examining the differences between X11R6.1 and X11R6.3, it has come to our attention that a number of serious security problems in libX11 were fixed between releases. These problems permit unprivileged users to obtain elevated access, including group sys, group kmem, and root privileges, depending on the operating system and the X11 release. Administrators should be aware that these problems are actively being exploited, and should take the precautions outlined below to ensure they are not susceptible to these problems. Technical Details ~~~~~~~~~~~~~~~~~ In X11R6.1 and earlier, there are many places where libX11 looks at environment variables, and then performs string operations on them. X11R6.1 and earlier, however, perform no bounds checking when doing these string operations. Setuid and setgid programs which use functions provided by libX11 may allow users to obtain elevated privileges. One of the many examples of flawed code in X11R6.1, in this case from GetDflt.c reads: if (ptr = getenv("HOME")) (void) strcpy(dest, ptr); While the corrected code for this particular exammple in X11R6.3 reads: if (ptr = getenv("HOME")) { (void) strncpy(dest, ptr, len); dest[len-1] = '\0'; Note that this code correctly adds a null character at the end of the string after the strncpy. Impact ~~~~~~ Depending on platform and X11 release, individuals with shell access can obtain elevated access, including group sys, group kmem, and root privileges. Vulnerable Systems ~~~~~~~~~~~~~~~~~~ Any system which is running X11R6.1 or earlier, and has at least one setuid or setgid program which uses libX11 is vulnerable. You can perform a simple test to determine whether your system is vulnerable. First, set the HOME environment variable to a string at least 2500 characters long. Using a sh compatible shell, do this by issuing the commands: $ HOME=jjjjjjj...jjjjj (2500 repititions of 'j') $ export HOME Using csh or tcsh, use the command: % setenv HOME jjjjj...jjjjjjj (2500 repititions of 'j') Then, run a setuid or setgid X program, such as xload. If you are running a vulnerable release of X11, you will get an error message including either the words "Segmentation Fault" or "Bus error." If the words "Segmentation Fault" and "Bus Error" do not appear, and the program operates correctly, you are not vulnerable to this problem. Be aware that if you use a string much shorter than 2500 characters, this test will not produce meaningful results, because the length of the buffer in question is 2048 characters. Also, if your DISPLAY environment variable does not point to a display which you have authorization to connect to, the test will not be able to connect to a valid display and therefore will not work. Fix Information ~~~~~~~~~~~~~~~ To fix these problems without loss of functionality, upgrade to the current release of X11. You can obtain X11R6.3 by referring to http://www.x.org/consortium/GettingX.html As an alternative workaround, administrators may want to remove setuid and setgid bits from vulnerable programs. To find all setuid and setgid programs, in the X11 distribution, the following command can be executed: % cd /usr/X11/bin % find . \( -perm -02000 -o -perm -04000 \) -exec ls -l {} \; % find . \( -perm -02000 -o -perm -04000 \) -exec chmod ug-s {} \; Remember to perform the same command if you wish to remove permissions from programs stored in other system directories. Keep in mind that that the use of this workaround will result in reduced functionality for non-root users. Additional Information ~~~~~~~~~~~~~~~~~~~~~~ If you have any questions about this advisory, feel free to contact me, David Sacerdote, at davids@secnet.com. If you should wish to encrypt traffic for me, my pgp key is: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku 8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+ =LtL9 -----END PGP PUBLIC KEY BLOCK----- Many thanks to the unknown individual who undertook to fix this set of holes in the final days of the X Consortium. Additional information about the X Windowing System can be found at http://www.x.org You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories You can browse our web site at http://www.secnet.com You can subscribe to our security advisory mailing list by sending mail to majordomo@secnet.com with the line "subscribe sni-advisories" in the body of the message. Copyright Notice ~~~~~~~~~~~~~~~~ The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.