Opened 5 years ago

Closed 5 years ago

#11284 closed enhancement (fixed)

xorg-server-1.20.3 (CVE-2018-14665, local file overwrite)

Reported by: Douglas R. Reno Owned by: ken@…
Priority: high Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version. Security release:

X.Org security advisory: October 25, 2018

Privilege escalation and file overwrite in X.Org X server 1.19 and later
========================================================================

Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary files overwrite, when the
X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).

The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing to
execute unprivileged code in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.

This issue has been assigned CVE-2018-14665

Background
==========

The commit
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which
first appeared in xorg-server 1.19.0 introduced a regression in the
security checks performed for potentially dangerous options, enabling
the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege
elevation since it's possible to control some part of the written log
file, for example using the -fp option to set the font search path
(which is logged) and thus inject a line that will be considered as
valid by some systems.

Patches
=======

A patch for the issue was added to the xserver repository on
October 25, 2018.

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

Workaround
==========

If a patched version of the X server is not available, X.Org
recommends to remove the setuid bit (ie chmod 755) of the installed
Xorg binary.  Note that this can cause issues if people are starting
the X window system using the 'startx', 'xinit' commands or variations
thereof.

X.Org recommends the use of a display manager to start X sessions,
which does not require Xorg to be installed setuid.

Thanks
======

X.Org thanks Narendra Shinde who discovered and reported the issue,
and the Red Hat Product Security Team who helped understand all
impacts.
Fixes CVE-2018-14665 (local file overwrite bugs), and a trivial fix in
fbdevhw initialization. All users are advised to upgrade. Thanks to
Narendra Shinde and Thomas Hoger for the report, and Matthieu Herrb for
the fix.

Adam Jackson (1):
      xserver 1.20.3

Matthieu Herrb (2):
      Disable -logfile and -modulepath when running with elevated privileges
      LogFilePrep: add a comment to the unsafe format string.

Peter Hutterer (1):
      xfree86: fix readlink call

Change History (4)

comment:2 by Douglas R. Reno, 5 years ago

From Twitter:

"@hackerfantastic

#CVE-2018-14665 - a LPE exploit via X.org fits in a tweet

cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1; su

Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected."

comment:3 by ken@…, 5 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:4 by ken@…, 5 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.