X.Org Server geteuid -modulepath and -logfile privilege escalation

xorg-geteuid-privilege-escalation (25341) The risk level is classified as HighHigh Risk

Description:

X.Org (xorg-server) could allow a local attacker to gain elevated privileges on the system, caused by a vulnerability in the geteuid function. An attacker could exploit this vulnerability to bypass security restrictions and load modules from any location on the system using the -modulepath or the -logfile argument, allowing the attacker to execute arbitrary code or overwrite arbitrary files on the system with root privileges.


Consequences:

Gain Privileges

Remedy:

Upgrade to the latest version of xorg-server (1.0.2 or later), or apply the appropriate patch for your system, available from the X.Org Foundation Web site. See References.

For Sun Solaris:
Refer to Sun Alert ID: 102252 for patch, upgrade, or suggested workaround information. See References.

For Mandrivalinux:
Refer to Mandriva Security Advisory MDKSA-2006:056 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:016 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

References:

  • BugTraq Mailing List, 2006-03-20 14:00:58: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0.
  • Sun Alert ID: 102252: Security Vulnerabilities found in the Xorg(1) X11R6.9 and X11R7.0 Server.
  • X.Org Foundation Web site: X11R6.9.0 Source Patches.
  • X.Org Foundation Web site: Index of /releases/individual/xserver.
  • X.Org Foundation Web site: X11R7.0 Source Patches.
  • BID-17169: X.Org X Window Server Local Privilege Escalation Vulnerability
  • CVE-2006-0745: X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.
  • MDKSA-2006:056: Updated xorg-x11 packages to address local root vuln
  • OSVDB ID: 24000: X.Org / X11 -modulepath Parameter Privileged Code Execution
  • OSVDB ID: 24001: X.Org / X11 -logfile Parameter Arbitrary File Overwrite
  • SA19307: X.Org X11 User Privilege Checking Security Bypass
  • SA19676: Avaya CMS / IR Sendmail Memory Corruption Vulnerability
  • SECTRACK ID: 1015793: X.Org Server `-modulepath` and `-logfile` Parameter Privilege Validation Error Lets Local Users Gain Root Privileges
  • SUSE-SA:2006:016: xorg-x11-server local privilege escalation
  • SUSE-SR:2006:006: SUSE Security Summary Report

Platforms Affected:

  • MandrakeSoft Mandrake Linux 2006
  • MandrakeSoft Mandrake Linux 2006 X86_64
  • Sun Solaris 10 x86
  • SUSE SuSE Linux 10.0
  • Turbolinux Turbolinux 10 Desktop
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux 10 Server
  • Turbolinux Turbolinux 10 Server x64 Ed
  • Turbolinux Turbolinux Home
  • Turbolinux Turbolinux Multimedia
  • Turbolinux Turbolinux Personal
  • X.Org X.Org Server 1.0.0
  • X.Org X.Org Server 1.0.1
  • X.Org X.Org Server X11R6.9.0
  • X.Org X.Org Server X11R7.0

Reported:

Mar 20, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page