X.Org Server geteuid -modulepath and -logfile privilege escalation
| xorg-geteuid-privilege-escalation (25341) |
Description:
X.Org (xorg-server) could allow a local attacker to gain elevated privileges on the system, caused by a vulnerability in the geteuid function. An attacker could exploit this vulnerability to bypass security restrictions and load modules from any location on the system using the -modulepath or the -logfile argument, allowing the attacker to execute arbitrary code or overwrite arbitrary files on the system with root privileges.
Platforms Affected:
- MandrakeSoft, Mandrake Linux 2006 X86_64
- MandrakeSoft, Mandrake Linux 2006
- Sun, Solaris 10 x86
- SuSE, SuSE Linux 10.0
- Turbolinux, Turbolinux 10 Desktop
- Turbolinux, Turbolinux 10 F...
- Turbolinux, Turbolinux 10 Server
- Turbolinux, Turbolinux 10 Server x64 Ed
- Turbolinux, Turbolinux Home
- Turbolinux, Turbolinux Multimedia
- Turbolinux, Turbolinux Personal
- X.Org, X.Org Server 1.0.0
- X.Org, X.Org Server 1.0.1
- X.Org, X.Org Server X11R6.9.0
- X.Org, X.Org Server X11R7.0
Remedy:
Upgrade to the latest version of xorg-server (1.0.2 or later), or apply the appropriate patch for your system, available from the X.Org Foundation Web site. See References.
For Sun Solaris:
Refer to Sun Alert ID: 102252 for patch, upgrade, or suggested workaround information. See References.
For Mandrivalinux:
Refer to Mandriva Security Advisory MDKSA-2006:056 for patch, upgrade, or suggested workaround information. See References.
For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:016 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for patch or upgrade information.
Consequences:
Gain Privileges
References:
- BugTraq Mailing List, 2006-03-20 14:00:58, [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0 at http://marc.theaimsgroup.com/?l=bugtraq&m=114288053928181&w=2.
- Sun Alert ID: 102252, Security Vulnerabilities found in the Xorg(1) X11R6.9 and X11R7.0 Server at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102252-1.
- X.Org Foundation Web site, X11R6.9.0 Source Patches at http://xorg.freedesktop.org/releases/X11R6.9.0/patches/.
- X.Org Foundation Web site, Index of /releases/individual/xserver at http://xorg.freedesktop.org/releases/individual/xserver/.
- X.Org Foundation Web site, X11R7.0 Source Patches at http://xorg.freedesktop.org/releases/X11R7.0/patches/.
- BID-17169: X.Org X Window Server Local Privilege Escalation Vulnerability
- CVE-2006-0745: X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.
- MDKSA-2006:056: Updated xorg-x11 packages to address local root vuln
- OSVDB ID: 24000: X.Org / X11 -modulepath Parameter Privileged Code Execution
- OSVDB ID: 24001: X.Org / X11 -logfile Parameter Arbitrary File Overwrite
- SA19307: X.Org X11 User Privilege Checking Security Bypass
- SA19676: Avaya CMS / IR Sendmail Memory Corruption Vulnerability
- SECTRACK ID: 1015793: X.Org Server `-modulepath` and `-logfile` Parameter Privilege Validation Error Lets Local Users Gain Root Privileges
- SUSE-SA:2006:016: xorg-x11-server local privilege escalation
- SUSE-SR:2006:006: SUSE Security Summary Report
Reported:
Mar 20, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
