Subject: xsrc/7281: XFree86 and /tmp/.X11-unix permissions
To: None <gnats-bugs@gnats.netbsd.org>
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
List: netbsd-bugs
Date: 03/29/1999 19:24:14
>Number:         7281
>Category:       xsrc
>Synopsis:       XFree86 and /tmp/.X11-unix permissions
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Mar 29 09:35:01 1999
>Last-Modified:
>Originator:     Hubert Feyrer
>Organization:
Hubert Feyrer <hubertf@channel.regensburg.org>
>Release:        <10 days old
>Environment:
	
System: NetBSD rfhpc8002 1.3K NetBSD 1.3K (YUI) #13: Tue Mar 23 13:13:06 MET 1999 feyrer@rfhpc8002:/usr/cvs/src/sys/arch/i386/compile/YUI i386


>Description:
	From Freshmeat.net:

  A new vulnerability has been found in XFree86. XFree86 creates a directory
  in /tmp with the name .X11-unix for the X sockets and sets the directory to
  mode 1777. If an attacker creates a symlink with that filename and points
  it to another directory (e.g. /root), the permissions of the target directory are
  set to 1777, thus a local attacker may create files with any contents in any
  directory. The original SuSe security is available at the Bugtraq archive.
  Updated packages for SuSe Linux are available on the SuSe FTP Server. 

	The bugtraq entry is at http://www.geek-girl.com/bugtraq/1999_1/1138.html

>How-To-Repeat:
	cd /tmp
	install -dm 700 -o root secretdir
	ls -dla /tmp/secretdir
	-> drwx------   2 root    wheel   512 Mar 29 19:17 secretdir
	ln -s secretdir .X11-unix
	XF86_3DLabs	 (chosen at random)
	ls -dla /tmp/secretdir
	-> drwxrwxrwt  2 root  wheel  512 Mar 29 19:17 /tmp/secretdir


>Fix:
	Unknown.
>Audit-Trail:
>Unformatted:
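
The report leaves the fix open. As an added example (not part of the original report and not XFree86's actual fix), here is one way a server could set up its socket directory without changing the mode of a symlink's target. The function names, the scratch path `/tmp/x11demo.XXXXXX` and the ownership rule (directory must belong to the calling user, root for a setuid X server) are assumptions for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_DIRECTORY, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if path is a real directory owned by us and now has `mode`,
 * -1 otherwise. The mode of a symlink's target is never touched. */
int secure_socket_dir(const char *path, mode_t mode)
{
    struct stat st;
    int fd, rc = -1;

    /* mkdir() does not follow a symlink in the last component (EEXIST). */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: refuse to open path if it is a symlink. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check and change the same object through the descriptor (no race). */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == geteuid())
        rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed demo of the How-To-Repeat steps in a scratch directory.
 * Returns the permission bits of secretdir (symlink case) or of the
 * freshly created .X11-unix (no symlink), or -1 on unexpected results. */
int demo_mode_after(int plant_symlink)
{
    char base[] = "/tmp/x11demo.XXXXXX", target[64], dir[64];
    struct stat st;
    int rc;

    if (!mkdtemp(base)) return -1;
    snprintf(target, sizeof target, "%s/secretdir", base);
    snprintf(dir, sizeof dir, "%s/.X11-unix", base);
    if (mkdir(target, 0700) != 0) return -1;
    if (plant_symlink && symlink("secretdir", dir) != 0) return -1;
    rc = secure_socket_dir(dir, 01777);
    if (stat(plant_symlink ? target : dir, &st) != 0) return -1;
    return (plant_symlink && rc == 0) ? -1 : (int)(st.st_mode & 07777);
}
```

With the symlink planted, the call is refused and `secretdir` keeps mode 0700; without it, `.X11-unix` is created and set to 1777.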