back to article This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

X.org, the X Window server used by various desktop Linux and BSD operating systems, has – depending on its configuration – a security vulnerability that can be exploited to gain root powers. If a vulnerable version of X.org runs on a system as setuid root, it can be abused by normal logged-in users to gain administrator-level …

  1. This post has been deleted by its author

    1. diodesign (Written by Reg staff) Silver badge

      Re: And this is news how?

      1. If you're providing a shared system - such as a university lab of Linux PCs - it's bad news.

      2. It's an amusingly trivial bug to exploit.

      3. Lurk more.

      C.

      1. unimaginative

        Re: And this is news how?

        Except that its only a problem if you use startx rather than a display manager, and who does that these days?

        1. bombastic bob Silver badge
          Devil

          Re: And this is news how?

          I _ALWAYS_ use startx. I prefer to boot into a console. Many reasons exist. The fact is "boot into a GUI" irritates me on POSIX systems. I don't know what 'bright bulb' windows and/or systemD lover insisted on THAT as "the default", nor made it more difficult to "turn that @#$% off" in post-systemD-world, but that's another rant for another day...

          I checked my FreeBSD server and it's an earlier Xorg (from slightly more than a year ago, 1.18.something). I did chmod 4554 on it anyway to prevent non-GID-0-members from running it. [just in case] This makes me very happy that I'm not addicted to "bleeding edge everything".

          a simple 'right now' fix could deny users NOT in the appropriate login group from running the thing. Some re-assignments via chmod and chown would do that, yeah. Maybe create a new 'xorg' group if one does not exist, assign that to the 'Xorg' binary, and anything else 'suid' that's related to it.

          I just checked the 'ports' trees and they've been using 1.18.4 for quite a while now. Looks like FBSD has dodged a bullet by NOT being "bleeding edge" on the X server.

          1. Fungus Bob

            Re: And this is news how?

            "I prefer to boot into a console"

            Ah. Slave to fashion, then...

          2. Teiwaz

            Re: And this is news how?

            nor made it more difficult to "turn that @#$% off" in post-systemD-world

            systemctl stop [displaymanager].service

            Where displaymanager is gdm, sddm, etc. Not really that difficult really.

            And no mucking about with runlevels.

            1. onefang
              Boffin

              Re: And this is news how?

              "systemctl stop [displaymanager].service

              "Where displaymanager is gdm, sddm, etc. Not really that difficult really."

              invoke-rc.d [displaymanager] stop

              Slightly easier, it's less typing.

              /etc/init.d/[displaymanager] stop

              If you don't happen to have invoke-rc.d installed.

              service [displaymanager] stop

              If you have that installed, though for some odd reason it allows systemd units to override sysv init scripts.

              Or if you are really pissed off at things -

              killall -KILL [displaymanager]

              Still no mucking about with run levels. Out of all of these choices, the systemctl variation involves the most typing. That counts as "made it more difficult".

    2. JohnFen

      Re: And this is news how?

      "If your Linux distribution allows you access to sudo"

      This vulnerability does not involve or require sudo access.

    3. asphytxtc
      Facepalm

      Re: And this is news how?

      I think someone clearly doesn't understand the difference between "sudo" and "suid" :-/

    4. Lee D Silver badge

      Re: And this is news how?

      Not sudo. setuid.

      X was setuid in every distribution for DECADES. Some of them still are. X itself runs as root no matter who you are in those distributions, then downgrades itself to the user's level.

      Here's a shock - apache does the same thing. You have to run as root to enable you to bind to any port number less than 1024 as a server. So apache starts up as root, binds the port, drops privileges, and runs the rest of its life as "www-data" or whoever while holding something that only root could have obtained. X does pretty much the same, or did. There are ways not to, but pretty much X has spent more of its life starting as root than anything else. Same as "ping", I believe. You have to be root to send ICMP messages. So ping is "setuid root", so whoever runs it is actually running it as root. (Things may have changed in recent years, I don't delve into it myself).

      Because of that... anyone on those affected distros (i.e. all but the most secure) is running X as root for a period of time. Which wouldn't be a massive problem if it didn't allow you to specify arbitrary files as the log, and then let you control what's logged. Basically, that's using X as a proxy to read/write any file on the filesystem. In this case, it just happens to set a root password by overwriting the password storage file (shadow).

      Yes, it's a dumb idea to run as root when it's not necessary. Fact of the matter is, there's almost ALWAYS a point at which it becomes necessary. Windows has a SYSTEM user, Linux still has root. If they weren't required, those accounts wouldn't even exist. (It actually goes back to the micro-kernel argument of old, where you shouldn't need one user able to "join" all those systems, but if you want sufficient performance, you often have little choice without switching between 20 different subsystems and handing off state information 20 times to achieve something basic).

      But it's not an incredibly dumb idea so long as you are very careful and drop privileges as soon as you've done the necessary. In this case, the former failed and - while still root - X allows unsanitised user-specified data to be utilised in the name of a filesystem file which it then gains root write access to, and again to allow the user to specify more unsanitised data which can end up in that file.

      1. Nick Kew

        @Lee D

        Your comments re: apache are wide of the mark. Yes apache starts as root if it wants to bind to ports 80 and/or 443 (http, https). But it's certainly not intended to be installed as setuid, and I should be surprised if anyone ships it as such. You - or more usually your systems init scripts - just start it as root.

        Bottom line: if there's a commandline option that'll take advantage of root privileges to do something unintended, then you need root privileges to exploit it. So you might as well just do the unintended thing directly.

    5. wayne 8

      Re: And this is news how?

      1) the user has to belong to sudo group. For a single user linux system this should not be a problem, unless one of your alters is a malicious hacker and you don't have security policy that requires separate logins.

      2) the /etc/sudoers file has to have NOPASSWD in it.

      If you are running Linux and are concerned that you don't have to enter your password then use sudo to change #2 above. If you really don't trust yourself with sudo, then use Windows.

  2. Anonymous Coward
    Anonymous Coward

    Why does it work, tho?

    https://gitlab.freedesktop.org/xorg/xserver

    /blob/master/hw/xfree86/common

    /xf86Init.c#L907 should cause a fatal error and abort if ran with elevated privileges anyway?

    What am I missing here?

    Edit: Ah, nevermind, I didn't see the elseif here

    https://gitlab.freedesktop.org/xorg/xserver

    /commit/032b1d79b7#d73a91de262c4a054f8fc

    c761601c6d8a5d6cdd5_1128_1123

  3. Anonymous Coward
    Anonymous Coward

    Now, if this were a Windows exploit...

    "Good heavens, don't they test their shit, where's the QA?"

    "Errors like these just don't happen on properly designed systems."

    "It's 2018 and you can get admin rights this easily? Puh-leeze!"

    "Can I bill them for the extra work this caused me?"

    "How do I get a refund? It's clearly not fit for use!"

    "MS is over the hill and will be bankrupt in a couple years from now."

    "Year of Linux on desktop is 2019, just mark my words!"

    "I burned my grandma an Arch Linux CD back in 2005, and without any instructions she hasn't had any problems with her SCSI scanner since. In your face, Bill!"

    1. trolleybus

      Re: Now, if this were a Windows exploit...

      But it isn't.

      I know what you're saying. I even agree with you, to a point. But this isn't a Windows bug, and shouldn't be used as part of a religious war.

      1. Anonymous Coward
        Anonymous Coward

        Re: Now, if this were a Windows exploit...

        "But this isn't a Windows bug, and shouldn't be used as part of a religious war"

        You're new here, aren't you? ;-)

        Some users - some partaking even in this thread - just happen to gravitate towards all MS articles to tell what's wrong with M$ products and how move to FOSS brings peace and harmony.

    2. Trilkhai

      Re: Now, if this were a Windows exploit...

      Windows is a huge commercial product that a single company makes avalanches of money producing & selling. X and Linux are non-commercial creations produced primarily by groups of volunteers spanning the globe and freely available online. By all logic, we should be able to hold Windows to a vastly greater standard of security & reliability than Linux; the fact that we can't is a problem.

      Also, you need to update your "stuff Linux people say" list, it's embarrassingly outdated. You might as well include references to Vista and USB 1.0 while you're at it.

      1. unimaginative
        Linux

        Re: Now, if this were a Windows exploit...

        "X and Linux are non-commercial creations produced primarily by groups of volunteers spanning the globe and freely available online."

        No they are not. They are produced primarily by employees of companies that profit from open source like Red Hat, Intel, IBM etc. https://www.linuxfoundation.org/blog/2016/08/the-top-10-developers-and-companies-contributing-to-the-linux-kernel-in-2015-2016/ Then there are people like academics who may not be paid directly to work on it, but if its linked to their research it is part of their job.

        1. bombastic bob Silver badge
          Devil

          Re: Now, if this were a Windows exploit...

          and Xorg is open source meaning ANYONE can contribute, as needed, or re-build it locally with patches applied and NOT have to wait around for some 2.7 Gbyte download and "at our convenienced" forced-up-our-asses update to come along and "fix" it [and maybe break something else, too]

          I'll stick with the much-less-frequent-need-for-it open source patch method, thanks.

    3. Flocke Kroes Silver badge

      Re: Now, if this were a Windows exploit...

      All free software has an automatic money back option. Perhaps one day Microsoft will provide such a service to their customers. You are welcome to hold your breath while you wait for it.

    4. Destroy All Monsters Silver badge
      Windows

      Re: Now, if this were a Windows exploit...

      > Now, if this were a Windows exploit...

      Let Microsoft be ripped to confetti by an antitrust lawsuit with the cash stash distributed to various OSS foundations and let Windows be open-sourced.

      No talk before that.

      Not get off my lawn, I have doge and AKM.

  4. DCFusor
    Facepalm

    FWIW

    Not one linux machine here - spanning x86. amd64 and arms (more than one flavor of each) - and several distros, requires you to be "sat at the machine" to get sudo or root - If you can get it at the machine, you can get it remotely (there may be a way to turn that off, but I've not seen it). VNC or SSH make it easy from any remote machine if you log in as a user that is an sudoer. That "have to be there" is an utter myth. On the not-raspberry pi distros you do have to know that user's password, but you'd have to know that either way.

    Back when the Norse attack map was up and going, you'd see plenty of attacks to just those ports -"for some reason". Also RDP, of course.

    1. Sitaram Chamarty

      Re: FWIW

      There seems to be a slight confusion here between sudo and being at the console.

      The Xorg bug discussed here requires you to be logged in AT the console. On my not-yet-updated-for-this-bug Fedora system, there is a pam configuration line (specifically, `auth required pam_console.so` in /etc/pam.d/xserver) that appears to be ensuring that you cannot run an X server unless you have control of one actual console (that's one of those things you get when you hit Ctrl-Alt-F2/F3 etc).

      This has absolutely nothing to do with sudo.

      (You actually can run this over ssh also, but only if you are *also* logged in at the console, so it comes to the same thing)

      If you're on a typical single user system that is running only the GUI and you rarely go to one of the actual ttys for any reason -- probably the only way to affect you is if someone who knows *some* userid and password to your box, *and* has physical access, were to do that Ctrl-Alt-F2 thing, login, and then run this command.

      Servers, mostly running headless, likewise -- you'd have to get into the server room, attach a keyboard and mouse, and do this.

      All in all, a very big bug, but not terribly scary for most people.

    2. bombastic bob Silver badge
      Devil

      Re: FWIW

      @DCFusor

      if you have a system where ssh lets anyone log in, an ssh'd user could attempt to start an X server and specify the output file as 'whatever' for the log, and so the vulnerability still applies.

      But I think my 'chmod' or 'chmod' + 'chown' + 'xorg group' method (applied to the Xorg binary's permissions) would mitigate that, preventing anyone not authorized to start an X server from starting an X server by not allowing them to execute it.

      1. DCFusor

        Re: FWIW

        @bob

        Yep -- off topic or not, I've seen that "you have to be at the machine - right there" to do rooty stuff statement here too many times, and even if the post I replied to was incorrect about needing sudo vs ability to mess with suid - it's true despite the downvotes I collected for saying it.

        It's tiresome and probably gives noobs the idea that if they have physical security they are safe.

        We all know that if you don't, you're done, but the opposite isn't true.

        I have plenty of single-user systems headed and headless and of course you need root privileges to do the required customization during setup. Many have never had a keyboard or terminal of any sort physically attached, yet you see this "you have to be at the machine" stuff all the time here.

        And if you've got root, fooling with permissions is not exactly a problem either.

        There are around 20 machines here that give the lie to that statement.

      2. stephanh

        Re: FWIW

        It's a "local privilege escalation"; a non-root user gets root permission.

        Bad, but not an immediate disaster for single-user systems. Still a good idea to run updates right away ...

  5. Brian Scott

    Just tested this on a very up-to-date FreeBSD install.

    "The '-logfile' option cannot be used with elevated privileges."

    % Xorg -version

    X.Org X Server 1.18.4

    Release Date: 2016-07-19

    X Protocol Version 11, Revision 0

    Build Operating System: FreeBSD 12.0-ALPHA8 arm64

    ...

    Build Date: 07 October 2018 07:35:55AM

    It pays to not be at the bleeding edge I guess. (The Xorg executable is setuid but obviously at this back-level version there are sufficient checks for dangerous options.)

  6. -tim
    Coat

    Those who fail to learn history are doomed to repeat it

    Why does the frame buffer, gpu and mouse need root access and the inevitable setuid root nonsense with its security issues? System V Unix had special devices such as modems that could be opened by one user at a time that didn't require root access. That is why modern systems have /dev/tty* and /dev/cu* which talk to the same hardware but one only allows on user to open it without root privileges.

    1. Anonymous Coward
      Anonymous Coward

      Re: Those who fail to learn history are doomed to repeat it

      Good question.

      Given that this flaw is not specific to Linux, and assuming that X.org on Linux and on OpenBSD is exactly the same (same source code), there must be some kind of common understanding between *nix's on this point.

      Arguably, if my assumption is correct, this problem shows that that agreement that was reached between *nix's is misguided, and could probably do with some rethinking.

      Presumably what's happened is that some additional functionality was added to X.org's command line processing, and the X.org team never considered that what they were adding mattered. After all, they're not the ones putting distributions together, and no one can expect them to keep a close eye on the myriad different installations of their software to see if anyone does something as crazy as giving it setuid root. Rather, it's the distro maintainers who have, not surprisingly perhaps, not been paying attention.

      Which highlights the point that whilst a Linux installation or OpenBSD might be bang up to date with the latest and most secure versions of everything (kernel, userland), that can all be blown away by devolving responsibility for how all that is assembled into a distro to a bunch of people who clearly aren't doing their users every possible favour.

      Arguably this situation, due to a lack of clear communication and cross-team working, is more likely to arise in projects formed from disparate teams with no starkly underlined mutual interest in self preservation, and less likely in a project from a single team whose employment depends in part on not getting stuff like this wrong. There's no one in the open source world who can sit above all the projects and command them to coordinate properly. So they don't always do that.

      Personally speaking I'd no idea that X.org was sometimes configured with the setuid bit set. For something as massive as X.org to have that sounds terrifyingly dangerous! Never mind this trivial escalation through its command line interface, what about other flaws in its implementation. There's a whole ton of code there within which a few nasty surprises could be lurking.

    2. bombastic bob Silver badge
      Meh

      Re: Those who fail to learn history are doomed to repeat it

      "Why does the frame buffer, gpu and mouse need root access and the inevitable setuid root nonsense with its security issues?"

      kernel drivers and devices, for one. You may not want anyone and his brother to be able to accidentally screw with these. An 'suid' application could do so safely, with root-only access to the named devices in the '/dev' tree (as one example). And '/dev/mem' may be involved (another example). so yeah, might wanna 'suid root' on the executable, then make it safe to do so as part of that.

      1. stephanh

        Re: Those who fail to learn history are doomed to repeat it

        To put this in another way: if your closed-source NVidia driver decides it needs access to /dev/mem (aka the entire system memory), then there is little choice as to have xserver start up as root.

        Some drivers are better behaved (the open source ones, typically) but in general startup as root is unfortunately a requirement.

  7. Mike 137 Silver badge

    Thanks for making this public

    On Twitter. Now anyone who wants to be a nuisance - from bored kids upwards - knows how to do it and will probably try.

    Responsible disclosure is making sure those who can fix the problem find out about it while avoiding irresponsible and malicious actors finding out about it until it's been fixed.

    1. bazza Silver badge

      Re: Thanks for making this public

      The CVE was raised back in July. The tweet was yesterday.

      Perhaps you'd be advised to keep an eye on the CVE lists if you're concerned, not everything there gets tweeted.

      1. Alan J. Wylie

        Re: Thanks for making this public

        The CVE was raised back in July

        Raised doesn't mean made public.

        I monitor CVEs for a living (it's tedious and boring: since early 2017 there has been a huge increase in ones of no relevance). The first I saw of it was this tweet, yesterday at 9:30 pm.

        The NIST site says published on the 25th, too.

  8. Alan J. Wylie

    Theo de Raadt of OpenBSD is not happy

    Nobody at OpenBSD was made aware of the bug until very late on, despite an OpenBSD developer being on the X security team. The release of 6.4 could have been delayed until after the public annoucement.

    1. Spazturtle Silver badge

      Re: Theo de Raadt of OpenBSD is not happy

      Yeah the CVE systems has started to look horribly broken over the past year and a bit. It seams like the organisations goals have shifted from trying to get bugs patched before they can be exploited to a protectionist organisation for the big OSs.

      1. stephanh

        Re: Theo de Raadt of OpenBSD is not happy

        The bsd's also kept out of the meltdown/Spectre loop. Sad.

  9. Anonymous Coward
    Anonymous Coward

    CentOS seems affected to me

    I tried on a recently patched CentOS 7, and it did overwrite /etc/shadow.

    It was not clean, as it added a lot of log lines as well, but the part between "" was there indeed.

  10. Paul Johnston

    Yes to Centos

    I tried on my Centos Box and it was indeed overwritten

    Replaced with my backup of /etc/shadow.

    Let the fun commence :-)

  11. Anonymous Coward
    Anonymous Coward

    The answer is surely obvious...

    Just curate X under the wise and noble control of systemd. Security and bugs sorted!

    1. HieronymusBloggs

      Re: The answer is surely obvious...

      "Just curate X under the wise and noble control of systemd. Security and bugs sorted!"

      I guess the downvoter missed the sarcasm in your comment.

  12. Michael Wojcik Silver badge

    Overwrite /etc/shadow?

    The latter can be used to overwrite the shadow password file on a computer to allow access to the root user without a password.

    Pfft. Back in the day, you'd use these suid-logfile bugs (and there have been many) to overwrite or create a /.rhosts containing "+ +".1 Overwriting the shadow file was considered unsubtle, if not outright gauche; and .rhosts tolerates random junk better than many other sensitive files.

    Of course now that the r-commands have mostly faded into well-deserved obscurity, hacking .rhosts is somewhat less useful.

    The real point, of course, is that suid programs that create files in arbitrary locations has long been known as an attack vector. That's one reason why ld.so ignores LD_DEBUG_OUTPUT when running an suid binary, for example. (For a while now it's ignored LD_DEBUG when running an suid binary, making this somewhat irrelevant, but there was a time when the former was suppressed but the latter allowed.)

    1This was before people started moving root's home directory to somewhere other than /.

  13. theOtherJT Silver badge

    X has always scared the hell out of me...

    ...and this sort of thing here isn't making me feel better.

    There's just something about the thing that seems so fundamentally weird that I've never been able to feel good about it. I'm sure there are far smarter people than me who know a lot more about why X is the way that it is who could explain that honestly it all makes perfect sense.

    1. onefang

      Re: X has always scared the hell out of me...

      There's this old TV show that tries to explain things. I think it was called The X-Files. Oh wait, might make you more scared.

    2. Destroy All Monsters Silver badge
      Alien

      Re: X has always scared the hell out of me...

      There's just something about the thing that seems so fundamentally weird that I've never been able to feel good about it.

      Since the early 90s.

      But as long as the stars ain't right, we are safe.

  14. Azerty

    Any actual configurations where this might work?

    I tried my Ubuntu laptop but it doesn't work. The article mentioned CentOS is also safe. Is this actually as common as the article seems to suggest or is this just a pagefiller about something that only works if your carefully set your system up for intrusion?

    1. onefang

      Re: Any actual configurations where this might work?

      Not on my desktop anymore, the patch hit Debian / Devuan mirrors and I already applied it. Maybe you need to try it on an old unpatched install?

    2. HieronymusBloggs

      Re: Any actual configurations where this might work?

      On my Debian 9 systems, which run sysvinit and on which I startx manually, it would have worked.

      1. KSM-AZ
        Go

        Re: Any actual configurations where this might work?

        Nope. Deb 9 the setuid was removed if current. This breaks startx and Xrdp. So there is now a wrapper. And some config tweaks needed to use vnc. You can run startx against your own console vtxx but it beaks if it auto-allocates, can't write... xorg -query .... aaagh.

        This is easy to fix removing he suid bits, but the other tools just need to catch up.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like