Date: Sat, 26 Jun 1999 15:40:54 -0400
From: "KSR[T] Contact Account" <ksrt@KSRT.ORG>
To: BUGTRAQ@netspace.org
Subject: KSR[T] #011: Accelerated-X

                                                  KSR[T] Advisory #011
                                                  Date:  June 25, 1999
                                                  ID #:  accelx-bo-011

Affected Program:    Xi Graphics, Inc.'s Accelerated-X Server 4.x, 5.x
                     (and possibly earlier versions).

Author:              Jordan Ritter <jpr5@ksrt.org>

Operating System(s): UNIX (Linux, FreeBSD, Solaris/x86, SCO)

Summary:             Local users can gain administrative privileges by
                     exploiting multiple buffer overflows (stack
                     overwrites) in the Accelerated-X X server.

Problem Description: Accelerated-X Server is a commercial X server
                     available from http://www.xig.com/.  By default,
                     the X server is installed setuid root so that
                     when it is executed by a user it still retains enough
                     privilege to load drivers, manipulate the
                     display, and log information.

                     However, due to insufficient bounds checking on
                     command-line parameters, an attacker can overflow
                     the X server by specifying a 48 byte display string,
                     or through a long string passed into the -query
                     command line parameter.

Compromise:          Local users that can execute the Accelerated-X
                     Xserver can obtain root privileges.

Notes:               We would like to thank Chris Evans for pointing
                     out the -query buffer overflow as well as additional
                     security holes relating to command line parameters.

Patch/Fix:           For AccelX 5.x: XiG has made a patch available for
                     5.0.1 which corrects these and other potential
                     command line interface security holes.  Users
                     running 5.0.0 have to apply the 5.0.1 patch prior
                     to applying the 5.0.2 patch.  The patch is
                     available at ftp://ftp.xig.com/pub/updates.

                     For AccelX 4.x: Patch will be made available shortly.
                     An interim solution is to use an X server wrapper,
                     or to limit access to the Xaccel binary via a
                     special group.

                     The upcoming release of Maximum CDE 2.1 comes with
                     the 5.0.2 X Server, and is not vulnerable to these
                     attacks.