######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             February 24, 1997

                    Environment Variable Problems in X11


While examining the differences between X11R6.1 and X11R6.3, it has come to
our attention that a number of serious security problems in libX11 were fixed
between releases.  These problems permit unprivileged users to obtain elevated
access, including group sys, group kmem, and root privileges, depending on the
operating system and the X11 release.  Administrators should be aware that
these problems are actively being exploited, and should take the precautions
outlined below to ensure they are not susceptible to these problems.


Technical Details
~~~~~~~~~~~~~~~~~

In X11R6.1 and earlier, there are many places where libX11 looks at
environment variables, and then performs string operations on them.  X11R6.1
and earlier, however, perform no bounds checking when doing these string
operations.  Setuid and setgid programs which use functions provided by libX11
may allow users to obtain elevated privileges.

One of the many examples of flawed code in X11R6.1, in this case from
GetDflt.c reads:

if (ptr = getenv("HOME"))
        (void) strcpy(dest, ptr);

While the corrected code for this particular exammple in X11R6.3 reads:

if (ptr = getenv("HOME")) {
        (void) strncpy(dest, ptr, len);
        dest[len-1] = '\0';

Note that this code correctly adds a null character at the end of the
string after the strncpy.


Impact
~~~~~~
Depending on platform and X11 release, individuals with shell access can
obtain elevated access, including group sys, group kmem, and root
privileges.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~
Any system which is running X11R6.1 or earlier, and has at least one setuid or
setgid program which uses libX11 is vulnerable.

You can perform a simple test to determine whether your system is vulnerable.
First, set the HOME environment variable to a string at least 2500 characters
long.  Using a sh compatible shell, do this by issuing the commands:

$ HOME=jjjjjjj...jjjjj                  (2500 repititions of 'j')
$ export HOME

Using csh or tcsh, use the command:

% setenv HOME jjjjj...jjjjjjj           (2500 repititions of 'j')

Then, run a setuid or setgid X program, such as xload.  If you are running a
vulnerable release of X11, you will get an error message including either the
words "Segmentation Fault" or "Bus error."  If the words "Segmentation Fault"
and "Bus Error" do not appear, and the program operates correctly, you are not
vulnerable to this problem.

Be aware that if you use a string much shorter than 2500 characters, this test
will not produce meaningful results, because the length of the buffer in
question is 2048 characters.  Also, if your DISPLAY environment variable does
not point to a display which you have authorization to connect to, the test
will not be able to connect to a valid display and therefore will not work.


Fix Information
~~~~~~~~~~~~~~~
To fix these problems without loss of functionality, upgrade to the current
release of X11.  You can obtain X11R6.3 by referring to
http://www.x.org/consortium/GettingX.html

As an alternative workaround, administrators may want to remove setuid and
setgid bits from vulnerable programs.  To find all setuid and setgid programs,
in the X11 distribution, the following command can be executed:

% cd /usr/X11/bin
% find . \( -perm -02000 -o -perm -04000 \) -exec ls -l {} \;
% find . \( -perm -02000 -o -perm -04000 \) -exec chmod ug-s {} \;

Remember to perform the same command if you wish to remove permissions from
programs stored in other system directories.  Keep in mind that that the
use of this workaround will result in reduced functionality for non-root
users.


Additional Information
~~~~~~~~~~~~~~~~~~~~~~

If you have any questions about this advisory, feel free to contact me,
David Sacerdote, at davids@secnet.com.  If you should wish to encrypt
traffic for me, my pgp key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB
BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku
8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR
tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+
=LtL9
-----END PGP PUBLIC KEY BLOCK-----

Many thanks to the unknown individual who undertook to fix this set
of holes in the final days of the X Consortium.

Additional information about the X Windowing System can be found at
http://www.x.org

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories" in the body of
the message.


Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.