-----BEGIN PGP SIGNED MESSAGE-----
Subject: Caldera Security Advisory SA-1997.34: Vulnerabilities in XFree86 3.3
Original report date: 06-Aug-1997
RPM build date: 19-Dec-1997
Advisory issue date: 24-Dec-1997
Topic: Vulnerabilities in the XFree86 3.3 servers
I. Problem Descriptions
(This security advisory covers three problems that are unrelated
except that they are all addressed in the same XFree86 update
described in this advisory.)
1) The X servers in the /usr/X11R6/bin directory can be used to
read the first space delimited word of any file, regardless of
access permissions. The servers read the config files with root
permissions, and if a user specifies an alternate file with the
'-config' option, the first word of this file is displayed as
part of an error message.
2) The /tmp/.X11-unix directory is world writable. Therefore,
users can rename the X0 UNIX domain socket and replace it with
an invalid one.
3) XFree86, like any X server, listens for incoming connections on
TCP ports 6000 and above. Any user can choose the display number
simply by starting "X :any_display". The X server chooses its port
by adding the display number to 6000. But since port numbers are
16-bit values, port 65536 equals 0, so displays 59536 to 65535
produce listening sockets on ports 0 to 5999. And because the X
server runs SUID root, any user can use it to block known ports
before the daemon that owns them starts using them.
II. Impacts
1) An unprivileged user can view the first space delimited
word of any file on the system. For example, the first line of
/etc/shadow, which an unprivileged user should not be able to
view, often contains the encrypted root password. A work-around
for this problem is to move a less privileged user's /etc/shadow
entry to the first line.
2) An unprivileged user can break X, or they can modify the X0 Unix
domain socket in such a way as to snoop on an X application's
protocol exchange with the server. In particular, keystrokes
can be intercepted, allowing the user to read everything that is
typed, including sensitive data.
3) Because the X-server runs SUID root, any user can use it to block
known ports before a daemon starts using it.
To determine if you are vulnerable, type:
rpm -qa | grep XFree86-
If the server(s) shown is a version earlier than 3.3.1-3, you
need to upgrade.
III. Solution
Upgrade to the XFree86-[server]-3.3.1-3 packages.
They can be found on Caldera's ftp site at:
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/
The corresponding source code can be found at:
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/
The MD5 checksums (from the "md5sum" command) for these
packages are:
07710ecc693c519343f77fe61c542ba5 XFree86-8514-3.3.1-3.i386.rpm
e30b1b9d5b549b9ee85b9ac3f9810ed7 XFree86-AGX-3.3.1-3.i386.rpm
05da649d3f0c6e70db41c4ac596403e6 XFree86-I128-3.3.1-3.i386.rpm
5d3b630acb6f3d78954decbc1b183ecb XFree86-Mach32-3.3.1-3.i386.rpm
e2255ccd3b23d2884f3da2ca543b885e XFree86-Mach64-3.3.1-3.i386.rpm
5cc6bbe46dc7836e6be0879cbc347f5f XFree86-Mach8-3.3.1-3.i386.rpm
91e3d6962683889c2acd351a345fd719 XFree86-Mono-3.3.1-3.i386.rpm
5e77fe20f39994ea3872f008e42e5517 XFree86-P9000-3.3.1-3.i386.rpm
b6319402b02efbf257a9451602c8ba84 XFree86-S3-3.3.1-3.i386.rpm
bc6aee85e80db61d3f7edb183cd90f77 XFree86-S3V-3.3.1-3.i386.rpm
29f8f9b26c6a3590715856645bb24b48 XFree86-SVGA-3.3.1-3.i386.rpm
14e539c4bbb659fc7e7f35d499bc3401 XFree86-VGA16-3.3.1-3.i386.rpm
3257dd1ca46312ebb81409b949516d1d XFree86-W32-3.3.1-3.i386.rpm
4f52c74a7f959ad4c7741fe9c77ffe52 XFree86-Xnest-3.3.1-3.i386.rpm
230c41b27ed7347bf82c35ebfbb74c67 XFree86-Xprt-3.3.1-3.i386.rpm
5fee0ebf4cebb04022e6a0825b7285e1 XFree86-Xvfb-3.3.1-3.i386.rpm
92f8642b31e2df1e8a7a9da067fb0cf3 XFree86-server-3.3.1-3.i386.rpm
9f0777319b7bfd47ea9944cfe0aff2c6 XFree86-setup-3.3.1-3.i386.rpm
625405e598ccddc6def48e1fc1e81629 XFree86-server-3.3.1-3.src.rpm
To upgrade, it is assumed that you have already upgraded to the
XFree86-[server]-3.3.1-2 packages as discussed in Caldera
Security Advisory SA-1997.15 - (September 9, 1997 Vulnerability
in XFree86 3.2)
Because of item #1 in Description and Impact discussed above,
you will need to upgrade _all_ of the X servers installed on your
system, not just the server currently in use. To determine
which servers are present, type "ls /usr/X11R6/bin/XF86_*".
This should list the binary files for all of the X servers
installed on your system in the form XF86_[server], where [server]
is any or all of: { 8514, AGX, I128, Mach32, Mach64, Mach8, Mono,
P9000, S3, S3V, SVGA, VGA16, W32 }.
1. Upgrade all of the X servers in the following manner:
rpm -U XFree86-[server]-3.3.1-3.i386.rpm
Repeat the command above for all servers found with the
"ls /usr/X11R6/bin/XF86_*" command.
2. Upgrade the following packages:
rpm -U XFree86-Xnest-3.3.1-3.i386.rpm
rpm -U XFree86-Xprt-3.3.1-3.i386.rpm
rpm -U XFree86-Xvfb-3.3.1-3.i386.rpm
rpm -U XFree86-server-3.3.1-3.i386.rpm
rpm -U XFree86-setup-3.3.1-3.i386.rpm
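The following shell script is an added example and is not part of Caldera's advisory or of the XFree86 distribution. It encodes the version test from section II ("earlier than 3.3.1-3") and the per-server upgrade loop from step 1: given one line of "rpm -qa | grep XFree86-" output it decides whether that package is older than 3.3.1-3, and given the output of "ls /usr/X11R6/bin/XF86_*" it prints the matching "rpm -U" commands for review. The function names and the sample "rpm -qa" and "ls" output are constructed here; the script never runs rpm itself, it only prints.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory or of XFree86. Function
# names (ver_lt, needs_upgrade, upgrade_cmds, check_all) are made up here.
# It reproduces two checks from the advisory: "is the installed server
# package older than 3.3.1-3?" and "which rpm -U commands does step 1
# need for the servers present in /usr/X11R6/bin?".  It only prints;
# it never runs rpm itself.

FIXED="3.3.1-3"      # version-release that contains the fix

# ver_lt A B: succeed (exit 0) if version-release A sorts before B.
# "3.3.1-2" is compared as the numeric fields 3 3 1 2, field by field,
# so 3.3.1-10 correctly sorts after 3.3.1-3 (a plain string compare
# would get that wrong).
ver_lt() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $b                      # positional parameters now hold B's fields
    for x in $a; do
        y=${1:-0}                  # missing field in B counts as 0
        [ $# -gt 0 ] && shift
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    [ $# -gt 0 ]                   # equal so far: A < B only if B has more fields
}

# needs_upgrade PKG: PKG is one line of "rpm -qa | grep XFree86-" output,
# e.g. "XFree86-SVGA-3.3.1-2".  Succeeds if that package is older than FIXED.
needs_upgrade() {
    vr=$(printf '%s\n' "$1" | sed 's/^XFree86-[A-Za-z0-9]*-//')
    ver_lt "$vr" "$FIXED"
}

# upgrade_cmds LISTING: LISTING is the output of "ls /usr/X11R6/bin/XF86_*".
# Prints one "rpm -U XFree86-[server]-3.3.1-3.i386.rpm" line per server
# binary found, i.e. the commands step 1 tells you to repeat.
upgrade_cmds() {
    printf '%s\n' "$1" |
        sed -n 's|^/usr/X11R6/bin/XF86_\([A-Za-z0-9]*\)$|rpm -U XFree86-\1-'"$FIXED"'.i386.rpm|p'
}

# check_all QA_OUTPUT: report every listed package still below FIXED.
check_all() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if needs_upgrade "$pkg"; then
            printf 'NEEDS UPGRADE: %s\n' "$pkg"
        else
            printf 'ok:            %s\n' "$pkg"
        fi
    done
}

# Constructed sample input (not taken from a real system): two packages
# still at the earlier 3.3.1-2 release, one already at 3.3.1-3.
SAMPLE_QA="XFree86-SVGA-3.3.1-2
XFree86-Mach64-3.3.1-3
XFree86-server-3.3.1-2"

SAMPLE_LS="/usr/X11R6/bin/XF86_Mach64
/usr/X11R6/bin/XF86_SVGA"

check_all "$SAMPLE_QA"
echo "Step 1 commands for the servers present:"
upgrade_cmds "$SAMPLE_LS"
```

On a real system, replace the two constructed strings with "$(rpm -qa | grep XFree86-)" and "$(ls /usr/X11R6/bin/XF86_*)". The field-by-field comparison matters because the advisory's test is on the version-release string, and a lexical comparison would rank a hypothetical 3.3.1-10 below 3.3.1-3.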
IV. References / Credits
From: dube0866@eurobretagne.fr (Nicolas Dubee)
To: XFree86@XFree86.Org
Subject: [XFree86(TM) Bug Report] Security hole in XFree servers
Date: Sun, 7 Sep 1997 19:48:11 -0400 (EDT)
Message-Id: 199709072348.TAA29123@public.XFree86.Org
From: (shegget) root@SHEGG.RH1.IIT.EDU
To: BUGTRAQ@NETSPACE.ORG
Subject: XFree86 insecurity
Date: Fri, 21 Nov 1997 18:35:36 +0000
Message-ID: Pine.LNX.3.96.971121183345.723A-100000@shegg.rh1.iit.edu
From: (Willy TARREAU) tarreau@AEMIAIF.LIP6.FR
To: BUGTRAQ@NETSPACE.ORG
Subject: XFREE86 can block reserved ports
Date: Wed, 6 Aug 1997 10:14:30 +0200
Message-ID: 199708060814.KAA00775@aemiaif.lip6.fr
From: (Carlo Wood) carlo@RUNAWAY.XS4ALL.NL
To: BUGTRAQ@NETSPACE.ORG
Subject: X Security problem (?)
Date: Fri, 14 Nov 1997 02:13:22 +0100
Message-ID: 199711140113.CAA09289@jolan.xs4all.nl
From: (CERT(sm) Coordination Center) cert@cert.org
To: (Caldera Security) security@caldera.com
Subject: XF86 servers security hole (VU#16699) (caldera)
Date: Fri, 10 Oct 1997 12:03:22 -0400 (EDT)
Message-Id: 199710101603.MAA14448@yobbo.cert.org
This security fix closes Caldera's internal Problem Reports 823, 885,
1008, 1104, 1274.
This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/security/
V. PGP Signature
This message was signed with the PGP key for security@caldera.com.
This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/
Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/
$Id: SA-1997.34,v 1.2 1997/12/24 19:13:19 ron Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNKFe8en+9R4958LpAQEpCAP/bW0/HWMpB+eFTO24sQwcEwnVSrBMPOu2
/zUanIXPjcWhCMS72mXK8aGjm2ZMr9SVUDwRNu61f7OByhH0viAN5pvqg0aHrHGK
WeGx6wlXgG/URcqx+h+Dh6Ifnd7DzibbEBhFCIuW8InmCRoplc69iBiZEAFMrpJc
uGsVax7IZhw=
=dO/g
-----END PGP SIGNATURE-----