Posted Sep 23, 1999


SHA-256 | d54a03addf66f66482eccde96bab7b2dccdefb8e4d63ba770a2bbed30ad5d4ff



Subject: Caldera Security Advisory SA-1997.34: Vulnerabilities in XFree86 3.3

Original report date: 06-Aug-1997
RPM build date: 19-Dec-1997
Advisory issue date: 24-Dec-1997

Topic: Vulnerabilities in the XFree86 3.3 servers

I. Problem Descriptions

(This security advisory covers three problems that are unrelated
except that they are all addressed in the same XFree86 update
described in this advisory.)

1) The X servers in the /usr/X11R6/bin directory can be used to
read the first space-delimited word of any file, regardless of
access permissions. The servers read the config files with root
permissions, and if a user specifies an alternate file with the
'-config' option, the first word of this file is displayed as
part of an error message.

2) The /tmp/.X11-unix directory is world writable. Therefore,
users can rename the X0 UNIX domain socket and replace it with
an invalid one.

3) XFree86, like any X server, listens for incoming connections
on TCP ports 6000 and above. Any user can choose the display
number simply by starting "X :any_display". The X server chooses
its port by adding the display number to 6000. But because port
numbers are 16-bit values, port 65536 equals 0, so displays 59536
to 65535 generate listening sockets on ports 0 to 5999. And as
the X server runs SUID root, any user can use it to block known
ports before a daemon starts using them.
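
The wrap-around in problem 3, shown next to a range check that rejects it. This is an added example, not code from XFree86 or from Caldera; the function names and the check are hypothetical, and the display numbers are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

#define X_TCP_BASE 6000u            /* X listens on TCP 6000 + display */

/* Port actually bound when 6000 + display is stored in a 16-bit port
 * field with no range check (the behaviour the advisory describes). */
static uint16_t port_unchecked(unsigned long display)
{
    return (uint16_t)(X_TCP_BASE + display);    /* reduced mod 65536 */
}

/* Hypothetical hardened helper: refuse any display whose port does not
 * fit in 16 bits. Returns 0 and stores the port, or -1 if rejected. */
static int port_checked(unsigned long display, uint16_t *port)
{
    if (display > UINT16_MAX - X_TCP_BASE)      /* limit is 59535 */
        return -1;
    *port = (uint16_t)(X_TCP_BASE + display);
    return 0;
}

int main(void)
{
    /* Constructed sample displays around the wrap boundary. */
    const unsigned long samples[] = { 0, 59535, 59536, 65535 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t p = 0;
        int rc = port_checked(samples[i], &p);
        printf("display %5lu: unchecked port %5u, checked: %s\n",
               samples[i], (unsigned)port_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```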

II. Impacts

1) An unprivileged user can view the first space-delimited
word of any file on the system. For example, the first line of
/etc/shadow, which an unprivileged user should not be able to
view, often contains the encrypted root password. A work-around
for this problem is to move a less privileged user's /etc/shadow
entry to the first line.

2) An unprivileged user can break X, or they can modify the X0 Unix
domain socket in such a way as to snoop on an X application's
protocol exchange with the server. In particular, key strokes
can be intercepted, allowing the user to read everything that is
typed including sensitive data.

3) Because the X server runs SUID root, any user can use it to block
known ports before a daemon starts using them.
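
An audit check for the directory condition behind problem 2, added here as an example and not taken from the advisory or the XFree86 update. The advisory does not say how the update closes the hole; the sticky-bit test below is standard Unix restricted-deletion semantics, and the function and enum names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum dir_risk { DIR_OK, DIR_ANYONE_CAN_RENAME, DIR_NOT_A_DIRECTORY,
                DIR_STAT_FAILED };

/* Any user may rename or unlink entries they do not own when "other"
 * has write permission on the directory and the sticky bit is clear. */
static int mode_lets_anyone_rename(mode_t mode)
{
    return (mode & S_IWOTH) != 0 && (mode & S_ISVTX) == 0;
}

static enum dir_risk socket_dir_risk(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)      /* lstat: do not follow a symlink */
        return DIR_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))       /* path replaced by something else */
        return DIR_NOT_A_DIRECTORY;
    return mode_lets_anyone_rename(st.st_mode) ? DIR_ANYONE_CAN_RENAME
                                               : DIR_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "anyone can rename entries",
                                   "not a directory", "stat failed" };
    const char *dir = "/tmp/.X11-unix";     /* path from the advisory */
    printf("%s: %s\n", dir, names[socket_dir_risk(dir)]);
    return 0;
}
```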

To determine if you are vulnerable, type:

rpm -qa | grep XFree86-

If any server shown is a version earlier than 3.3.1-3, you
need to upgrade.

III. Solution

Upgrade to the XFree86-[server]-3.3.1-3 packages.

They can be found on Caldera's ftp site at:


The corresponding source code can be found at:


The MD5 checksums (from the "md5sum" command) for these
packages are:


To upgrade, it is assumed that you have already upgraded to the
XFree86-[server]-3.3.1-2 packages as discussed in Caldera
Security Advisory SA-1997.15 - (September 9, 1997 Vulnerability
in XFree86 3.2).

Because of item #1 in Description and Impact discussed above,
you will need to upgrade _all_ of the X servers installed on your
system, not just the server currently in use. To determine
which servers are present, type "ls /usr/X11R6/bin/XF86_*".
This should list the binary files for all of the X servers
installed on your system in the form XF86_[server], where [server]
is any or all of: { 8514, AGX, I128, Mach32, Mach64, Mach8, Mono,
P9000, S3, S3V, SVGA, VGA16, W32 }.

1. Upgrade all of the X servers in the following manner:

rpm -U XFree86-[server]-3.3.1-3.i386.rpm

Repeat the command above for all servers found with the
"ls /usr/X11R6/bin/XF86_*" command.

2. Upgrade the following packages:

rpm -U XFree86-Xnest-3.3.1-3.i386.rpm
rpm -U XFree86-Xprt-3.3.1-3.i386.rpm
rpm -U XFree86-Xvfb-3.3.1-3.i386.rpm
rpm -U XFree86-server-3.3.1-3.i386.rpm
rpm -U XFree86-setup-3.3.1-3.i386.rpm

IV. References / Credits

From: dube0866@eurobretagne.fr (Nicolas Dubee)
To: XFree86@XFree86.Org
Subject: [XFree86(TM) Bug Report] Security hole in XFree servers
Date: Sun, 7 Sep 1997 19:48:11 -0400 (EDT)
Message-Id: 199709072348.TAA29123@public.XFree86.Org

From: (shegget) root@SHEGG.RH1.IIT.EDU
Subject: XFree86 insecurity
Date: Fri, 21 Nov 1997 18:35:36 +0000
Message-ID: Pine.LNX.3.96.971121183345.723A-100000@shegg.rh1.iit.edu

From: (Willy TARREAU) tarreau@AEMIAIF.LIP6.FR
Subject: XFREE86 can block reserved ports
Date: Wed, 6 Aug 1997 10:14:30 +0200
Message-ID: 199708060814.KAA00775@aemiaif.lip6.fr

From: (Carlo Wood) carlo@RUNAWAY.XS4ALL.NL
Subject: X Security problem (?)
Date: Fri, 14 Nov 1997 02:13:22 +0100
Message-ID: 199711140113.CAA09289@jolan.xs4all.nl

From: (CERT(sm) Coordination Center) cert@cert.org
To: (Caldera Security) security@caldera.com
Subject: XF86 servers security hole (VU#16699) (caldera)
Date: Fri, 10 Oct 1997 12:03:22 -0400 (EDT)
Message-Id: 199710101603.MAA14448@yobbo.cert.org

This security fix closes Caldera's internal Problem Reports 823, 885,
1008, 1104, 1274.

This and other Caldera security resources are located at:


V. PGP Signature

This message was signed with the PGP key for security@caldera.com.

This key can be obtained from:

Or on an OpenLinux CDROM under:

$Id: SA-1997.34,v 1.2 1997/12/24 19:13:19 ron Exp $
