Slashdot Mirror


Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.


  1. Already Corrected? by mythosaz · · Score: 1, Insightful

    Already corrected on what?

    Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?

    Oh sure, I'm trolling - but the point is this ISN'T updated on machines around the world. It's updated on a few machines that HAVE some sort of auto-update service (of which many required a fee with your "enterprise service license") and it may or may not be updated when you install a new machine.

    I know *MY* servers aren't updated...yet.

    1. Re:Already Corrected? by Vyvyan+Basterd · · Score: 5, Insightful

      Why are you running X11 on your servers?

    2. Re:Already Corrected? by wobblie · · Score: 3, Insightful

      uh, you display it somewhere else.

    3. Re:Already Corrected? by nagora · · Score: 2, Insightful
      Servers should NOT be running X servers.

      That's gonna ruin someone's LTS system.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    4. Re:Already Corrected? by cortana · · Score: 2, Insightful

      In which case it won't be running the X server, which is the program in which this flaw resides. :)

  2. Advisory by Anonymous Coward · · Score: 2, Insightful

    If you're wondering, here is the relevant SUSE security advisory from 21.3 - http://www.novell.com/linux/security/advisories/2006_16_xorgx11server.html

  3. Re:Related news by Bush+Pig · · Score: 3, Insightful

    What I'd really like to know is how come the code even compiled if it was missing a closing parenthesis somewhere. None of mine ever does in that circumstance.

    --
    What a long, strange trip it's been.
  4. Re:So does this mean? by AtomicX · · Score: 5, Insightful

    In most cases the compiler will catch errors caused by typos and omissions, but it is perfectly possible to write code containing typos or missing characters which are still valid.

    I had a quick look on Coverity's website and this appears to be the relevant line of code:

    - if (getuid() == 0 || geteuid != 0)
    + if (getuid() == 0 || geteuid() != 0)
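
    Review bot: in the `-` line, `geteuid != 0` compares the address of the geteuid function with zero, and a function's address is never zero, so that operand is always true and the effective uid is never consulted; the `+` line restores the call. Comparing a function designator with 0 is something gcc warns about under -Wall, so building privileged code like this with warnings enabled (and treated as errors) would have caught the typo before it shipped.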

    In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.

    The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.

    The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
    Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).

  5. Re:Sometimes gentoo is a pain. by Anonymous Coward · · Score: 5, Insightful

    The impression I get is that it shouldn't be easily exploitable. By default, Gentoo (and any sensible distro) configures X11 to disable remote connections. Also, you should have some sort of firewall blocking the relevant ports anyway. If it is really exploitable, the attacker would probably need access to the machine anyway (at which point, you're largely already screwed).

    Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.

    It took some digging to find the actual advisory:

    http://lists.freedesktop.org/archives/xorg/2006-May/015136.html

  6. This is not a remote root vulnerability by Technician · · Score: 4, Insightful

    Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)

    --
    The truth shall set you free!
  7. Re:Related news by fbjon · · Score: 2, Insightful

    It's not always matching because getuid != geteuid.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  8. Re:Related news by nuzak · · Score: 2, Insightful
    --
    Done with slashdot, done with nerds, getting a life.
  9. Another score for open source! by MoxFulder · · Score: 2, Insightful

    The advantage of open source shines through once again! This couldn't have happened with MS Windows, that's for sure... without access to the source code, this bug couldn't have been discovered, let alone fixed so quickly.

    (And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)

  10. Re:This is not a remote root vulnerability by tokabola · · Score: 2, Insightful

    AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.

    I realize that it's too much to assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.

    --
    Open Source for Open Minds
  11. Re:Related news by prockcore · · Score: 4, Insightful
    You're misinterpreting what the problem was. It was a change from this:

    if (getuid() == 0 || geteuid != 0)

    to this:

    if (getuid() == 0 || geteuid() != 0)


    This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

    (And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)

  12. the usual confusion by penguin-collective · · Score: 5, Insightful

    There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.

    It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.

    1. Re:the usual confusion by haroldhunt · · Score: 2, Insightful

      Uhh... coming from someone with 5 years of experience in the X Window System, your statement that X11 refers to a protocol and not a codebase is overly pedantic and not truly reflective of reality.

      The name 'X11' effectively refers to a code base because the 'sample implementation', which was extended for specific hardware by XFree86 and X.org, is the basis of almost all X Servers in existence. For example, Sun and HP both ship their own X Servers, but the base upon which they implemented their device-dependent code for specific video cards and input devices. Free X servers for Windows and Mac OS X both use the sample implementation (X.org to be specific). Commercial X Servers for Windows all seem to use the sample implementation as well. The only non-sample implementation X Server that I know of is WeirdX, an X Server written entirely in Java, which implies that everything would have to have been rewritten.

      Harold

  13. Re:Related news by Anpheus · · Score: 3, Insightful

    They can only make your decisions for you when you use an unencrypted method of communication.

  14. I don't understand the intention of the fixed code by gfim · · Score: 2, Insightful
    The fixed code is
    if (getuid() == 0 || geteuid() != 0) do something that only root can do
    What is the intention of this test? Allow something to be done if the real user id is zero (i.e. it is root logged in) or if the effective user id is not zero (i.e. if the program is running as setuid to somebody other than root). That doesn't make a lot of sense to me.
    --
    Graham
  15. Re:I don't understand the intention of the fixed c by acoopersmith · · Score: 3, Insightful

    It's in code that allows you to do things like load code modules from other paths, so it's only allowed if you're already root or not running setuid-root. (It should probably check that you're not running setuid at all, but there's no real point having Xorg setuid to anyone but root, so no one has added that check.)

  16. Re:OpenBSD fixed on Jan. 21, 2000 by 93+Escort+Wagon · · Score: 1, Insightful

    Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:
    proper geteuid calls because suse hires people who mistype things
    Incidentally, this also confirms most non-BSDers' opinion of Theo.
    --
    #DeleteChrome
  17. Re:Related news by HeroreV · · Score: 1, Insightful

    So one function returns 0 when successful, while the other returns 0 when unsuccessful? What the hell is going on here?

    Not even considering the bug, that's some pretty horrific coding. Is all of X written this poorly?

  18. Agree with the sentiment, but.... by Junta · · Score: 2, Insightful

    Unfortunately, the distros compete with the likes of Windows. As such, though technically speaking X on a multi-user system of any remote importance is a bad idea, if you shrug off X on servers Windows administrators may not like it as much. Install Red Hat or SuSE server oriented distributions and by default you still end up with an X environment. Good administrators know not to run X and it is powerful and even more convenient to run X apps remotely or inside a detachable VNC session. For small business to medium business/departmental servers, expect X servers to be the norm in the enterprise despite best practice.

    The obvious solution is X not as root, so the worst you can do is screw around with the devices X really needs access to (screw around with the graphics, and local input devices, but an administrator can still ssh and have an intact, secure system in the ways that matter)

    --
    XML is like violence. If it doesn't solve the problem, use more.
  19. Re:OpenBSD fixed on Jan. 21, 2000 by Alioth · · Score: 2, Insightful

    The truth sometimes hurts. Theo de Raadt just doesn't dress it up. I wouldn't hire Theo as a diplomat (well, not unless I wanted to actually start a war), but I would hire him as someone who can write secure code. I don't care if he has no social skills; I'm after secure code. That's why we use OpenBSD for security critical things.

  20. Re:OpenBSD fixed on Jan. 21, 2000 by Nutria · · Score: 5, Insightful

    Then if I want to do my own debugging, I should only put half my effort into coding!

    Funny, and almost right.

    Put all your brains, but half of your cleverness into coding.

    IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

    I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.

    --
    "I don't know, therefore Aliens" Wafflebox1
  21. Re:OpenBSD fixed on Jan. 21, 2000 by Kjella · · Score: 2, Insightful

    IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

    And the corollary to that: If you are (trying to be) clever, leave comments about what you're doing. Whoever might have to review/fix your code will greatly appreciate it. Remember, that person might be YOU. While I still try to be clever a little too often, it makes it incredibly much easier to fix.

    --
    Live today, because you never know what tomorrow brings
  22. seriously? by YesIAmAScript · · Score: 2, Insightful

    In concept, there is a separate protocol and implementation of X. But the source has been available under a very permissive license since the very beginning. Because of this, the only thing I've ever seen that was reimplemented was the server (window server), everything else has just been compiled directly from the reference sources.

    And even those window servers are compiled from sources derived from the reference sources, with patches.

    Do you actually know of any implementations of X other than the two you mentioned? I tried to search for some and couldn't find any.

    --
    http://lkml.org/lkml/2005/8/20/95