Homeland Security Uncovers Critical Flaw in X11

← Back to Stories (view on slashdot.org)

Homeland Security Uncovers Critical Flaw in X11

Posted by ryuzaki0 on Tuesday May 2, 2006 @10:44AM from the nice-catch dept.

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

35 of 517 comments (clear)

OpenBSD fixed on Jan. 21, 2000 by Anonymous Coward · 2006-05-02 10:46 · Score: 4, Informative

Check the CVS server. OpenBSD 0wns again!
1. Re:OpenBSD fixed on Jan. 21, 2000 by LurkerXXX · 2006-05-02 11:19 · Score: 5, Informative
  
  OpenBSD fixes 'security holes' all the time, without even knowing it. If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future. Most of the time when they fix a 'hole', they never actually spotted the hole. They were just cleaning up messy looking code. A few years later (like in this case) it will often turn out that there was a security hole hidden in the mess.
  
  FYI, they do often send the cleaned version back to the codes maintainers, but they can't force them to use the re-arranged code, or port it to other systems. Sorry.
2. Re:OpenBSD fixed on Jan. 21, 2000 by dietrollemdefender · 2006-05-02 11:59 · Score: 5, Funny
  
  If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future.
  That is one brilliant policy! Kudos to whomever implemented that!
  It reminds of an incedent about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"
3. Re:OpenBSD fixed on Jan. 21, 2000 by strabo · 2006-05-02 12:11 · Score: 5, Funny
  
  March 10 would be more correct
  
  More specifically, March 10th of 2006. Seven weeks ago.
  
  Best part was the CVS log:
  
  Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:
  proper geteuid calls because suse hires people who mistype things
4. Re:OpenBSD fixed on Jan. 21, 2000 by Nutria · 2006-05-02 12:50 · Score: 5, Interesting
  
  "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read.
  
  That reminds me of the Kernighan quote, which I heartily agree with:
  "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."
  
  --
  "I don't know, therefore Aliens" Wafflebox1
5. Re:OpenBSD fixed on Jan. 21, 2000 by Nutria · 2006-05-02 22:11 · Score: 5, Insightful
  
  Then if I want to do my own debugging, I should only put half my effort into coding!
  
  Funny, and almost right.
  
  Put all your brains, but half of your cleverness into coding.
  
  IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.
  
  I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
Related news by LiquidCoooled · 2006-05-02 10:46 · Score: 5, Funny

In related news, the Department of Homeland security has notifed 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of soduku puzzles in newspapers around the country.

Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".

--
liqbase :: faster than paper
1. Re:Related news by rbochan · 2006-05-02 10:58 · Score: 5, Funny
  
  "This message brought to you by AT&T"
  
  --
  ...Rob
  The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
2. Re:Related news by PlusFiveTroll · 2006-05-02 11:10 · Score: 4, Interesting
  
  Should this be modded funny or sad?
3. Re:Related news by x2A · 2006-05-02 11:19 · Score: 4, Funny
  
  oh yeah, it was also missing the opening one, but it sounds like a bigger danger if they only point out the closing one was missing (OMG, it was left open!) ;-)
  
  --
  The revolution will not be televised... but it will have a page on Wikipedia
4. Re:Related news by mattwarden · 2006-05-02 11:21 · Score: 5, Informative
  
  You're misinterpreting what the problem was. It was a change from this:
  
  if (getuid() == 0 || geteuid != 0)
  
  to this:
  
  if (getuid() == 0 || geteuid() != 0)
5. Re:Related news by prockcore · 2006-05-02 12:22 · Score: 4, Insightful
  
  You're misinterpreting what the problem was. It was a change from this:
  
  if (getuid() == 0 || geteuid != 0)
  
  to this:
  
  if (getuid() == 0 || geteuid() != 0)
  
  This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.
  
  (And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)
6. Re:Related news by Reverend528 · 2006-05-02 13:41 · Score: 5, Funny
  
  This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.
  It drives me nuts too. That's why i use the -fsyntax-only option whenever I compile anything. It gets rid of the warnings so you know your code is safe!
  
  --
  Badass Resumes
Way to go, boys! by Junior+J.+Junior+III · 2006-05-02 10:48 · Score: 5, Funny

Kudos to the heroes who painstakingly reinserted the missing parenthesis!

--
You see? You see? Your stupid minds! Stupid! Stupid!
Any word on the fix? by FirstTimeCaller · 2006-05-02 10:48 · Score: 5, Funny

A missing parentheses in a bit of code is to blame...the flaw has already been corrected.

Any word on exactly what the fix was?

--
Wanted: witty unique signature. Must be willing to relocate.
1. Re:Any word on the fix? by fryguybob · 2006-05-02 11:08 · Score: 5, Informative
  
  it was a missing pair of parentheses:
  
  http://xorg.freedesktop.org/releases/X11R7.0/patch es/xorg-server-1.0.1-geteuid.diff
  
  http://lists.freedesktop.org/archives/xorg/2006-Ma rch/013992.html
2. Re:Any word on the fix? by RemovableBait · 2006-05-02 11:14 · Score: 5, Funny
  
  * <-- Joke
  
  * <-- Your Head
Re:Already Corrected? by Vyvyan+Basterd · 2006-05-02 10:54 · Score: 5, Insightful

Why are you running X11 on your servers?
Re:Only one? by Frosty+Piss · 2006-05-02 10:56 · Score: 4, Funny

They uncovered only one flaw? Sheesh.
Only one that they are telling us about...

--
If you want news from today, you have to come back tomorrow.
watch out for their patches, though by Anonymous Coward · 2006-05-02 10:58 · Score: 5, Funny

#define ) ); Install_Patriot_PhoneHome();
Little known fact... by Junta · 2006-05-02 10:59 · Score: 4, Funny

X11 is actually written entirely in LISP, and therefore there are too many parentheses for a mere mortal to ever get straight.

--
XML is like violence. If it doesn't solve the problem, use more.
Re:Already Corrected? by Anonymous Coward · 2006-05-02 11:06 · Score: 5, Funny

Maybe it's an X11 server.
The compiler just does what you ask. by EmbeddedJanitor · 2006-05-02 11:13 · Score: 4, Informative

if you said a + b * c but you really wanted (a + b) * c the compiler won't bleat.

--
Engineering is the art of compromise.
Not Quite by mattwarden · 2006-05-02 11:15 · Score: 5, Funny

Actually, it was not a missing parenthesis, but a missing parenthetical.
double r; r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) ); if ( r < 0.5 ) gotroot(true);
And the patched code:
double r; r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) ); if ( r < 0.5 ) gotroot(true); (just kidding!)
Re:So does this mean? by AtomicX · 2006-05-02 11:18 · Score: 5, Insightful

In most cases the compiler will catch errors caused by typos and omissions, but it is perfectly possible to write code containing typos or missing characters which are still valid.

I had a quick look on Coverity's website and this appears to be the relevant line of code:

- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)

In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.

The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.

The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).
Re:Sometimes gentoo is a pain. by Anonymous Coward · 2006-05-02 11:23 · Score: 5, Insightful

The impression I get is that it shouldn't be easily exploitable. By default, Gentoo (and any sensible distro) configures X11 to disable remote connections. Also, you should have some sort of firewall blocking the relevant ports anyway. If it is really exploitable, the attacker would probably need access to the machine anyway (at which point, you're largely already screwed).

Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.

It took some digging to find the actual advisory:

http://lists.freedesktop.org/archives/xorg/2006-Ma y/015136.html
Missing *pair* of parentheses by Chirs · 2006-05-02 11:23 · Score: 4, Informative

The fix was posted before, but the problem was that someone used "geteuid" rather than "geteuid()".

This results in making use of the function address rather than the return value of the function, which could cause difficulties.
This is not a remote root vunerability by Technician · 2006-05-02 11:25 · Score: 4, Insightful

Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)

--
The truth shall set you free!
Re:OS X? by Carnildo · 2006-05-02 11:31 · Score: 4, Informative

OSX ships XFree86 4.3.0, which is not vulnerable.

--
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Missing the point..... by TheDukePatio · 2006-05-02 11:38 · Score: 5, Interesting

I see a ton of comments mod'd Funny, but what I'm surprised folks haven't focused on yet is the fact that it was found in OSS. The reason they're able to find, report, and get it fixed in a week is the fact that it's OSS. It's understandable that the DoHS is going to want to do a security audit on things like this.
I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.

--
To Alcohol! The cause of, and solution to, all of life's problems.
1. Re:Missing the point..... by ipfwadm · 2006-05-02 14:33 · Score: 4, Interesting
  
  On the other hand, because its OSS now all of the machines that remain unpatched have an exploit that is not only known, but but publicized by the developer, with diffs showing *exactly* what line of code the error is on.
  
  While I hate to sound like all the other OSS apologists that have posted so far ("yeah there's an exploit, but think of how many we could find if we could run it on the Windows source!" and other such tripe that ignores the fact that a serious bug was found in OSS software), your argument is a bunch of crap. You're basically saying that exploits in closed-source software are unknown and unpublicized, which is ridiculous.
  
  As for your Apache example, it would be just as simple to see what version of IIS a machine is running and look through MS KB to find the known exploits against it. Or look at bugtraq. Or anywhere else on the Internet. Just because the source is a secret doesn't mean the details of the available exploits are too.
  
  Oh and knowing the line of source code on which that the error exists is entirely irrelevant to the discussion -- having that knowledge doesn't make using an exploit any easier or more difficult. It may assist in developing new exploits, but when attempting to use one that has been found, that knowledge is superfluous.
Wow. Homeland Security.... by tomq123 · 2006-05-02 12:00 · Score: 5, Funny

is getting close to being able to do what they portray on 24.

Jack: I'm running out of time. I need that salelite image.
Chloe: I opened a socket into a NASA server and retasking the satelite.
Jack: Great, download the image to my PDA.
Chloe: I need your IP address.
Jack: 1.2.123.129
Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
Jack: I've got it. Thanks Chloe.
Chloe: Whatever...
UIDs by r00t · 2006-05-02 12:23 · Score: 5, Informative

The effective UID (euid) is changed when you run a setuid app, while the real UID (uid in this case, or ruid) is not.

The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.

There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.
the usual confusion by penguin-collective · 2006-05-02 13:05 · Score: 5, Insightful

There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.

It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur tothem.
Critique... by jd · 2006-05-02 15:54 · Score: 4, Interesting
1. Knowing the line won't help you figure out the exploit
2. Whether anyone tells you about a bug or not, you're always capable of scanning source - or even binaries - in search of unknown exploits
3. You knowing about a bug doesn't alter the odds of "Them" knowing about a bug - it only alters the odds of you fixing it
4. X11 bugs are rarely externally exploitable, as not many people run X sessions over the public internet and therefore those ports will be blocked at the corporate (or personal) firewall
5. The mathematical model of conflict ("Game Theory") only has a solution (ie: win no matter what the opponent does) when both sides know absolutely everything, ergo the only way to establish a sane IT security policy is to assume the attacker knows all the defects and exploits that exist, whether they are published or not
That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.

(At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)
--
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)