Slashdot Mirror
Homeland Security Uncovers Critical Flaw in X11
Amy's Robot writes "An open-source security audit program funded by the U.S. Department of
Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.
In related news, the Department of Homeland security has notifed 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of soduku puzzles in newspapers around the country.
Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".
liqbase
Kudos to the heroes who painstakingly reinserted the missing parenthesis!
You see? You see? Your stupid minds! Stupid! Stupid!
A missing parentheses in a bit of code is to blame...the flaw has already been corrected.
Any word on exactly what the fix was?
Wanted: witty unique signature. Must be willing to relocate.
Why are you running X11 on your servers?
Maybe it's an X11 server.
Actually, it was not a missing parenthesis, but a missing parenthetical.
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true);
And the patched code:
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true); (just kidding!)
In most cases the compiler will catch errors caused by typos and omissions, but it is perfectly possible to write code containing typos or missing characters which are still valid.
I had a quick look on Coverity's website and this appears to be the relevant line of code:
- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)
In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.
The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.
The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).
OpenBSD fixes 'security holes' all the time, without even knowing it. If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future. Most of the time when they fix a 'hole', they never actually spotted the hole. They were just cleaning up messy looking code. A few years later (like in this case) it will often turn out that there was a security hole hidden in the mess.
FYI, they do often send the cleaned version back to the codes maintainers, but they can't force them to use the re-arranged code, or port it to other systems. Sorry.
The impression I get is that it shouldn't be easily exploitable. By default, Gentoo (and any sensible distro) configures X11 to disable remote connections. Also, you should have some sort of firewall blocking the relevant ports anyway. If it is really exploitable, the attacker would probably need access to the machine anyway (at which point, you're largely already screwed).
a y/015136.html
Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.
It took some digging to find the actual advisory:
http://lists.freedesktop.org/archives/xorg/2006-M
I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.
To Alcohol! The cause of, and solution to, all of life's problems.
That is one brilliant policy! Kudos to whomever implemented that!
It reminds of an incedent about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"
is getting close to being able to do what they portray on 24.
Jack: I'm running out of time. I need that salelite image.
Chloe: I opened a socket into a NASA server and retasking the satelite.
Jack: Great, download the image to my PDA.
Chloe: I need your IP address.
Jack: 1.2.123.129
Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
Jack: I've got it. Thanks Chloe.
Chloe: Whatever...
More specifically, March 10th of 2006. Seven weeks ago.
Best part was the CVS log:
The effective UID (euid) is changed when you run a setuid app, while the real UID (uid in this case, or ruid) is not.
The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.
There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.
That reminds me of the Kernighan quote, which I heartily agree with:
"I don't know, therefore Aliens" Wafflebox1
There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.
It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur tothem.
Then if I want to do my own debugging, I should only put half my effort into coding!
Funny, and almost right.
Put all your brains, but half of your cleverness into coding.
IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.
I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.
"I don't know, therefore Aliens" Wafflebox1