Slashdot Mirror
Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.
An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.
An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.
In other words, not much risk on single-user systems where the primary user is also the administrator. Recall that for decades the Windows default user had administrative privileges by design, without needing either sudo or a privilege escalation bug.
I am confused. Do those distros run X in root or wheel? I don't remember having to do this.
And are they saying other systems do app level sandboxing and prevent system level applications from writing wherever they like?
Your comment is funnier than you think since logind which part of the systemd project allows for X.Org to run rootless which completely avoid this very issue.
Xouvert, Wayland, Y, DirectFB, SVGAlib, Fbdev, Mir, NeWS and so many others have failed to break the X curse on Linux.
For starters, it doesn't ship your data to India or erase it
It's not about having Xorg being run as root (which is probably the case if you run an X display manager), but about the ability for a user to launch Xorg with root privileges (with the setuid bit).
On my Debian stretch, Xorg is not setuid, so there's no privilege escalation.
FTFA:
As a temporary solution, users can disable the Xorg binary by running the following command: /usr/X11R6/bin/Xorg
chmod u-s
Seriously, that guy is an idiot. Obviously doesn't understand what's a setuid bit and copy/pasting command lines as if it they were magic spells.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
I don't even get what the big problems are at this point. Five years ago there was a laundry list but everybody expected it to be default three years ago.
This is a problem because everybody knows X11 ain't no good anymore but nobody is fixing it because Wayland (nee "x12") is the fix.
Can somebody describe or link some current info here?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The X server, the software that runs on the local host, needs local root privileges to communicate directly with the graphics chipsets. So yes, the "/usr/bin/X" program typically runs as the root user.
BleepingComputer is great, but that's one sloppy headline.
A bug may be "trivial to exploit" (as in the summary), or it may be "trivial" because it is harmless. A "trivial bug" does not grant root.
The Daddy casts sleep on the Baby. The Baby resists!
The X server doesn't need direct access to the "graphics chipsets" (eg. the GPU). It is designed to run over network connections.
You've got it backwards, probably because of the unfortunate and counter-intuitive terminology they use.
The X server shows the graphics on the local terminal (which is usually the "client" hardware), and the X client is the interface used by the software application that can be running remotely (which is often on the "server" hardware). So the X server does need to access the GPU.
Despite massive advances in security and security models, certain popular hardware conspicuously requires drivers that subvert the security model by still requiring Xorg to be run as root. Want to take a guess as to whose driver is the primary culprit here?
I'll give you a hint. It starts with N and ends with Vidia.
Depends, if you use xenodm on OpenBSD X runs as ID _x11 not root. If you use startx, it runs as root. I wonder if on Linux you use a display manager X may runs under another ID.
Not surprised the terminology is backwards. The majority of Open Sores stuff is incredibly ass backwards
Absolutely not backwards. It's serving resources and makes perfect sense for clients to request those resources.
Nevertheless, they should have avoided the terms "server" and "client" altogether because they are so strongly associated with types of hardware. Having the server run on client hardware and the client run on server hardware is just damned confusing.
I've known this factoid for decades, and I still have to stop and sort it out in my head it every time I see the term "X server". The only people who would think that this is "obvious" would be dedicated GUI developers, which is probably about 0.01% of the user base.
They should have used less loaded terms, maybe something more along the lines of "sender" and "displayer".
Thread over. rootless X has been around longer than this bug
Login to your OpenBSD 6.4 box and:
# syspatch
Get/Verify syspatch64-001_xserver... 100% |***************| 1227 KB 00:00
Installing patch 001_xserver
There. All fixed now.
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
Having the server run on client hardware and the client run on server hardware is just damned confusing.
X applications don't and generally haven't run on this 'server' hardware you speak of. Even way back in the era of X Terminals the machine an X application was run on was more likely in a peering relationship.
This is a problem because everybody knows X11 ain't no good anymore but nobody is fixing it because Wayland (nee "x12") is the fix.
I'm going to disagree. X11 has its problems, but it's still plenty good and many of rely on it daily (using it right now in fact). It does everything I need so I don't see a big need to change. I'm sure others care more because they have different needs.
That being said, I'm trying to keep an open mind about Wayland to see what it's really like when it finally becomes mature enough; but I don't believe I truly need it so I'm not anticipating it and it can come when it's good and ready.
Whatever. Today, the client usually runs on the client hardware. Sometimes it runs on "peer" hardware. Sometimes it runs on server hardware. The server always runs on client hardware.
No matter what, it's a stupid ball of confusing terminology.
...something more along the lines of "sender" and "displayer".
It's Unix and open source. Naming things badly is a defacto requirement.
"I have only been able to come up with one algorithm for creating Unix command names: think of a good English word to describe what you want to do, then think of an obscure near- or partial-synonym, throw away all the vowels, arbitrarily shorten what's left, and then, finally, as a sop to the literate programmer, maybe reinsert one of the missing vowels."
-- Rachael Padman
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
It's not 'stupid' just because you mistakenly think you know what it means.
"Not surprised the terminology is backwards. The majority of Open Sores stuff is incredibly ass backwards"
I believe this terminology pre-dates open-source X implementations, and is used by all proprietary X implementations.
Try harder next time you try and troll ...
I must know, what is everyone doing remotely that they need X?
Only the State obtains its revenue by coercion. - Murray Rothbard
There's a lot of overblown complaints about X, either form people very ignorant or with an axe to grind. Often the complaints are about old things for which there are more modern API calls, but because X calls them extensions (API wasn't a common term in 1987) people flip their shit.
X certainly isn't prefect, it's warty in places but very battle tested and does a lot. Often half the features aren't interesting to someone, so the supposed replacements don't implement them, but it turns out not everyone's use case is the same.
SJW n. One who posts facts.
This is extremely useful to me. You can, log into a remote computer to use special software, or attached hardware, etc.. You can sit next to an arbitrary colleague and log into your computer showing some stuff or use the computer in the conference room to log into your computer running which runs some simulation and demonstrate live it in a presentation. It is just sad it is not supported more with moving windows or reconnecting which are both supported by X in the underlying protocol (I know I implemented proof-of-principle apps which do this, so please don't argue this would be impossible with X).
recompiling the X.org server in #t2sde Linux; https://www.youtube.com/watch?... ;-)
The other problem is that doesn't solve any real problem but takes a away features. A lot of people where misled to believe that here a huge performance gains or other advantages to be gained from switching away from X. But those are mostly based on myths on how about X works (e.g. the idea that extensions unused by modern apps somehow constrain them). Of course, Wayland just reimplements a small subset of X in a very similar way, so performance is essentially the same.
they should have avoided the terms "server" and "client" altogether because they are so strongly associated with types of hardware
Sounds like you need to broaden your horizons a bit. "Server" describes a pattern of processing data, whether hardware or software. It is well established and well understood terminology, regardless of your particular preconception.
When all you have is a hammer, every problem starts to look like a thumb.
It's not backwards if you accept the simple fact that the server is the software part which have multiple clients and will render the result onto hardware whereas it's clients are all the programs which want to draw something.
Skynet becomes self-aware at 02:14 am Eastern Time after its activation on August 4, 1997 and spends the rest of eternity pitting arguments for and against the X server/client terminology.
If you have something actively highlighted, middle-click (or both bottons clicked) will paste that highlighted text. If you've copied something using ctrl-c, ctrl-v will paste that copied text. If that copied text is different from something else subsequently highlighted, ctrl-v and middle click will have different results. Something I find useful when I need to paste different things in different places w/o copying them multiple times
Like MS could have fixed having to include C: in filename-paths?
Sometimes unfortunate design-choices can have a long life. You're faced with the dilemma of being backward-compliant, or tearing everything out and starting over. Usually the best approach is somewhere in between these extremes.
Open-source owes much of its success to embracing unix, with all of its warts. I think of it in the same way Winston Churchill thought of democracy, as the worst possible operating system, with the exception of all others that have been tried and discarded.
If it weren't for deadlines, nothing would be late.
Unix commands have been described as digestive noises, and a boon to two-finger typists. But the best explanation I have heard as to why they are so short and cryptic is that teletype terminals in the 1970s (when unix was developed) were slow, with keys that took some effort to press down. Reducing the number of characters you needed to type was helpful.
As unix moved onto CRT terminals with lighter-action keyboards, commands gradually got a bit longer. And sometimes improved commands got whimsical names, such as more evolving to less, and an improved man command being called woman.
Grudgingly, I must admit The Unix-Haters Handbook got it right:
A century ago, fast typists were jamming their keyboards, so engineers designed the QWERTY keyboard to slow them down. Computer keyboards don’t jam, but we’re still living with QWERTY today. A century from now, the world will still be living with rm.
If it weren't for deadlines, nothing would be late.
Thanks for taking the time to discuss this topic. it really helpful to the user. Recently I bought a new laptop having window 10 and when i tried to connect my laptop to the printer it shows error then i decided to take assistance from Printer in Error State team through https://www.canonprintersuppor... and I took. They assisted me perfectly to resolved my issues. so, anybody facing any type of issues they can go through the same.