Vulnerability Note VU#837857
X.Org server fails to properly test for effective user ID
Overview
A vulnerability in the X.Org server could allow a local attacker to gain administrative privileges or cause a denial of service on an affected system.
Description
The X.Org server program provides several command-line options that are meant to be parsed only when the program is running as root. These include -modulepath, which specifies the location from which to load modules providing server functionality, and -logfile, which specifies the location of the server log file. Normally, these options cannot be changed by unprivileged users. A flaw exists in the way that the server enforces this restriction because it evaluates the address of the geteuid function instead of the result of executing the function (i.e., "geteuid" versus "geteuid()"). This test is flawed because the address of geteuid is guaranteed to be nonzero. As a result, an unprivileged user can load modules from any location on the file system with root privileges or overwrite critical system files with the server log.
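The difference between testing the address of geteuid and testing its result is shown in the following added example, which is not the X.Org source. The names flawed_option_allowed, fixed_option_allowed, uid_fn, uid_root and uid_user are hypothetical, and the policy (refuse the option when a setuid-root binary is run by a non-root user) is an assumption based on the description above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper type: a function returning a user ID, like getuid/geteuid. */
typedef uid_t (*uid_fn)(void);

/* Flawed check: "effective_uid == 0" compares the function's ADDRESS with 0.
 * The function is never called and its address is nonzero, so the
 * "setuid-root binary run by a non-root user" case is never detected. */
bool flawed_option_allowed(uid_fn real_uid, uid_fn effective_uid)
{
    bool elevated = (real_uid() != 0) && (effective_uid == 0);
    return !elevated;
}

/* Corrected check: call the function and compare its RESULT with 0. */
bool fixed_option_allowed(uid_fn real_uid, uid_fn effective_uid)
{
    bool elevated = (real_uid() != 0) && (effective_uid() == 0);
    return !elevated;
}

/* Constructed stand-ins so the setuid case can be shown without a setuid binary. */
static uid_t uid_root(void) { return 0; }
static uid_t uid_user(void) { return 1000; }

int main(void)
{
    /* Real uid 1000, effective uid 0: the case the restriction exists for. */
    printf("setuid-root, run by uid 1000: flawed=%d fixed=%d\n",
           flawed_option_allowed(uid_user, uid_root),
           fixed_option_allowed(uid_user, uid_root));
    /* Real root: the option is legitimately available. */
    printf("run by root:                  flawed=%d fixed=%d\n",
           flawed_option_allowed(uid_root, uid_root),
           fixed_option_allowed(uid_root, uid_root));
    /* The current process, using the real library functions. */
    printf("this process:                 flawed=%d fixed=%d\n",
           flawed_option_allowed(getuid, geteuid),
           fixed_option_allowed(getuid, geteuid));
    return 0;
}
```

When the comparison is written directly against the library function (geteuid == 0), GCC's -Waddress warning, which is part of -Wall, reports that the address can never be null.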
Impact
If the X.Org server program is setuid to root, as is typically the case, an authenticated local attacker can execute code or overwrite system files with administrative privileges on an affected system.
Solution
Apply a patch from the vendor.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Fedora Project | Affected | - | 24 Jul 2006 |
| Mandriva, Inc. | Affected | - | 24 Jul 2006 |
| Sun Microsystems, Inc. | Affected | - | 24 Jul 2006 |
| SUSE Linux | Affected | - | 24 Jul 2006 |
| X.org Foundation | Affected | - | 24 Jul 2006 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://lists.freedesktop.org/archives/xorg/2006-March/013858.html
- http://www.securityfocus.com/bid/17169
- http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:056
- http://secunia.com/advisories/19256/
- http://secunia.com/advisories/19311/
- http://secunia.com/advisories/19316/
- http://secunia.com/advisories/19307/
- http://www.auscert.org.au/6142
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102252-1
Credit
Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Coverity with discovering and reporting this vulnerability to them.
This document was written by Chad R Dougherty.
Other Information
- CVE IDs: CVE-2006-0745
- Date Public: 20 Mar 2006
- Date First Published: 16 Aug 2006
- Date Last Updated: 20 Nov 2009
- Severity Metric: 18.44
- Document Revision: 17