SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#837857

X.Org server fails to properly test for effective user ID

Overview

A vulnerability in the X.Org server could allow a local attacker to gain administrative privileges or cause a denial of service on an affected system.

I. Description

The X.Org server program provides several command-line options that are meant to be parsed only when the program is running as root. These include -modulepath, which specifies the location from which to load modules providing server functionality, and -logfile, which specifies the location of the server log file. Normally, these options cannot be changed by unprivileged users.

A flaw exists in the way that the server enforces this restriction because it evaluates the address of the geteuid function instead of the result of executing the function (i.e., "geteuid" versus "geteuid()"). This test is flawed because the address of geteuid is guaranteed to be nonzero. As a result, an unprivileged user can load modules from any location on the file system with root privileges or overwrite critical system files with the server log.

II. Impact

If the X.Org server program is setuid to root, as is typically the case, an authenticated local attacker can execute code or overwrite system files with administrative privileges on an affected system.

III. Solution

Apply a patch from the vendor


Patches have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Users who compile the X.Org server from source code or obtain binary releases directly from X.Org are encouraged to take the actions specified in the corresponding X.Org Security Advisory.

Systems Affected

VendorStatusDate NotifiedDate Updated
Fedora ProjectVulnerable24-Jul-2006
Mandriva, Inc.Vulnerable24-Jul-2006
Sun Microsystems, Inc.Vulnerable24-Jul-2006
SUSE LinuxVulnerable24-Jul-2006
X.org FoundationVulnerable24-Jul-2006

References


http://lists.freedesktop.org/archives/xorg/2006-March/013992.html
http://www.securityfocus.com/bid/17169
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:056
http://secunia.com/advisories/19256/
http://secunia.com/advisories/19311/
http://secunia.com/advisories/19316/
http://secunia.com/advisories/19307/
http://www.auscert.org.au/6142
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102252-1
http://www.auscert.org.au/6142

Credit

Thanks to the X.Org Foundation for reporting this vulnerability. They, in turn, credit Coverity with discovering and reporting this vulnerability to them.

This document was written by Chad R Dougherty.

Other Information

Date Public:2006-03-20
Date First Published:2006-08-16
Date Last Updated:2006-08-17
CERT Advisory: 
CVE-ID(s):CVE-2006-0745
NVD-ID(s):CVE-2006-0745
US-CERT Technical Alerts: 
Metric:18.44
Document Revision:16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader