
This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

Overwrite arbitrary files? Load arbitrary code? As setuid root? Sure, why not!

By Richard Chirgwin


X.org, the X Window server used by various desktop Linux and BSD operating systems, has – depending on its configuration – a security vulnerability that can be exploited to gain root powers.

If a vulnerable version of X.org runs on a system as setuid root, it can be abused by normal logged-in users to gain administrator-level control over the machine. That would allow a miscreant to tamper with files, install spyware, and so on. Some Linux distros don't use X.org with elevated privileges, or are otherwise immune – such as CentOS; check for security updates anyway.

Specifically, the flaw, designated CVE-2018-14665, can be exploited to inject user-supplied code into a root-privileged X.org process, via the -modulepath command line switch, or overwrite files on the system, via the -logfile switch. The latter can be used to overwrite the shadow password file on a computer to allow access to the root user without a password.

This Red Hat bug report described it as "an incorrect permission check for -modulepath and -logfile options when starting X.Org," adding: "X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges."

It's trivially exploitable, as Matthew Hickey, cofounder of British security shop Hacker House, tweeted:

cd /etc; Xorg -fp "root::16431:0:99999:7:::"  -logfile shadow  :1;su

This, the tweet explained, will “overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other X.org desktop also affected.”

"The bug is so simple, it's amazing that it slipped through into OpenBSD 6.4: usually the OS is more resilient to such attacks," he told The Register.

"The worst part is this type of bug is a classic 1990s-era mistake: overwriting files requires no complex memory corruption techniques. A few simple commands and you can become root. It's going to be widespread in a lot of places, and as it's so easy to exploit, it will be used quickly by attackers.

"Weaknesses in the desktop components have been a source of privilege escalation attacks for years, but we haven't seen one this trivial to exploit for some time."

X.Org's advisory goes into more detail, and explains why the bug isn't present across all operating system distributions. The bug was introduced in X.Org server 1.19.0, released in November 2016, and discovered by Narendra Shinde.

If you can't patch, there are two workarounds: either remove the setuid bit from the X.Org binary, which its developers warn can break systems that start the X Window system using startx or xinit, or use a display manager to start X sessions instead.
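A quick way to check a machine for the precondition the article describes (an X.Org server binary installed setuid root, at version 1.19.0 or later) is the script below. It is an added example, not code from the article, Hacker House or X.Org; the candidate binary paths, the GNU coreutils stat -c flags and the "X.Org X Server <version>" line expected from Xorg -version are assumptions. It only reports and changes no permissions.

```shell
#!/bin/sh
# Added example, not from the article, Hacker House or X.Org: report whether an
# installed X.Org server has the precondition the article describes for
# CVE-2018-14665 (binary setuid root) and is at version 1.19.0 or later, where
# the article says the bug was introduced. It only reports; it changes nothing.

# is_setuid_root MODE OWNER
# MODE is the octal mode printed by `stat -c %a` (e.g. 4755). A four-digit mode
# whose leading digit is 4, 5, 6 or 7 carries the setuid bit.
is_setuid_root() {
    case "$1" in
        [4-7]???) [ "$2" = "root" ] ;;
        *)        false ;;
    esac
}

# version_at_least HAVE WANT: true when dotted version HAVE >= WANT, comparing
# up to three numeric components (missing components count as 0).
version_at_least() {
    have="$1"; want="$2"
    oldifs=$IFS; IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    IFS=$oldifs
    if   [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ]
    elif [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ]
    else                           [ "$h3" -ge "$w3" ]
    fi
}

# assess_xorg MODE OWNER VERSION prints one of:
#   not-setuid  unprivileged users cannot reach root through this binary
#   pre-1.19    setuid root, but predates the release that introduced the bug
#   at-risk     setuid root and 1.19.0 or later: apply the vendor update, or
#               use one of the article's workarounds
assess_xorg() {
    if ! is_setuid_root "$1" "$2"; then
        echo not-setuid
    elif ! version_at_least "$3" 1.19.0; then
        echo pre-1.19
    else
        echo at-risk
    fi
}

# check_installed_xorg: inspect the live system. Assumptions (not from the
# article): GNU coreutils `stat -c`, the candidate paths below, and that
# `Xorg -version` prints a line beginning "X.Org X Server <version>".
check_installed_xorg() {
    for bin in /usr/bin/Xorg /usr/lib/xorg/Xorg /usr/libexec/Xorg /usr/X11R6/bin/Xorg; do
        [ -x "$bin" ] || continue
        mode=$(stat -c %a "$bin")
        owner=$(stat -c %U "$bin")
        version=$("$bin" -version 2>&1 | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1)
        printf '%s mode=%s owner=%s version=%s verdict=%s\n' \
            "$bin" "$mode" "$owner" "${version:-unknown}" \
            "$(assess_xorg "$mode" "$owner" "${version:-0}")"
    done
}

# Run the live check only when asked, e.g. `sh check-xorg.sh --live`.
if [ "${1:-}" = "--live" ]; then
    check_installed_xorg
fi
```

An "at-risk" verdict only means the two conditions the article names are both present; whether a given distribution's package already carries the fix is a question for that distribution's security advisory, which is why the script defers to vendor updates rather than guessing a fixed version.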

A two-year-old bug is nowhere near a record for X.Org. Back in 2014, IOActive's Ilja van Sprundel found a 27-year-old bug in the X Window server. ®
