Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parenthesis in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.
  • Already Corrected? (Score:1, Insightful)

    by mythosaz ( 572040 ) on Tuesday May 02, 2006 @06:50PM (#15249778)
    Already corrected on what?

    Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?

    Oh sure, I'm trolling - but the point is this ISN'T updated on machines around the world. It's updated on a few machines that HAVE some sort of auto-update service (of which many required a fee with your "enterprise service license") and it may or may not be updated when you install a new machine.

    I know *MY* servers aren't updated...yet.
  • by Vyvyan Basterd ( 972007 ) on Tuesday May 02, 2006 @06:54PM (#15249803)
    Why are you running X11 on your servers?
  • Advisory (Score:2, Insightful)

    by Anonymous Coward on Tuesday May 02, 2006 @07:04PM (#15249873)
    If you're wondering, here is the relevant SUSE security advisory from 21.3 - http://www.novell.com/linux/security/advisories/2006_16_xorgx11server.html
  • by wobblie ( 191824 ) on Tuesday May 02, 2006 @07:06PM (#15249889)
    uh, you display it somewhere else.
  • Re:Related news (Score:4, Insightful)

    by Bush Pig ( 175019 ) on Tuesday May 02, 2006 @07:13PM (#15249943)
    What I'd really like to know is how come the code even compiled if it was missing a closing parenthesis somewhere. None of mine ever does in that circumstance.

  • by AtomicX ( 616545 ) on Tuesday May 02, 2006 @07:18PM (#15249977)
    In most cases the compiler will catch errors caused by typos and omissions, but it is perfectly possible to write code containing typos or missing characters which are still valid.

    I had a quick look on Coverity's website and this appears to be the relevant line of code:

    - if (getuid() == 0 || geteuid != 0)
    + if (getuid() == 0 || geteuid() != 0)

    In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.

    The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.

    The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
    Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).
  • by Anonymous Coward on Tuesday May 02, 2006 @07:23PM (#15250014)
    The impression I get is that it shouldn't be easily exploitable. By default, Gentoo (and any sensible distro) configures X11 to disable remote connections. Also, you should have some sort of firewall blocking the relevant ports anyway. If it is really exploitable, the attacker would probably need access to the machine anyway (at which point, you're largely already screwed).

    Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.

    It took some digging to find the actual advisory:

    http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
  • by nagora ( 177841 ) on Tuesday May 02, 2006 @07:24PM (#15250028)
    Servers should NOT be running X servers.

    That's gonna ruin someone's LTS system.

    TWW

  • by Technician ( 215283 ) on Tuesday May 02, 2006 @07:25PM (#15250033)
    Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)

  • Re:Related news (Score:3, Insightful)

    by fbjon ( 692006 ) on Tuesday May 02, 2006 @07:42PM (#15250151) Homepage Journal
    It's not always matching because getuid != geteuid.
  • Re:Related news (Score:3, Insightful)

    by nuzak ( 959558 ) on Tuesday May 02, 2006 @07:42PM (#15250153) Journal
  • by MoxFulder ( 159829 ) on Tuesday May 02, 2006 @07:45PM (#15250172) Homepage
    The advantage of open source shines through once again! This couldn't have happened with MS Windows, that's for sure... without access to the source code, this bug couldn't have been discovered, let alone fixed so quickly.

    (And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)
  • by tokabola ( 771071 ) on Tuesday May 02, 2006 @08:05PM (#15250276) Homepage

    AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.

    I realize that it's too much to assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.

  • Re:Related news (Score:5, Insightful)

    by prockcore ( 543967 ) on Tuesday May 02, 2006 @08:22PM (#15250357)

    You're misinterpreting what the problem was. It was a change from this:

    if (getuid() == 0 || geteuid != 0)

    to this:

    if (getuid() == 0 || geteuid() != 0)


    This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

    (And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)
    by cortana ( 588495 ) on Tuesday May 02, 2006 @08:59PM (#15250538) Homepage
    In which case it won't be running the X server, which is the program in which this flaw resides. :)
  • by penguin-collective ( 932038 ) on Tuesday May 02, 2006 @09:05PM (#15250570)
    There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.

    It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.
  • Re:Related news (Score:3, Insightful)

    by Anpheus ( 908711 ) on Tuesday May 02, 2006 @09:10PM (#15250600)
    They can only make your decisions for you when you use an unencrypted method of communication.
  • by gfim ( 452121 ) on Tuesday May 02, 2006 @09:45PM (#15250751)
    The fixed code is
    if (getuid() == 0 || geteuid() != 0) do something that only root can do
    What is the intention of this test? Allow something to be done if the real user id is zero (i.e. it is root logged in) or if the effective user id is not zero (i.e. if the program is running as setuid to somebody other than root). That doesn't make a lot of sense to me.
  • by acoopersmith ( 87160 ) on Tuesday May 02, 2006 @10:05PM (#15250839) Homepage Journal
    It's in code that allows you to do things like load code modules from other paths, so it's only allowed if you're already root or not running setuid-root. (It should probably check that you're not running setuid at all, but there's no real point having Xorg setuid to anyone but root, so no one has added that check.)
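    An added example (not X.org code) that models the typo discussed above by AtomicX and prockcore, and the policy gfim and acoopersmith describe: the intended check is written as a pure function of the real and effective uids so it can be evaluated for every combination, next to the defective expression kept verbatim. The function names and the uid value 1000 are assumptions for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Intended policy behind the quoted line: a privileged path (such as loading
 * modules from arbitrary directories) is allowed only if the real uid is root
 * or the process is not running with an effective uid of root, i.e. it is not
 * setuid-root. Taking the ids as parameters lets it be checked offline. */
int privileged_path_allowed(uid_t ruid, uid_t euid)
{
    return ruid == 0 || euid != 0;
}

/* Model of the defective line: "geteuid" without "()" is the address of the
 * function, which is never null, so "geteuid != 0" is constant-true and the
 * policy collapses to "always allowed". gcc reports this under -Waddress
 * ("the address of 'geteuid' will always evaluate as 'true'"). */
int buggy_path_allowed(uid_t ruid, uid_t euid)
{
    (void)ruid; (void)euid;               /* neither id can change the result */
    return getuid() == 0 || geteuid != 0; /* the typo, kept verbatim */
}

/* Count the (ruid, euid) combinations where the typo grants access that the
 * policy denies. Exactly one exists: an unprivileged real user (assumed uid
 * 1000) running the setuid-root binary, which is the local root escalation. */
int count_wrongly_allowed(void)
{
    const uid_t ids[] = { 0, 1000 };
    int wrong = 0;
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++)
            if (buggy_path_allowed(ids[i], ids[j]) &&
                !privileged_path_allowed(ids[i], ids[j]))
                wrong++;
    return wrong;
}

int main(void)
{
    printf("combinations wrongly allowed by the typo: %d\n",
           count_wrongly_allowed());
    printf("ruid=1000 euid=0 (normal user, setuid-root): policy=%d typo=%d\n",
           privileged_path_allowed(1000, 0), buggy_path_allowed(1000, 0));
    return 0;
}
```

    Compiling with `-Wall -Werror` turns the constant-true comparison into a build failure, which is the cheap check the thread is asking for.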
  • by 93 Escort Wagon ( 326346 ) on Tuesday May 02, 2006 @10:54PM (#15251054)

    Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:
    proper geteuid calls because suse hires people who mistype things

    Incidentally, this also confirms most non-BSDers' opinion of Theo.
  • Re:Related news (Score:1, Insightful)

    by HeroreV ( 869368 ) on Tuesday May 02, 2006 @11:00PM (#15251081) Homepage
    So one function returns 0 when successful, while the other returns 0 when unsuccessful? What the hell is going on here?

    Not even considering the bug, that's some pretty horrific coding. Is all of X written this poorly?
  • by Junta ( 36770 ) on Tuesday May 02, 2006 @11:02PM (#15251087)
    Unfortunately, the distros compete with the likes of Windows. As such, though technically speaking X on a multi-user system of any remote importance is a bad idea, if you shrug off X on servers Windows administrators may not like it as much. Install Red Hat or SuSE server oriented distributions and by default you still end up with a X environment. Good administrators know not to run X and it is powerful and even more convenient to run X apps remotely or inside a detachable VNC session. For small business to medium business/departmental servers, expect X servers to be the norm in the enterprise despite best practice.

    The obvious solution is X not as root, so the worst you can do is screw around with the devices X really needs access to (screw around with the graphics, and local input devices, but an administrator can still ssh and have an intact, secure system in the ways that matter)
    by Alioth ( 221270 ) on Wednesday May 03, 2006 @04:48AM (#15251954) Journal
    The truth sometimes hurts. Theo de Raadt just doesn't dress it up. I wouldn't hire Theo as a diplomat (well, not unless I wanted to actually start a war), but I would hire him as someone who can write secure code. I don't care if he has no social skills; I'm after secure code. That's why we use OpenBSD for security critical things.
  • by Nutria ( 679911 ) on Wednesday May 03, 2006 @06:11AM (#15252234)
    Then if I want to do my own debugging, I should only put half my effort into coding!

    Funny, and almost right.

    Put all your brains, but half of your cleverness into coding.

    IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

    I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.
  • by Kjella ( 173770 ) on Wednesday May 03, 2006 @08:57AM (#15253054) Homepage
    IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

    And the corollary to that: If you are (trying to be) clever, leave comments about what you're doing. Whoever might have to review/fix your code will greatly appreciate it. Remember, that person might be YOU. While I still try to be clever a little too often, it makes it incredibly much easier to fix.
  • seriously? (Score:3, Insightful)

    by YesIAmAScript ( 886271 ) on Wednesday May 03, 2006 @11:07AM (#15254014)
    In concept, there is a separate protocol and implementation of X. But the source has been available under a very permissive license since the very beginning. Because of this, the only thing I've ever seen that was reimplemented was the server (window server), everything else has just been compiled directly from the reference sources.

    And even those window servers are compiled from sources derived from the reference sources, with patches.

    Do you actually know of any implementations of X other than the two you mentioned? I tried to search for some and couldn't find any.
  • by haroldhunt ( 199966 ) on Wednesday May 03, 2006 @12:05PM (#15254522) Homepage
    Uhh... coming from someone with 5 years of experience in the X Window System, your statement that X11 refers to a protocol and not a codebase is overly pedantic and not truly reflective of reality.

    The name 'X11' effectively refers to a code base because the 'sample implementation', which was extended for specific hardware by XFree86 and X.org, is the basis of almost all X Servers in existence. For example, Sun and HP both ship their own X Servers, but the base upon which they implemented their device-dependent code for specific video cards and input devices. Free X servers for Windows and Mac OS X both use the sample implementation (X.org to be specific). Commercial X Servers for Windows all seem to use the sample implementation as well. The only non-sample implementation X Server that I know of is WeirdX, an X Server written entirely in Java, which implies that everything would have to have been rewritten.

    Harold