Homeland Security Uncovers Critical Flaw in X11
Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.
OpenBSD fixed on Jan. 21, 2000 (Score:4, Informative)
Re:OpenBSD fixed on Jan. 21, 2000 (Score:2)
Re:OpenBSD fixed on Jan. 21, 2000 (Score:5, Informative)
FYI, they do often send the cleaned version back to the code's maintainers, but they can't force them to use the re-arranged code, or port it to other systems. Sorry.
Re:OpenBSD fixed on Jan. 21, 2000 (Score:5, Funny)
That is one brilliant policy! Kudos to whomever implemented that!
It reminds me of an incident about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"
Re:OpenBSD fixed on Jan. 21, 2000 (Score:5, Interesting)
That reminds me of the Kernighan quote, which I heartily agree with:
Re:OpenBSD fixed on Jan. 21, 2000 (Score:5, Insightful)
Funny, and almost right.
Put all your brains, but half of your cleverness into coding.
IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.
I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.
Re:OpenBSD fixed on Jan. 21, 2000 (Score:3, Insightful)
And the corollary to that: If you are (trying to be) clever, leave comments about what you're doing. Whoever might have to review/fix your code will greatly appreciate it. Remember, that person might be YOU. While I still try to be clever a little too often, it makes it so much easier to fix.
Re:OpenBSD fixed on Jan. 21, 2000 (Score:3, Informative)
HTH. Cheers.
Re:OpenBSD fixed on Jan. 21, 2000 (Score:5, Funny)
More specifically, March 10th of 2006. Seven weeks ago.
Best part was the CVS log:
Re:OpenBSD fixed on Jan. 21, 2000 (Score:3, Insightful)
Related news (Score:5, Funny)
Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".
Re:Related news (Score:5, Funny)
Re:Related news (Score:5, Interesting)
It all depends... (Score:3, Funny)
Have you paid your Moses Fee?
(let my packets go....) [as sung to 'let my people go']
Re:Related news (Score:3, Funny)
(that's the job of Congress and industry trade groups)
Re:Related news (Score:3, Insightful)
Re:Related news (Score:3, Funny)
$#$#%... [signal lost]
Re:Related news (Score:4, Insightful)
Re:Related news (Score:5, Funny)
Re:Related news (Score:5, Informative)
You're misinterpreting what the problem was. It was a change from this:
if (getuid() == 0 || geteuid != 0)
to this:
if (getuid() == 0 || geteuid() != 0)
Re:Related news (Score:5, Insightful)
You're misinterpreting what the problem was. It was a change from this:
if (getuid() == 0 || geteuid != 0)
to this:
if (getuid() == 0 || geteuid() != 0)
This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.
(And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)
Re:Related news (Score:5, Funny)
It drives me nuts too. That's why I use the -fsyntax-only option whenever I compile anything. It gets rid of the warnings so you know your code is safe!
Re:Related news (Score:3, Informative)
I don't know about ANSI, but ISO/IEC 9899:1999(E) (a.k.a. "C99"), under section 7.17 "Common definitions <stddef.h>" states:
Under section 6.3.2.3 "Pointers", the "null po
Re:Caution: Sometimes 0 != NULL (Score:3, Informative)
You need a better compiler.
Re:Related news (Score:3, Insightful)
Re:Related news (Score:3, Insightful)
I think you owe the GP an apology.
UIDs (Score:5, Informative)
The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.
There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.
Re:Related news (Score:3, Funny)
I just saw a story.. (Score:3, Funny)
Re:Related news (Score:4, Funny)
No, no, that's a flaw in X10, not X11. That missing remote behaviour is an undocumented feature.
Only one? (Score:3, Interesting)
Re:Only one? (Score:4, Funny)
Only one that they are telling us about...
Way to go, boys! (Score:5, Funny)
Re:Way to go, boys! (Score:2)
Another score for open source! (Score:3, Insightful)
(And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)
Re:Another score for open source! (Score:3, Funny)
Excluding Outlook Express I guess.
Re: (Score:3, Funny)
Any word on the fix? (Score:5, Funny)
A missing parentheses in a bit of code is to blame...the flaw has already been corrected.
Any word on exactly what the fix was?
Re:Any word on the fix? (Score:2)
Re:Any word on the fix? (Score:5, Funny)
Re:Any word on the fix? (Score:2)
How do you know they didn't just remove the match-less parenthesis instead?
Re:Any word on the fix? (Score:4, Funny)
Re:Any word on the fix? (Score:5, Informative)
http://xorg.freedesktop.org/releases/X11R7.0/patc
http://lists.freedesktop.org/archives/xorg/2006-M
Success (Score:3, Funny)
I wonder (Score:3, Funny)
Re:I wonder (Score:4, Funny)
> by reading the binary or by utilizing a machine-coded matrix?
I don't know, but I bet Chloe O'Brian is lurking nearby. And she's probably scowling.
watch out for their patches, though (Score:5, Funny)
OS X? (Score:4, Interesting)
Re:OS X? (Score:5, Informative)
Easy (Score:3, Funny)
Advisory (Score:2, Insightful)
Crap. (Score:2)
Re:Crap. (Score:2)
Not Quite (Score:5, Funny)
Actually, it was not a missing parenthesis, but a missing parenthetical.
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true);
And the patched code:
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true); (just kidding!)
Missing *pair* of parentheses (Score:5, Informative)
This results in making use of the function address rather than the return value of the function, which could cause difficulties.
Re:Missing *pair* of parentheses (Score:3, Informative)
gcc 3.4.3 says all is fine. You can make it complain if you change geteuid != 0 to !geteuid - then it points out "warning: the address of `geteuid', will always evaluate as `true'"
This is not a remote root vulnerability (Score:5, Insightful)
Re:This is not a remote root vulnerability (Score:3, Insightful)
AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.
I realize that it's too much to assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.
Re:This is not a remote root vulnerability (Score:4, Informative)
Missing the point..... (Score:5, Interesting)
I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.
Re:Missing the point..... (Score:5, Interesting)
While I hate to sound like all the other OSS apologists that have posted so far ("yeah there's an exploit, but think of how many we could find if we could run it on the Windows source!" and other such tripe that ignores the fact that a serious bug was found in OSS software), your argument is a bunch of crap. You're basically saying that exploits in closed-source software are unknown and unpublicized, which is ridiculous.
As for your Apache example, it would be just as simple to see what version of IIS a machine is running and look through MS KB to find the known exploits against it. Or look at bugtraq. Or anywhere else on the Internet. Just because the source is a secret doesn't mean the details of the available exploits are too.
Oh and knowing the line of source code on which the error exists is entirely irrelevant to the discussion -- having that knowledge doesn't make using an exploit any easier or more difficult. It may assist in developing new exploits, but when attempting to use one that has been found, that knowledge is superfluous.
Critique... (Score:5, Interesting)
That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.
(At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)
Wow. Homeland Security.... (Score:5, Funny)
Jack: I'm running out of time. I need that satellite image.
Chloe: I opened a socket into a NASA server and I'm retasking the satellite.
Jack: Great, download the image to my PDA.
Chloe: I need your IP address.
Jack: 1.2.123.129
Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
Jack: I've got it. Thanks Chloe.
Chloe: Whatever...
Where was the warning? (Score:3, Interesting)
the usual confusion (Score:5, Insightful)
It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.
seriously? (Score:3, Insightful)
And even those window servers are compiled from sources derived from the reference sources, with patches.
Do you actually know of any implementations of X other than the two you
Re:the usual confusion (Score:3, Insightful)
The name 'X11' effectively refers to a code base because the 'sample implementation', which was extended for specific hardware by XFree86 and X.org, is the basis of almost all X Servers in existence. For example, Sun and HP both ship their own X Servers, but the base upon which they implemented their device-depen
Mac OS X Tiger (Score:3, Interesting)
Re:Mac OS X Tiger (Score:3, Interesting)
https://bugs.freedesktop.org/show_bug.cgi?id=6213 [freedesktop.org]
Difference (Score:3, Interesting)
Critical vulnerability in X11, missing parens are to blame, report: "missing parens in code leaves X11 vulnerable, the problem is fixed."
--vs--
Critical vulnerability in Windows, missing parens are to blame (but that's under NDA), report: "the incompetent programmers of the Redmond monopolist did it again, your Windows is totally open to hackers due to a bad, bad vulnerability. While we're on this, let's discuss also how OSX and Linux are infinitely cooler than Windows will ever be, and how Windows users are clueless idiots."
Re:Here is the actual flaw: (Score:2, Funny)
(X11 sucks monkey cock
Re:Already Corrected? (Score:5, Insightful)
Re:Already Corrected? (Score:5, Funny)
Re:Already Corrected? (Score:3, Insightful)
Re:Already Corrected? (Score:2)
Your servers are running X? What for?
Re:Already Corrected? (Score:2)
Re:Already Corrected? (Score:4, Insightful)
Re:Already Corrected? (Score:2)
Re:Already Corrected? (Score:2)
Re:Already Corrected? (Score:2)
Oracle installation runs as an X11 client, and requires that only the client libraries be installed. The X11 server runs on the administrator's desktop.
Of course, TFA doesn't bother to explain if the hole is in the server or the client libraries. I'm assuming they mean the server, but who the hell knows?
Agree with the sentiment, but.... (Score:3, Insightful)
Why? (Score:3, Informative)
Re:Already Corrected? (Score:2)
*triggered*! Doing: ssh foo;su -;apt-get update;apt-get dist-upgrade; ssh bar...
What auto-update services were you talking about, again?
As restarting most daemons is likely to cause disruption, you can't do this without thinking; thus, fully automatic updates are a bad idea unless the users are mindless. As servers are not operated by monkeys but by people who are *supposed* to have a clue, notification is a must, but actually applying the update shouldn't be done as a cronjob.
Only 6.9 and 7.0 (Score:2)
As this only affects 6.9 and 7.0 (RTFM), you'd need some form of auto-update to actually be exposed. Most distros are still at 6.8.
M.
Re:Only 6.9 and 7.0 (Score:2)
... or Article, whatever suits you...
I sure wish I could edit my own posts sometimes.
M.
Re:Already Corrected? (Score:2)
It's Linux we're talking about.
It might upgrade X11 though - but that's a good thing.
Re:Already Corrected? (Score:4, Funny)
Yes.
Re:Sometimes gentoo is a pain. (Score:5, Insightful)
Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.
It took some digging to find the actual advisory:
http://lists.freedesktop.org/archives/xorg/2006-M
Re:Sometimes gentoo is a pain. (Score:3, Informative)
If you're running ~x86, then you've got the vulnerable version. It's a local exploit, one that is trivially simple for an experienced programmer to use.
Re:Sometimes gentoo is a pain. (Score:3, Informative)
Re:So does this mean? (Score:2)
Little known fact... (Score:5, Funny)
The compiler just does what you ask. (Score:5, Informative)
Re:So does this mean? (Score:5, Insightful)
I had a quick look on Coverity's website and this appears to be the relevant line of code:
- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)
In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.
The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.
The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).
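The two lines quoted above, side by side in a program that is added here as an illustration (it is not the X.Org code or anything from the thread). The uid sources are passed in as function pointers so the outcome does not depend on who runs the program; the `uid_root` / `uid_user` stand-ins are constructed for the demonstration, and `literal_buggy` keeps the thread's exact `geteuid != 0` spelling so the compiler diagnostic can be observed.

```c
/* Added example, not from X.Org or the thread: the pre-patch and patched
 * checks written so their behaviour can be compared deterministically. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* A function returning a uid, so real/effective uid sources can be injected. */
typedef uid_t (*uid_getter)(void);

/* Mirrors "getuid() == 0 || geteuid != 0": the second operand never calls
 * eff, it compares the function's address with 0. A function's address is
 * never 0, so this condition is true no matter what the effective uid is. */
int caller_trusted_buggy(uid_getter real, uid_getter eff)
{
    return real() == 0 || eff != 0;
}

/* Mirrors "getuid() == 0 || geteuid() != 0": eff is called and its return
 * value compared, so the result actually reflects the effective uid. */
int caller_trusted_fixed(uid_getter real, uid_getter eff)
{
    return real() == 0 || eff() != 0;
}

/* The literal pre-patch expression. GCC's -Waddress (part of -Wall) and
 * Clang's -Wtautological-pointer-compare report that the comparison is
 * always true; the value returned here is 1 for every uid/euid pair. */
int literal_buggy(void)
{
    return getuid() == 0 || geteuid != 0;
}

/* Constructed stand-ins for the uids of interest (not real process state). */
static uid_t uid_root(void) { return 0; }
static uid_t uid_user(void) { return 1000; }

int main(void)
{
    printf("real root                 buggy=%d fixed=%d\n",
           caller_trusted_buggy(uid_root, uid_root),
           caller_trusted_fixed(uid_root, uid_root));
    printf("unprivileged, not setuid  buggy=%d fixed=%d\n",
           caller_trusted_buggy(uid_user, uid_user),
           caller_trusted_fixed(uid_user, uid_user));
    /* The case the check exists for: an ordinary user running a setuid-root
     * binary. The buggy form still answers "trusted". */
    printf("unprivileged, setuid root buggy=%d fixed=%d\n",
           caller_trusted_buggy(uid_user, uid_root),
           caller_trusted_fixed(uid_user, uid_root));
    printf("literal pre-patch expression: %d\n", literal_buggy());
    return 0;
}
```

Compile with `-Wall` to see the diagnostic on `literal_buggy`; the injected-pointer versions do not trigger it because a null check on a pointer parameter is legitimate, which is exactly why the bug only shows up when the function name itself is written without parentheses.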
Re:So does this mean? (Score:3, Interesting)
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation)
I think we can both agree Python is a higher level language. And guess what:
import os
# os.geteuid without parentheses is the function object itself; comparing it to 0 is legal Python
if os.getuid() != 0 or os.geteuid == 0:
    pass
is completely valid. It's not high level vs low level languages here that's at issue. It'
Re:So does this mean? (Score:3, Funny)
So no, it is indeed just a closing parenthesis that is missing. Why exactly that bloke considered this 'seemingly harmless', I don't know though... that is rather like saying "The car crash was caused by something as seemingly harmless as a severed brakeline."
Re:How did it get through? (Score:2)
as in example if(somefunc(foo > 0)) {bar}
it compiles alright and even works, but it really isn't somefunc(foo) > 0 that is getting tested. the mistake is an easy one to make, and most modern languages consider it valid (even java if the func accepts a boolean argument).
I never really understood WHY X is run as root, write a god damn device wrapper that keeps the device handlers separately in root permissions and keep the X it
Re:How did it get through? (Score:2)
if (((people((wouldstop() == TRUE)(((&& (using_shitty_shortcuts() == FALSE))))))))
{
}
It's possible that something like this may be easier to spot.
And while we're at it, start using your curly braces correctly as well.
Re:Should have written it in Lisp! (Score:2)
That is used as a test each semester for MIT students. So, if it were available on the web, then it would remove an afternoon's work.
Re:I don't understand the intention of the fixed c (Score:4, Insightful)