Re: XFree86 vulnerability exploit

To: Bender <bender2@xxxxxxxxxxxxxxxx>
Subject: Re: XFree86 vulnerability exploit
From: Adam Langley <agl@xxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Feb 2004 11:36:46 +0000
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040211110900.GA7611@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: Adam Langley <agl@xxxxxxxxxxxxxxxxxx>, Bender <bender2@xxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040211110900.GA7611@xxxxxxxxxxxxxxxx>
Sender: Adam Guy Langley <agl02@xxxxxxxxxxxx>
User-agent: Mutt/1.4.1i

On Wed, Feb 11, 2004 at 11:09:00AM +0000, Bender wrote:
> Below you can find a exploit for latest bug in XFree86 sofware.
> Tested on some versions of RedHat Linux (mainly 7.0).
> regards
> Bender
> 
>     execle("/usr/bin/X11/X","X",":0","-fp","/tmp",0,envp);

It's worth pointing out that this is still a problem for installations which
do not have a SUID root. (For example, the X server is started by a display
manager which is already root).

If you can send commands to the X server you can:
% xset +fp /path/to/bad/fontdir

Which has the same effect (comfirmed).

-- 
Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60

References:
- XFree86 vulnerability exploit
  - From: Bender

Prev by Date: MDKSA-2004:012 - Updated XFree86 packages fix buffer overflow vulnerabilities
Next by Date: [RHSA-2004:048-01] Updated PWLib packages fix protocol security issues
Previous by thread: XFree86 vulnerability exploit
Next by thread: aimSniff.pl file "deletion" (local)
Index(es):
- Date
- Thread