xorl %eax, %eax

XScreenSaver ~/.xscreensaver Information Disclosure


This was discovered and disclosed by kingcope on 6 July 2009. The vulnerability affects at least the XScreenSaver 5.01 release. XScreenSaver is a popular screen saver application developed mainly by Jamie Zawinski. Here is the vulnerable code from the 5.01 release.

const char *
init_file_name (void)
{
  static char *file = 0;

  if (!file)
     ...
      else
        {
          const char *home = p->pw_dir;
          const char *name = ".xscreensaver";
          file = (char *) malloc(strlen(home) + strlen(name) + 2);
          strcpy(file, home);
          if (!*home || home[strlen(home)-1] != '/')
            strcat(file, "/");
          strcat(file, name);
        }
    }

  if (file && *file)
    return file;
  else
    return 0;
}

This code can be found in driver/prefs.c. As you can see, it builds the path to ~/.xscreensaver. Now, if we look at where this routine is called, we see this:

static int
parse_init_file (saver_preferences *p)
{
  time_t write_date = 0;
  const char *name = init_file_name();
  int line = 0;
  struct stat st;
  FILE *in;
  int buf_size = 1024;
  char *buf;
    ...
  in = fopen(name, "r");
    ...
  buf = (char *) malloc(buf_size);

  while (fgets (buf, buf_size-1, in))
    {
    ...
  return 0;
}

As you can see, there is no check whether ~/.xscreensaver is a symbolic link before it is opened. Consequently, a user could gain read access to any file on the system, since xscreensaver is installed as a setuid root application. Here you can find kingcope’s demonstration of that vulnerability.
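One way the parser could have refused a planted link, as an added example that is not XScreenSaver's own code: open the path with O_NOFOLLOW, then fstat the descriptor and require a regular file owned by the real user before handing it to the parser. The function names, the temp directory and the sample config line are constructed for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user config file from a setuid program without following a
   link planted by the user. Returns a FILE*, or NULL with errno set
   (ELOOP for a symlink, EPERM for a file the real user does not own). */
FILE *
open_init_file_safely (const char *path)
{
  struct stat st;
  int fd = open (path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* ELOOP on symlink */
  if (fd < 0)
    return NULL;
  /* fstat the descriptor we hold, so the object checked is the one used. */
  if (fstat (fd, &st) < 0)
    { int e = errno; close (fd); errno = e; return NULL; }
  /* Regular file owned by the *real* uid: getuid(), not geteuid(), which is
     0 under setuid root. This also rejects a hard link to a root-owned file. */
  if (!S_ISREG (st.st_mode) || st.st_uid != getuid ())
    { close (fd); errno = EPERM; return NULL; }
  return fdopen (fd, "r");
}

/* Self-check (constructed scenario): in a fresh temp dir, a real config file
   must open and a symlink to it must be refused. Returns 1 if both hold. */
int
symlink_check_works (void)
{
  char dir[] = "/tmp/xss-demo-XXXXXX", real[64], link[64];
  FILE *f;
  int ok;
  if (!mkdtemp (dir))
    return 0;
  snprintf (real, sizeof real, "%s/real", dir);
  snprintf (link, sizeof link, "%s/.xscreensaver", dir);
  if (!(f = fopen (real, "w")))
    return 0;
  fputs ("timeout: 0:10:00\n", f);  /* constructed sample config line */
  fclose (f);
  ok = (f = open_init_file_safely (real)) != NULL;
  if (f) fclose (f);
  ok = ok && symlink (real, link) == 0
          && open_init_file_safely (link) == NULL && errno == ELOOP;
  unlink (link); unlink (real); rmdir (dir);
  return ok;
}
```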

Written by xorl

July 15, 2009 at 22:22

Posted in bugs
