An old flaw in the X Window System. How does it work?

Today I read an article that mentioned the following:

"We have found many bugs over the years. One of the best was in the X Window System:

if(getuid() != 0 && geteuid == 0) { ErrorF("Only root"); exit(1); } 

This allows any local user to gain root access. (The tautological check geteuid == 0 should have been geteuid() == 0. In its current form, it compares the address of geteuid to 0; given that the function exists, its address is never 0.)"

The article explains what was wrong with the code, but I would like to know what it means to say that "it allowed any local user to get root access." I'm not an expert in C, but can someone give me the exact context in which this exploit would work? In particular, let's say I'm a local user: how would I get root access, assuming this code is present somewhere?

For anyone interested in reading the full article, here is the link:

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World

+6
c security unix static-analysis
4 answers

The article implies that the code after the if, which was supposed to execute only once it was verified that the user was root, could in fact be executed by anyone. To exploit it, you look for a branch in the code where the test is used to verify the user's identity (which the article responsibly does not provide: you need to do a little work yourself), and you arrange for that branch to be executed.

"allowed to get root access" is an ellipsis that describes what happens after the if in the source code. It is not particularly relevant to the test itself, because it describes what happens after it.

In other words, the test itself does not make you root. The code after it does. Also keep in mind that the X server often needs to be installed owned by root with the setuid bit set, which is why faulty logic in its code is dangerous.

This is not a question about C. It is a question about the Unix security model, which is terribly binary (especially in older implementations): you have to be root to do anything, so a number of programs are owned by root and have the setuid bit set (a bit of a caricature).

+5

How you get access is directly tied to where this flaw is in the code.

If you knew exactly where this code is, you could study the code paths that could lead you to this line, and then, after studying the consequences of the code that follows, do something to take advantage of the faulty privilege check.

Nevertheless, this particular test seems rather difficult to exploit. All it does is (incorrectly) check for root access, and if the user does not have it, raise the error condition.

The code that follows would have to be examined to see what non-root users can now execute.

+2

I think this means that the root access check was not correct and the root-level processing continued anyway. How you would escalate is not clear from this.

0

The check geteuid == 0 is always incorrect, since geteuid is the name of a function, and in this context it evaluates to a pointer that is never NULL. It should be geteuid() == 0. Note the parentheses.

0
