‘Several X windows vulnerabilities allow users to change permission of system files’

Summary

‘An XFS (X windows font server) vulnerability on XFree 3.3.3 allows users to change permission of system files to world readable. Another vulnerability of the XFree86 server itself also allows doing the same. This, for example, allows a local user to change the permissions of the /etc/shadow file to world-readable.’

Credit:

‘To avoid the XFS exploit, do not run xfs as root. To avoid the X windows exploit, create a /tmp/.x11-unix directory with the appropriate permissions.
The XFS vulnerability was found by: Lukasz Trabinski

For the latest version of XFree 86: http://www.xfree86.org/


Details

‘The XFS exploit is done by creating a /tmp/.font-unix file, linking it to the target file and waiting for the administrator (root) to start xfs. As soon as a user with enough permission (usually root) runs XFS, the permission of the file will be set to full access (world read/write).
The X server exploit is similar, using the file /tmp/.X11-unix. In this case, however, if the file already exists, this vulnerability cannot be exploited. ‘

Categories: Exploits