Bugtraq mailing list archives

X Security problem (?)

From: carlo () RUNAWAY XS4ALL NL (Carlo Wood)
Date: Fri, 14 Nov 1997 02:13:22 +0100


Hi,

        this isn't an exploit - I let others write that ;) (don't
have time for that).

But five minutes ago I found something that might be abused:

On my (RedHat4.2) linux box, I find:

/tmp/.X11-unix/X0=

A UNIX domain socket of the X server I assume.

The permissions are:

drwxrwxrwt   3 root     root         1024 Nov 14 01:38 /tmp/
drwxrwxrwx   2 root     users        1024 Nov 14 01:56 /tmp/.X11-unix/
srwxrwxrwx   1 root     users           0 Nov 13 23:09 X0

So, as any user (I did it as 'nobody'), I can do:

rm /tmp/.X11-unix/X0

After which X doesn't work anymore (can't open a new terminal).

I can also do:

cd /tmp/.X11-unix
mv X0 Y0

(can't open an xterm)

mv Y0 X0

(everything works again).

Now I didn't test the following, but doesn't this mean that I can
- as nobody - mv X0 Y0; open a new X0 socket and start to accept
connections, piping everything to Y0, reading everything people
type, like passwords when they use 'su' ? ...

Carlo Wood

PS This is my first post, so I expect to make a terrible error
   here somehow ;).  If so, I hope the moderator will simply
   refuse the post.

--
 carlo () runaway xs4all nl, Run @ IRC.

 ircd development:  http://www.xs4all.nl/~carlo17/ircd-dev

Current thread:

Re: Cisco IOS password encryption facts, (continued)
- - - Re: Cisco IOS password encryption facts J. Sean Connell (Nov 11)
    - Re: Cisco IOS password encryption facts Michael Degerman (Nov 13)
    - mode of the i586 F0 bug VaX#n8 (Nov 12)
    - Re: mode of the i586 F0 bug Alan Cox (Nov 12)
    - Linux F00F Patch Aleph One (Nov 12)
    - Re: Safe /tmp cleanup Randal Schwartz (Nov 12)
    - Re: Safe /tmp cleanup dsiebert () ICAEN UIOWA EDU (Nov 13)
    - another buffer overrun in sperl5.003 Pavel Kankovsky (Nov 13)
    - Re: Safe /tmp cleanup Valdis Kletnieks (Nov 13)
    - IE4.0 patch Richard Trott (Nov 13)
    - X Security problem (?) Carlo Wood (Nov 13)
    - Re: X Security problem (?) Matthias Buelow (Nov 14)
    - Re: X Security problem (?) Scott Moseman (Nov 14)
    - digital unix 4.0 hole John McDonald (Nov 14)
    - What to do when you forget your cisco LD password... Dustin Sallings (Nov 13)
    - Re: What to do when you forget your cisco LD password... John Bashinski (Nov 14)
    - Re: Safe /tmp cleanup Erik Troan (Nov 13)
    - Linux IP fragment overlap bug G P R (Nov 13)
    - Re: Linux IP fragment overlap bug Alan Cox (Nov 14)
    - Re: Linux IP fragment overlap bug Vadim Kolontsov (Nov 14)
    - Re: Linux IP fragment overlap bug David LeBlanc (Nov 14)

(Thread continues...)