Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems

[steven36]

A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment.

 

 

The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

Privilege escalation and arbitrary file overwrite

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files.

 

Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option.

Bug could have been avoided in OpenBSD 6.4

OpenBSD, the free and open-source operating system with a strong focus on security, uses xorg. On October 18, the project released version 6.4 of the OS, affected by CVE-2018-14665. This could have been avoided, though.

 

Theo de Raadt, founder and leader of the OpenBSD project, says that X maintainer knew about the problem since at least October 11. For some reason, the OpenBSD developers received the message one hour before the public announcement this Thursday, a week after their new OS release.

 

"As yet we don't have answers about why our X maintainer (on the X security team) and his team provided information to other projects (some who don't even ship with this new X server) but chose to not give us a heads-up which could have saved all the new 6.4 users a lot of grief," Raadt says.

 

Had OpenBSD developers known about the bug before the release, they could have taken steps to mitigate the problem or delay the launch for a week or two.

 

To remedy the problem, the OpenBSD project provides a source code patch, which requires compiling and rebuilding the X server.

 

As a temporary solution, users can disable the Xorg binary by running the following command:

chmod u-s /usr/X11R6/bin/Xorg 

Trivial exploitation

CVE-2018-14665 does not help compromise systems, but it is useful in the following stages of an attack.

 

Leveraging it after gaining access to a vulnerable machine is fairly easy. Matthew Hickey, co-founder, and head of Hacker House security outfit created and published an exploit, saying that it can be triggered from a remote SSH session.

 

Quote

 

OpenBSD #0day Xorg LPE via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with 3 commands or less. exploit https://t.co/3FqgJPeCvO pic.twitter.com/8HCBXwBj5M

— Hacker Fantastic (@hackerfantastic) October 25, 2018

 

Three hours after the public announcement of the security gap, Daemon Security CEO Michael Shirk replied with one line that overwrote shadow files on the system. Hickey did one better and fit the entire local privilege escalation exploit in one line.

 

Quote

 

I raise you and fit entire exploit in one line & tweet 😉 https://t.co/OmUkIQdNcK

— Hacker Fantastic (@hackerfantastic) October 25, 2018

 

Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro  Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

 

Quote

 

USN-3802-1: X.Org X server vulnerability

26 October 2018

xorg-server, xorg-server-hwe-16.04 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

X.Org X server could be made to overwrite files as the administrator.

Software Description

• xorg-server - X.Org X11 server
• xorg-server-hwe-16.04 - X.Org X11 server

Details

Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

xserver-xorg-core - 2:1.20.1-3ubuntu2.1

Ubuntu 18.04 LTS

xserver-xorg-core - 2:1.19.6-1ubuntu4.2

Ubuntu 16.04 LTS

xserver-xorg-core-hwe-16.04 - 2:1.19.6-1ubuntu4.1~16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

• CVE-2018-14665

 

 

Side note :I Already patched and updated  on Ubuntu Budgie 18.04, sure beats waiting a month for security fixes from a certain OS maker..

 

Source