Date: Fri, 14 Nov 1997 02:13:22 +0100
From: Carlo Wood <carlo@RUNAWAY.XS4ALL.NL>
To: BUGTRAQ@NETSPACE.ORG
Subject: X Security problem (?)

Hi,

this isn't an exploit - I let others write that ;) (don't have time for that).
But five minutes ago I found something that might be abused:

On my (RedHat4.2) linux box, I find:

    /tmp/.X11-unix/X0=

A UNIX domain socket of the X server I assume.
The permissions are:

    drwxrwxrwt   3 root     root         1024 Nov 14 01:38 /tmp/
    drwxrwxrwx   2 root     users        1024 Nov 14 01:56 /tmp/.X11-unix/
    srwxrwxrwx   1 root     users           0 Nov 13 23:09 X0

So, as any user (I did it as 'nobody'), I can do:

    rm /tmp/.X11-unix/X0

After which X doesn't work anymore (can't open a new terminal).

I can also do:

    cd /tmp/.X11-unix
    mv X0 Y0
    (can't open an xterm)
    mv Y0 X0
    (everything works again).

Now I didn't test the following, but doesn't this mean that I can
- as nobody - mv X0 Y0; open a new X0 socket and start to accept
connections, piping everything to Y0, reading everything people type,
like passwords when they use 'su' ? ...

Carlo Wood

PS This is my first post, so I expect to make a terrible error here
   somehow ;). If so, I hope the moderator will simply refuse the post.

--
carlo@runaway.xs4all.nl, Run @ IRC.
ircd development: http://www.xs4all.nl/~carlo17/ircd-dev
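
Added example, not part of the original post: a Python model of the Unix rule that decides who may unlink or rename an entry in a directory, plus an audit check for a socket directory such as /tmp/.X11-unix. The function names are hypothetical, uid 99 for 'nobody' and gid 100 for 'users' in the test values are constructed, and capabilities and ACLs are ignored.

```python
import os
import stat


def can_replace_entry(dir_mode, dir_uid, dir_gid, entry_uid, uid, gids=()):
    """Model the classic Unix check for unlink()/rename() inside a directory.

    The entry's own mode (srwxrwxrwx on the socket) plays no part: what counts
    is write+search permission on the directory, narrowed by the sticky bit.
    Simplification: uid 0 is treated as always allowed.
    """
    if uid == 0:
        return True
    if uid == dir_uid:
        bits = (dir_mode >> 6) & 7
    elif dir_gid in gids:
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    if bits & 3 != 3:              # need both write (2) and search (1)
        return False
    if dir_mode & stat.S_ISVTX:    # sticky: only entry owner or directory owner
        return uid in (entry_uid, dir_uid)
    return True


def audit_socket_dir(path, expected_uid=0):
    """Return a list of findings for a directory that holds server sockets."""
    st = os.lstat(path)            # lstat: do not follow a symlink at this path
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    others_can_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if others_can_write and not st.st_mode & stat.S_ISVTX:
        findings.append("group/world-writable without sticky bit (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return findings


if __name__ == "__main__":
    target = "/tmp/.X11-unix"
    if os.path.lexists(target):
        for finding in audit_socket_dir(target):
            print("FINDING:", finding)
```

With the modes from the listing above (directory drwxrwxrwx, owner root), the model allows an unprivileged uid to replace X0; the same directory with the sticky bit set, as on /tmp itself, does not.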