A small change made in a version of the X.org X Server windowing system two years ago introduced a serious security vulnerability that allows anyone with local access to overwrite random files on many Linux systems.
The bug affects several popular distributions, including some versions of Debian, Red Hat, and OpenBSD, and X.org has released a fix for the issue. In order to exploit the vulnerability, an attacker needs to have an active, authenticated session on the target system. But a successful exploit would give the attacker the ability to gain elevated privileges, create, or overwrite arbitrary files anywhere on the system.
“Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user),” the advisory from X.org says.
“The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process. The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option.”
The researcher who discovered the vulnerability reported it to the Red Hat and X.org security teams earlier this month and the bug was disclosed on Thursday. X.org has pushed a commit to its repository that patches the weakness. The vulnerability was introduced into the X Server in version 1.19, the developers said.
X Server is an implementation of the X windowing system, which is used on many Unix and Linux systems. The maintainers of the various affected distributions are releasing their own patched versions to address the problem. Debian has released a fixed version, and Red Hat said that only Red Hat Enterprise Linux 7 was affected. The developers of OpenBSD released a fix for affected versions on Thursday.
“We were made aware bit more than 1 hour before public information went Out. We were in the midst of an early OpenBSD release. If we had known, the OpenBSD 6.4 release could have been held back a week or two, till today. It would have been easy,” Theo de Raadt, the founder of OpenBSD, said in an email to an OpenBSD mailing list on Thursday.