Security

Select Xorg X11 Server Versions Are Vulnerable To Privilege Escalation Exploits, OpenBSD and CentOS Affected

Xorg is a very famous X window system used in Linux. It’s a graphical user interface that uses the X11 standard, which in turn is a communication protocol.  Xorg was forked from the XFree86 project, which is not in active development anymore.

Privilege Escalation Exploit

All Xorg X11 server versions from 1.19.0 up to 1.20.3 are vulnerable to permission check flaws which exist for -modulepath and -logfile options. This gives unprivileged users with the ability to start a server, to run arbitrary code with elevated privileges.

The researchers found out, running a CRON script with the loaded exploit makes SELinux enforce it. A crontab.old backup file is created, which is essentially replaced by the Metasploit module with a new file with commands and instructions for the cron daemon to execute. Failed exploitation might result in a corrupted crontab.  Xorg also needs to have SUID permissions for the exploit to work, which you can verify from the code snippet below.

# linux checks
uname = cmd_exec “uname”
if uname =~ /linux/i
vprint_status “Running additional check for Linux”
if datastore[‘ConsoleLock’] user = cmd_exec “id -un”
unless exist? “/var/run/console/#{user}”
vprint_error “No console lock for #{user}”
return CheckCode::Safe
end
vprint_good “Console lock for #{user}”
end
if selinux_installed?
if selinux_enforcing?
vprint_error ‘Selinux is enforcing’
return CheckCode::Safe
end
end
vprint_good “Selinux is not an issue”
end

# suid program check
xorg_path = cmd_exec “command -v Xorg”
unless xorg_path.include?(“Xorg”)
vprint_error “Could not find Xorg executable”
return CheckCode::Safe
end
vprint_good “Xorg path found at #{xorg_path}”
unless setuid? xorg_path
vprint_error “Xorg binary #{xorg_path} is not SUID”
return CheckCode::Safe
end
vprint_good “Xorg binary #{xorg_path} is SUID”

Testing Methodology

This exploit was worked on by four researchers –

  • Narendra Shinde – Discovery and exploit
  • Raptor-0xdea – Modified exploit for cron
  • Aaron Ringo –  Metasploit module
  • Brendan Coles – Metasploit module

This was tested on OpenBSD 6.3, 6.4, and CentOS 7 (1708). According to the notes on Packetstorm, CentOS with a default install will need console authentication for the user’s sessions.

This is a serious vulnerability given the scale of Xorg’s use. Although the exploit does need some presets to work, which might not be present in a professional environment.

Close