#75 Privilege escalation through DISPLAY handling CVE-2008-1142

closed-accepted
None
8
2008-05-10
2008-05-04
hoffie
No

Discussion

  • hoffie

    hoffie - 2008-05-04
    • priority: 5 --> 8
     
  • Oezguer Kesim

    Oezguer Kesim - 2008-05-10
    • status: open --> open-wont-fix
     
  • Oezguer Kesim

    Oezguer Kesim - 2008-05-10

    Logged In: YES
    user_id=25457
    Originator: NO

    Maybe I got it wrong, but I don't think that this is a security problem generated by rxvt, it is rather a configuration/protection/hardening problem of the X11 server itself.

    How does the "security risk" change after applying this patch? Not at all, because the very same user actually controls the environment and might set DISPLAY=":0" manually, so there would be no difference to the former case.

    It is almost like blaming ssh for trying to log in to a remote site using your local account name for the remote site (per default, as convenience) and realizing that in some cases the remote account uses an empty password. The problem would not be solved by changing the ssh-client to not use the local username...

    So the real issue here is taking security measures to protect the X11 Server from being hijacked, not rxvt trying to open ":0" in the first place, which is pure convenience.

     
  • hoffie

    hoffie - 2008-05-10

    Logged In: YES
    user_id=1335530
    Originator: YES

    The security risk is that you can accidentally launch a terminal on an X server which belongs to another user, thereby giving this other user a full shell which runs with your permissions.
    Setting DISPLAY=:0 leads to the same result, but the difference is that you have to do this explicitly.

    The X server cannot do anything about this -- it cannot tell whether it was your intention to spawn a shell on a foreign X server or pure accident.

     
  • Oezguer Kesim

    Oezguer Kesim - 2008-05-10
    • status: open-wont-fix --> open-accepted
     
  • Oezguer Kesim

    Oezguer Kesim - 2008-05-10

    Logged In: YES
    user_id=25457
    Originator: NO

    OK, now I got it. It's a trivial change to rxvt...

     
  • Oezguer Kesim

    Oezguer Kesim - 2008-05-10
    • assigned_to: nobody --> oec
    • status: open-accepted --> closed-accepted
     
  • Oezguer Kesim

    Oezguer Kesim - 2008-05-10

    Logged In: YES
    user_id=25457
    Originator: NO

    It's now patched in the main trunk and other branches. Will take some time to deploy a new version, as I first need to check the other bugs...
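The difference the thread turns on, an implicit fallback to ":0" versus an explicitly named display, shown as an added example that is not rxvt's code or the actual patch. The function names are hypothetical, and it assumes the fix amounts to dropping the fallback when neither a -display option nor $DISPLAY is given.

```c
/* Added illustration; function names are hypothetical, not rxvt's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Behaviour at issue: with no -display option and no $DISPLAY,
 * silently fall back to ":0", whoever owns that X server. */
const char *pick_display_legacy(const char *opt, const char *env)
{
    if (opt && *opt) return opt;
    if (env && *env) return env;
    return ":0";
}

/* Hardened form: only a display the user named explicitly is used.
 * NULL tells the caller to refuse to start (assumed shape of the fix). */
const char *pick_display_strict(const char *opt, const char *env)
{
    if (opt && *opt) return opt;
    if (env && *env) return env;   /* an empty DISPLAY counts as unset */
    return NULL;
}

int main(int argc, char **argv)
{
    const char *opt = NULL;
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-display") == 0)
            opt = argv[i + 1];

    const char *env = getenv("DISPLAY");
    const char *dpy = pick_display_strict(opt, env);
    if (dpy == NULL) {
        fprintf(stderr, "no display given: set DISPLAY or pass -display\n");
        return EXIT_FAILURE;
    }
    /* A real terminal would hand dpy to XOpenDisplay() at this point. */
    printf("legacy would open %s, strict opens %s\n",
           pick_display_legacy(opt, env), dpy);
    return EXIT_SUCCESS;
}
```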

     
