Calyptix Security Advisory CX-2007-03
Xfce Insecure Temporary File Creation Vulnerability
Date: 02/12/2007
http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-03.php
http://labs.calyptix.com/advisories/CX-2007-03.txt
[ Overview ]
Versions 4.2.4 and 4.4.0 of the Xfce desktop environment (and possibly
earlier versions) are vulnerable to a symbolic link attack due to
the insecure creation and use of a temporary file. The vulnerability
is in the scripts/xinitrc script within the xfce-utils package. The
vulnerability allows a local attacker to cause a root-owned file to
be modified when the root user starts Xfce.
[ Risk ]
Calyptix Security has classified this vulnerability as 'Low Risk'.
[ Patch / Fix / Workaround ]
The Xfce development team has released a fix for this vulnerability in
the Xfce Subversion repository.
http://svn.xfce.org/svn/xfce/xfce-utils/branches/xfce_4_2/scripts/xinitrc
http://svn.xfce.org/svn/xfce/xfce-utils/branches/xfce_4_4/scripts/xinitrc
http://svn.xfce.org/svn/xfce/xfce-utils/trunk/scripts/xinitrc
[ Analysis ]
The xinitrc script in Xfce creates a temporary file with a
predictable filename in the /tmp directory, which is almost always
world-writable on UNIX-based systems. A local attacker can create a
large number of symbolic links pointing at a root-owned file. To
exploit the vulnerability, the filenames of those symbolic links
should be the predictable filenames that the xinitrc script creates.
    # create temp file for X resources
    XRESOURCES="/tmp/xrdb-$UID.$$"
    ...
    cat >> $XRESOURCES << EOF
    Xft.dpi: 96
    Xft.hinting: 1
    Xft.hintstyle: hintmedium
By creating symbolic links called /tmp/xrdb-0.{2-32768} pointing at
a root-owned file, the attacker can cause the root-owned file to be
modified when the root user starts Xfce.
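The following is an added example, not part of the original advisory and
not the Xfce project's actual fix. It contrasts the predictable-name
pattern quoted above with creation through mktemp(1), inside a private
sandbox directory; the function names, the sandbox layout and the sample
UID/PID values are constructed for illustration.

```shell
#!/bin/sh
# Added example: predictable temp name versus mktemp(1).
# Function names and sandbox layout are hypothetical.

# Pattern from the advisory: the name is derived from UID and PID, and the
# >> redirection follows any symlink already present at that path.
write_predictable() {   # $1 = directory, $2 = uid, $3 = pid
    res="$1/xrdb-$2.$3"
    cat >> "$res" << EOF
Xft.dpi: 96
EOF
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing name is never reused.
write_mktemp() {        # $1 = directory; prints the path it created
    res=$(mktemp "$1/xrdb.XXXXXX") || return 1
    cat >> "$res" << EOF
Xft.dpi: 96
EOF
    printf '%s\n' "$res"
}

# Constructed scenario: a symlink already sits at the predictable name and
# points at a file standing in for a root-owned one.
demo() {
    sandbox=$(mktemp -d) || return 1
    target="$sandbox/protected-file"
    printf 'original\n' > "$target"
    ln -s "$target" "$sandbox/xrdb-0.1234"

    write_predictable "$sandbox" 0 1234
    after_predictable=$(wc -l < "$target" | tr -d ' ')

    printf 'original\n' > "$target"
    created=$(write_mktemp "$sandbox")
    after_mktemp=$(wc -l < "$target" | tr -d ' ')

    [ -L "$created" ] && is_link=yes || is_link=no
    rm -rf "$sandbox"
    # lines in target after each pattern, then whether the new file is a link
    echo "$after_predictable $after_mktemp $is_link"
}

demo   # → 2 1 no
```

The first number shows the protected file gained a line through the
symlink; the second shows it was left untouched when mktemp created the file.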
[ Disclosure Timeline ]
1/30/2007 Vulnerability discovered
1/30/2007 Xfce development team contacted
2/01/2007 Fix released in Xfce Subversion repository
2/12/2007 Calyptix Security informed of fix
2/12/2007 Public disclosure
[ Credit ]
Lawrence Teo of Calyptix Security discovered and confirmed that this
vulnerability can be exploited.
[ Contact ]
You can contact Calyptix Security about this vulnerability by e-mailing
advisories2007@calyptix.com
[ About Calyptix Security ]
Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
costs.
[ Legal Notice ]
Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification. This advisory may not be modified without the
express written consent of Calyptix Security. If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
advisories2007@calyptix.com for such permission.
The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to any information
in this advisory. None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.