Calyptix Security Advisory CX-2007-03

Xfce Insecure Temporary File Creation Vulnerability

Date: 02/12/2007

http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-03.php
http://labs.calyptix.com/advisories/CX-2007-03.txt

[ Overview ]

The Xfce desktop environment, versions 4.2.4 and 4.4.0 (and possibly earlier versions), is vulnerable to a symbolic link attack due to the insecure creation and use of a temporary file. The vulnerability is in the scripts/xinitrc script within the xfce-utils package. It allows a local attacker to cause a root-owned file to be modified when the root user starts Xfce.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Low Risk'.

[ Patch / Fix / Workaround ]

The Xfce development team has released a fix for this vulnerability in the Xfce Subversion repository:

http://svn.xfce.org/svn/xfce/xfce-utils/branches/xfce_4_2/scripts/xinitrc
http://svn.xfce.org/svn/xfce/xfce-utils/branches/xfce_4_4/scripts/xinitrc
http://svn.xfce.org/svn/xfce/xfce-utils/trunk/scripts/xinitrc

[ Analysis ]

The xinitrc script in Xfce creates a temporary file with a predictable filename in the /tmp directory, which is almost always world-writable on UNIX-based systems. A local attacker can create a large number of symbolic links pointing at a root-owned file. To exploit the vulnerability, the filenames of those symbolic links should be the predictable filenames that the xinitrc script creates.

==BEGIN CODE==
# create temp file for X resources
XRESOURCES="/tmp/xrdb-$UID.$$"
...
cat >> $XRESOURCES << EOF
Xft.dpi: 96
Xft.hinting: 1
Xft.hintstyle: hintmedium
==END CODE==

By creating symbolic links called /tmp/xrdb-0.{2-32768} pointing at a root-owned file, the attacker can cause the root-owned file to be modified when the root user starts Xfce.
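A hardened replacement for the temporary-file creation quoted above, added here as an illustration and not taken from the Xfce fix or from the xfce-utils code: mktemp(1) creates the file exclusively under a random name with mode 0600, so a symlink pre-planted at a guessable path is never opened, and the overwrite redirection plus a regular-file check close the remaining gaps. The function names, and the assumption that either GNU or BSD stat is available, are this example's own.

```sh
#!/bin/sh
# Added example, not Xfce's code: a safe replacement for the xinitrc pattern
# quoted in the advisory. Instead of appending to a predictable
# /tmp/xrdb-$UID.$$ name, mktemp(1) creates a fresh file with a random
# suffix, O_EXCL and mode 0600, so a symlink planted at a guessable path is
# never opened or followed.

# write_xresources: create a private temp file holding the X resources.
# Prints the path of the created file on success; returns non-zero on failure.
write_xresources() {
    # mktemp honours TMPDIR; fall back to /tmp like the original script.
    xres=$(mktemp "${TMPDIR:-/tmp}/xrdb-XXXXXX") || return 1

    # Defence in depth: mktemp already guarantees a new regular file, but
    # refuse to continue if the path is somehow a symlink or not a plain file.
    if [ -L "$xres" ] || [ ! -f "$xres" ]; then
        rm -f "$xres"
        return 1
    fi

    # Overwrite (">") rather than append (">>"): nothing pre-existing is reused.
    cat > "$xres" <<EOF
Xft.dpi: 96
Xft.hinting: 1
Xft.hintstyle: hintmedium
EOF
    printf '%s\n' "$xres"
}

# is_private_tmpfile: true when the path is a regular, non-symlink file with
# mode 0600, i.e. the state a safely created temp file must be in before a
# privileged script writes to it.
is_private_tmpfile() {
    path=$1
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}
```

In a script such as xinitrc, the call `XRESOURCES=$(write_xresources) || exit 1` replaces the fixed-name assignment and the `cat >>` heredoc.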
[ Disclosure Timeline ]

1/30/2007 Vulnerability discovered
1/30/2007 Xfce development team contacted
2/01/2007 Fix released in Xfce Subversion repository
2/12/2007 Calyptix Security informed of fix
2/12/2007 Public disclosure

[ Credit ]

Lawrence Teo of Calyptix Security discovered and confirmed that this vulnerability can be exploited.

[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing advisories2007@calyptix.com

[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North Carolina. Our Unified Threat Management (UTM) product, the AccessEnforcer (TM), is used by customers to protect their network infrastructure from security threats and is the only security appliance in the market that deploys DyVax (TM), our patent-pending signatureless inspection engine. The AccessEnforcer provides our customers all available gateway security features, including VPN, Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and IM management, for a single price with no add-ons and no hidden costs.

[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission to redistribute this advisory in electronic or other written medium without modification. This advisory may not be modified without the express written consent of Calyptix Security. If the recipient wishes to modify the advisory in any manner or redistribute the contents of this advisory other than by way of an exact written or electronic transmission hereof, please email advisories2007@calyptix.com for such permission. The information in this advisory is believed to be accurate at the time of publication based upon currently available information. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to any information in this advisory.
None of the author, the publisher nor Calyptix Security (nor any of their employees, affiliates or agents) accepts or has any liability for any direct, indirect or consequential loss or damage arising from the use of, or reliance on, any information contained in this advisory.