Trivial Bug in X.Org Gives Root Permission on Linux

Talk here about security in general. Posting illegals software is prohibited. All stuffs in this forum must be considered as for "Educational purpose only".
xenos
Black ninja
Black ninja
Posts: 40
Joined: 20 Aug 2016, 22:20
Distribution: Porteus
Location: Blackhole

Trivial Bug in X.Org Gives Root Permission on Linux

Post#1 by xenos » 31 Oct 2018, 18:28

https://www.bleepingcomputer.com/news/s ... d-systems/

Porteus affected? and what we could do to fix this and probably more security issues in future?

User avatar
fanthom
Moderator Team
Moderator Team
Posts: 5666
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland
Contact:

Trivial Bug in X.Org Gives Root Permission on Linux

Post#2 by fanthom » 31 Oct 2018, 21:38

You need to upgrade xorg-server to version 1.20.3:
https://bugs.gentoo.org/669588#c0

slackware current has it already:
ftp://ftp.osuosl.org/pub/slackware/slac ... ngeLog.txt
Please add [Solved] to your thread title if the solution was found.

donald
Full of knowledge
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Trivial Bug in X.Org Gives Root Permission on Linux

Post#3 by donald » 31 Oct 2018, 21:40

Imo, not so critical as it sounds (using porteus), but I could be wrong here.

Prerequisite for the attack is an X.org server running with setuid root.
If this is set for the X server, it can be started as a normal user,
but runs with root privileges.
An attacker also needs console access on the affected computer.
He must either be logged in with a service like SSH or locally on the computer.
With the X.org version 1.20.3 the problems were solved.

Porteus 4.0

Code: Select all

guest@porteus:~$ ls -lh /usr/bin/Xorg
-rwxr-xr-x 1 root root 273 Dec 23  2017
...no s bit set....

btw
It has been present in xorg-server since version 1.19.0
porteus 3.2.2 has Xorg 1.18.3... :)

Post Reply