Vigil@nce: Debian, remote start of X
December 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
On Debian, a remote authenticated attacker can start the X server.
– Severity: 1/4
– Creation date: 16/12/2011
IMPACTED PRODUCTS
– Debian Linux
DESCRIPTION OF THE VULNERABILITY
On Debian, the /usr/bin/X program checks if the user is on a
console, before starting Xorg with root privileges.
In order to do so, the onConsole() function of file
debian/local/xserver-wrapper.c checks if stdin is a Character
Device with a Major Number of TY_MAJOR_DEV (4) or
ALT_TTY_MAJOR_DEV (5).
However, /dev/tty and /dev/ptmx have a Major Number of
ALT_TTY_MAJOR_DEV, but they are not consoles. An attacker can
therefore redefine his stdin to these devices, in order to be
allowed to start the X server.
On Debian, a remote authenticated attacker can therefore start the
X server. The remote attacker can then exploit X vulnerabilities
such as VIGILANCE-VUL-11071 (https://vigilance.fr/tree/1/11071).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Debian-remote-start-of-X-11234