Fwd: The importance of mutual authentication: Local Privilege Escalation in X11

Niclas Zeising zeising+xorg at daemonic.se
Sat Nov 21 08:38:47 UTC 2020


On 2020-11-18 20:29, Demi M. Obenour wrote:
> On 11/16/20 1:30 AM, Keith Packard wrote:
>> Alan Coopersmith <alan.coopersmith at oracle.com> writes:
>>
>>> Since this is now public, we can open up the discussion of how to fix it in
>>> public as well, and hope we can make more progress than the security list
>>> did during the embargo phase.
>>
>> I've got a proposed fix for this issue in two merge requests, one for
>> xcb and the other for the X server:
>>
>>          https://gitlab.freedesktop.org/xorg/lib/libxcb/-/merge_requests/10
>>
>>          https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/546
>>
>> These two changes enable code used on Mac OS X for all other platforms.
>> This code allows the X listen socket to be placed anywhere in the file
>> system. Systems which currently place that in /tmp are vulnerable to the
>> bug reported above. Placing this listen socket in a protected location
>> should prevent un-privileged applications from spoofing the X server for
>> the user.
>>
>> Patches for ssh will be needed to close the security issue when
>> forwarding X connections through that.
> 
> Do those MRs also prevent clients and servers from using abstract
> sockets?  Those are inherently insecure, so support for them should
> probably just be removed.  Additionally, will libX11 also be updated?
> 
> Sincerely,
> 
> Demi
> 

Hi!
Thank you for working on this!
I'm a bit unsure how this is to be handled on non-Linux systems. 
FreeBSD doesn't have /run/, as suggested as a place for the socket 
somewhere in the thread, for instance.  I'm not sure I understand how 
the socket and related files are created, and their life cycle.  Does 
the X server create them on startup, or are they created some other way?
With the proposed changes above, where will sockets be put, at which 
stage, and with which permissions?

Thank you!
Regards
-- 
Niclas Zeising
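
The "protected location" property discussed in this thread can be checked from the client side; the sketch below is an added example, not code from this message or from the linked merge requests. It tests whether the directory holding an X listen socket, and every ancestor of it, can only be modified by root or the calling user. The function names and the default path `/tmp/.X11-unix/X0` (the conventional location, not stated in the thread) are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A directory is protected for uid `me` when only root or `me` can add or
 * replace entries. sticky_ok is set for ancestors only: in a sticky directory
 * such as /tmp, other users cannot rename or remove an existing entry they do
 * not own, but they can still create a name that is missing. */
static int dir_is_protected(const struct stat *st, uid_t me, int sticky_ok)
{
    if (!S_ISDIR(st->st_mode)) return 0;
    if (st->st_uid != 0 && st->st_uid != me) return 0;
    if ((st->st_mode & (S_IWGRP | S_IWOTH)) == 0) return 1;
    return sticky_ok && (st->st_mode & S_ISVTX) != 0;
}

/* Returns 1 if the socket's directory and all ancestors up to / are
 * protected, 0 if some component is not, -1 on error. */
static int socket_dir_is_protected(const char *sock_path, uid_t me)
{
    char dir[PATH_MAX], real[PATH_MAX];
    struct stat st;
    char *slash;
    int depth;

    if (strlen(sock_path) >= sizeof dir) return -1;
    strcpy(dir, sock_path);
    if ((slash = strrchr(dir, '/')) == NULL) return -1;
    *slash = '\0';                              /* drop the socket name */
    if (realpath(dir[0] ? dir : "/", real) == NULL) return -1;
    for (depth = 0;; depth++) {
        if (stat(real, &st) != 0) return -1;
        if (!dir_is_protected(&st, me, depth > 0)) return 0;
        if (strcmp(real, "/") == 0) return 1;
        slash = strrchr(real, '/');             /* step up to the parent */
        if (slash == real) real[1] = '\0'; else *slash = '\0';
    }
}

int main(int argc, char **argv)
{
    const char *p = argc > 1 ? argv[1] : "/tmp/.X11-unix/X0"; /* assumed default */
    int r = socket_dir_is_protected(p, geteuid());
    printf("%s: %s\n", p, r == 1 ? "protected" : r == 0 ? "NOT protected" : "error");
    return r == 1 ? 0 : 1;
}
```

A root-owned, sticky, world-writable socket directory is reported as not protected, because any local user can create the socket name there while no server is listening on it.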

