Fwd: The importance of mutual authentication: Local Privilege Escalation in X11

Demi M. Obenour demiobenour at gmail.com
Sat Nov 21 18:24:47 UTC 2020


On 11/21/20 3:38 AM, Niclas Zeising wrote:
> On 2020-11-18 20:29, Demi M. Obenour wrote:
>> On 11/16/20 1:30 AM, Keith Packard wrote:
>>> Alan Coopersmith <alan.coopersmith at oracle.com> writes:
>>>
>>>> Since this is now public, we can open up the discussion of how to fix it in
>>>> public as well, and hope we can make more progress than the security list
>>>> did during the embargo phase.
>>>
>>> I've got a proposed fix for this issue in two merge requests, one for
>>> xcb and the other for the X server:
>>>
>>>          https://gitlab.freedesktop.org/xorg/lib/libxcb/-/merge_requests/10
>>>
>>>          https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/546
>>>
>>> These two changes enable code used on Mac OS X for all other platforms.
>>> This code allows the X listen socket to be placed anywhere in the file
>>> system. Systems which currently place that in /tmp are vulnerable to the
>>> bug reported above. Placing this listen socket in a protected location
>>> should prevent un-privileged applications from spoofing the X server for
>>> the user.
>>>
>>> Patches for ssh will be needed to close the security issue when
>>> forwarding X connections through that.
>>
>> Do those MRs also prevent clients and servers from using abstract
>> sockets?  Those are inherently insecure, so support for them should
>> probably just be removed.  Additionally, will libX11 also be updated?
>>
>> Sincerely,
>>
>> Demi
>>
> 
> Hi!
> Thank you for working on this!
> I'm a bit unsure how this is to be handled on non-Linux systems. FreeBSD doesn't have /run/, as suggested as a place for the socket somewhere in the thread, for instance.  I'm not sure I understand how the socket and related files are created, and their life cycle.  Does the X server create them on startup, or are they created some other way?
> With the proposed changes above, where will sockets be put, at which stage, and with which permissions?

That’s up to the display manager.  I strongly recommend that
other UNIX-like OSs implement XDG_RUNTIME_DIR, for security reasons.
That said, in the absence of such a directory, sockets can be put in
a subdirectory of the user’s home directory.

XDG_RUNTIME_DIR can be implemented without the need for systemd
or similar.  For instance, one could have a setuid root binary that
creates a directory named /var/run/user/$UID and chowns it to the
invoking user ID.  One could also implement a daemon that does the
same task.

> Thank you!

You’re welcome!

> Regards
> -- 
> Niclas Zeising

Sincerely,

Demi Obenour
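
A sketch of the helper logic described in the reply above, added as an example and not code from this thread or from any X.Org project: create `<base>/<uid>`, hand it to the invoking user, and verify owner and mode before a socket is placed there. The function names and the temporary base directory standing in for /var/run/user are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 if path is a real directory (not a symlink) owned by uid with mode 0700. */
int runtime_dir_ok(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_uid == uid && (st.st_mode & 07777) == 0700) ? 0 : -1;
}

/* Create <base>/<uid> and hand it to uid. Assumption: base is writable only
 * by the caller (root, for the setuid helper), so nobody else can pre-create
 * or swap the entry. Writes the resulting path to out. */
int make_runtime_dir(const char *base, uid_t uid, char *out, size_t outlen)
{
    struct stat st;
    int fd, rc = -1;
    int n = snprintf(out, outlen, "%s/%lu", base, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    /* Work on a descriptor so a symlink at this name is never followed. */
    fd = open(out, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 &&
        (st.st_uid == uid ||                      /* already the user's */
         (st.st_uid == geteuid() && fchown(fd, uid, (gid_t)-1) == 0)) &&
        fchmod(fd, 0700) == 0)
        rc = runtime_dir_ok(out, uid);
    close(fd);
    return rc;
}

int main(void)
{
    char base[] = "/tmp/rtdir-demo-XXXXXX"; /* constructed stand-in for /var/run/user */
    char dir[256];
    if (!mkdtemp(base) || make_runtime_dir(base, getuid(), dir, sizeof dir) != 0)
        return 1;
    printf("XDG_RUNTIME_DIR=%s\n", dir);
    return 0;
}
```

A client can call `runtime_dir_ok()` on the directory holding the socket before connecting; a directory that is group- or world-accessible, owned by another user, or reached through a symlink is rejected.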