oss-sec mailing list archives
Re: The importance of mutual authentication: Local Privilege Escalation in X11
From: "Vladimir D. Seleznev" <vseleznv () cs msu ru>
Date: Tue, 10 Nov 2020 19:43:47 +0300
On Mon, Nov 09, 2020 at 11:00:50AM -0500, Demi M. Obenour wrote:
[...skip...]
> ### Placing the X socket in a secure directory
>
> X11 is usually used with AF_UNIX sockets. In this case, performing the attack requires that either the directory containing the X socket be writable by an attacker, or that the abstract namespace is in use. If neither condition is met, the attack is thwarted. In this case, the server is implicitly authenticated by being able to write to a location on the file system.
>
> On systems other than macOS, placing the X socket in a non-default directory requires changes to X. On Linux, this also requires that abstract sockets be disabled in the X client libraries. A user's home directory is a safe location on virtually all systems. /run/user/$UID is a good choice when it is secure and available, such as on systemd-based Linux distributions.
>
> /tmp/.X11-unix can be made safer by ensuring that it is created before any untrusted code runs and ensuring that untrusted code cannot write to it. For example, it could be owned by root and have 0755 permissions. For this to be effective, untrusted code must not be allowed to start if creating /tmp/.X11-unix fails; this can be enforced by dropping into single-user mode in this case. Furthermore, if the standard location for lock files (/tmp/.X*-lock) is used, there is still a potential denial of service, as anyone can create a lock file and prevent the legitimate server from starting.
This contravenes the ability to run an X11 client as another user. The idea is that the X11 server allows any client with the right credentials, regardless of its process's UID or GID, to connect to the server.
> I recommend using /run/user/$UID when it exists, is owned by the user, and has 0700 permissions. Otherwise, a user's home directory (or subfolder thereof) is an acceptable fallback. I do not recommend continuing to use /tmp/.X11-unix, due to the risks outlined above.
>
> ### Explicit checking of peer credentials
>
> When `AF_UNIX` sockets are used (the most common case), the client can check the server's credentials using `SO_PEERCRED`, `SCM_CREDENTIALS`, or another platform-specific mechanism. The X.org server already has the code to check a peer's credentials, and can be configured to use this instead of `~/.Xauthority`. The set of trusted user IDs is system-dependent. Generally, it should include the superuser and the UID of the X client, but on some systems (such as OpenBSD), the X server runs as a dedicated non-privileged user, which may also need to be included in the trusted UID list.
-- 
WBR,
Vladimir D. Seleznev
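What the two quoted recommendations amount to on the client side, as an added example that is not code from this thread, from Xlib or from the X.org server: a check that the peer on an AF_UNIX socket runs as one of a small set of trusted UIDs (Linux `SO_PEERCRED`), and a check that the directory holding the socket is a real directory owned by the expected user and not group- or world-writable. The names `peer_cred`, `peer_uid_trusted`, `socket_dir_is_safe` and the two `demo_*` helpers are chosen here, and the `/tmp/xsock-demo-XXXXXX` path is constructed for the demo only.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
/* Mirrors the kernel's struct ucred layout (pid, uid, gid); local so no feature macros are needed. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };
/* Ask the kernel who is on the other end of an AF_UNIX socket and compare it
 * with the trusted UID set (root, our own UID, maybe a dedicated X server UID).
 * Returns 1 if trusted, 0 if not, -1 if the credentials are unavailable. */
int peer_uid_trusted(int fd, const uid_t *trusted, size_t n)
{
    struct peer_cred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (cr.uid == trusted[i])
            return 1;
    return 0;
}
/* A safe socket directory: a real directory (lstat rejects symlinks), owned by
 * the expected user, and not writable by group or others. */
int socket_dir_is_safe(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* Demo: a socketpair's peer is this process, so the check passes only when
 * our own effective UID is in the trusted list (geteuid()+1 can never match). */
int demo_peer_check(int include_self)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    uid_t trusted[1] = { include_self ? geteuid() : geteuid() + 1 };
    int r = peer_uid_trusted(sv[0], trusted, 1);
    close(sv[0]); close(sv[1]);
    return r;
}
/* Demo: a fresh mkdtemp() directory (mode 0700, owned by us) must pass. */
int demo_dir_check(void)
{
    char tmpl[] = "/tmp/xsock-demo-XXXXXX";   /* constructed, not an X path */
    if (mkdtemp(tmpl) == NULL) return -1;
    int r = socket_dir_is_safe(tmpl, geteuid());
    rmdir(tmpl);
    return r;
}
```

A world-writable directory such as /tmp itself fails `socket_dir_is_safe` whoever owns it, which is the property that makes the socket's location an implicit authenticator of the server.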