oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file

From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 4 Nov 2020 11:36:13 +0100
Hello list,

a local privilege escalation has been discovered in the sddm display
manager [1].

sddm passes the -auth and -displayfd command line arguments when
starting the Xserver. It then waits for the display number to be
received from the Xserver via the `displayfd`, before the Xauthority
file specified via the `-auth` parameter is actually written. This
results in a race condition, creating a time window in which no valid
Xauthority file is existing while the Xserver is already running.

The X.Org server, when encountering a non-existing, empty or
corrupt/incomplete Xauthority file, will grant any connecting client
access to the Xorg display [2]. A local unprivileged attacker can thus
create an unauthorized connection to the Xserver and grab e.g. keyboard
input events from other legitimate users accessing the Xserver.

A simple reproducer works like this:

```
# run this from an unpriliged account before sddm is started to exploit
# the race condition and kill the X server
inotifywait /tmp/.X11-unix; while ! xkill; do :; done
```

The security issue was discovered by our SUSE sddm package maintainer
Fabian Vogt. The issue is included in sddm since version 0.12.0 and
was recently fixed in a new upstream release 0.19.0. The upstream commit
fixing this issue is found in [3]. The SUSE bugzilla bug tracking this
issue is found in [4].

[1]: https://github.com/sddm/sddm
[2]: https://github.com/freedesktop/xorg-xserver/blob/96d19e898acb56d8fc6e6febbc6498f67cdd66a0/os/auth.c#L190
[3]: https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222
[4]: https://bugzilla.suse.com/show_bug.cgi?id=1177201

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Attachment: signature.asc
Description:

Previous By Date Next
Previous By Thread Next

Current thread: