![\"X.Org](\"https:\/\/betanews.com\/wp-content\/uploads\/2018\/10\/x-org-logo.jpg\"){kind=logo}
<\/p>\n<\/p>\n
An “incorrect command-line parameter validation” vulnerability in X.Org server makes it possible to escalate privileges as well as overwrite files. The problem affects Linux and BSD distributions using the open source X Window System implementation.<\/p>\n
The vulnerability has been present for a couple of years, but has been brought to light by security researcher Narendra Shinde. Unpatched system can be exploited by non-root users if X server is running with elevated privileges.<\/p>\n
See also:<\/p>\n
A security advisory<\/a> posted to the X.Org mailing list explains that: “Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and\/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user)”.<\/p>\n The vulnerability has been assigned CVE-2018-14665, and Bleeping Computer<\/a> — saying it is “trivial to exploit” — explains how it works:<\/p>\n Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option.<\/p><\/blockquote>\n Although the exploit is not a major security issue in itself, in combination with other exploits it could prove highly problematic. The X.Org mailing list post says:<\/p>\n The commit https:\/\/gitlab.freedesktop.org\/xorg\/xserver\/commit\/032b1d79b7<\/a> which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above.<\/p>\n Overwriting \/etc\/shadow with -logfile can also lead to privilege elevation since it’s possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems.<\/p><\/blockquote>\n A patch<\/a> was added to the xserver repository on this week, but X.Org adds:<\/p>\n If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the ‘startx’, ‘xinit’ commands or variations thereof.<\/p>\n X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.<\/p><\/blockquote>\n