X wrapper: Permission bypass (CVE-2011-4613)

Sat, 17 Dec 2011 15:28:42 +0100
Tags: security

While I was developing the exploit against CVE-2011-4029, I was a bit frustrated because on Debian systems the attacker needed to launch it from a real TTY. This was because Debian's X wrapper (/usr/bin/X) does not allow a non-root user, logged in from a remote session, to start the X server.

I finally found a fun trick to bypass this security restriction. A full description is available in the Debian bug report (the vulnerable package is xserver-xorg version <=1:7.5+8).

Here is a trivial PoC that allows any user to launch the X server:

The exploit against CVE-2011-4029 has been updated accordingly. It can now be launched from anywhere, not just from a TTY.

Other references: