
Hacker News Comments on
eXploit X : "Give Me Root" - Computerphile

Computerphile · Youtube · 72 HN points · 0 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Computerphile's video "eXploit X : "Give Me Root" - Computerphile".
Youtube Summary
One line of code can get root access on many Linux systems. Dr Steve Bagley demos the exploit.

More info from The Register (updated link): https://bit.ly/2AAQnRT

On the subject of the 'censored' part, we fully appreciate that anyone can find out what that code is, but we're demoing & explaining it, not giving a resource for those who want to do it. If anyone wants to know the code simply look in the comments! hth -Sean

SHA: Secure Hashing Algorithm https://www.youtube.com/watch?v=DMtFhACPnTY
Hardware Hacking: https://www.youtube.com/watch?v=eOPLQxGNmHA

https://www.facebook.com/computerphile
https://twitter.com/computer_phile

This video was filmed and edited by Sean Riley.

Computer Science at the University of Nottingham: https://bit.ly/nottscomputer

Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Nov 10, 2018 · 72 points, 38 comments · submitted by octosphere
_nalply
The exploit is overwriting /etc/shadow with the log of Xorg. If you pass the right string somehow you overwrite the root password. The trick is setting the font path and the font path appears in the log. Of course this fills /etc/shadow with a lot of bogus data, but one line in the log which describes the root password is enough. Xorg can overwrite /etc/shadow when it is setuid root.

Attention: don't attempt it on a system you need. The exploit destroys all users' passwords. Or at least make a copy of /etc/shadow before trying.

bruxis
Aside from a manual backup, it appears that Xorg will create an `/etc/shadow.old` file (at least on the system I tested) that can be restored once root access is gained.
smsm42
> The exploit is overwriting /etc/shadow with the log of Xorg.

That took me a couple of seconds to read, and I got virtually the same information as from the 11-minute video. I think there's no question about which way of doing things is more efficient.

DyslexicAtheist
# get root:

   cd /etc; Xorg -fp "root::<passwd>::" -logfile shadow :1;su
NullPrefix
xorg-server doesn't need suid useflag these days anymore, does it?
megous
% ls -l /bin/Xorg
-rwxr-xr-x 1 root root 271 Oct 25 18:42 /bin/Xorg
caf
That 271 byte file is just a shell script that execs either Xorg.wrap or Xorg from the X basedir (eg /usr/lib/xorg/). One of those target files is usually setuid.

If you have Xorg.wrap, it will be the setuid file and it is usually configured to drop root before executing the real Xorg if root isn't needed (eg. KMS is available).

acd
The Xorg process runs as the root user unless you are using Wayland.

Innovative way of using X11.

dan1234
How many Linux servers have Xorg installed? Certainly none of mine, though I mainly work with web & DB servers.
k_sze
Some people install Xorg on their servers because they need to render stuff (e.g. using OpenGL or Vulkan).
gdamjan1
That's not needed at all, unless you have legacy applications.

You can open a DRI render device node and use it directly.

pastage
Lots of RHEL servers do, but I would guess that SELinux stops this exploit; I see no reason for X to have write permission in /etc.
stutonk
Already been patched in any case.

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885...

gizmo686
Red Hat ships with a targeted policy. Most of the non-network programs are put in a very permissive domain to avoid breakage.

I just checked the CentOS policy[0] (not at work and don't have easy access to the Red Hat repos).

It appears that xserver_t does have write access to both etc_t and shadow_t [1].

More specifically, xserver_t is part of the selinux_unconfined_type attribute, which means that it can do pretty much anything. (Even more specifically, it is part of the files_unconfined_type attribute, which gives it write permissions to everything in file_type):

  > sesearch --allow -s xserver_t -t shadow_t -c file policy.31
  allow files_unconfined_type file_type:file execmod; [ selinuxuser_execmod ]:True
  allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };

[0] https://centos.pkgs.org/7/centos-updates-x86_64/selinux-poli...

[1] Because of its sensitive nature, /etc/shadow has its own SELinux label

EugeneOZ
Why video? It's not about fashion or architecture, please people use text.
octosphere
Some people (like me) are visual learners / auditory learners and Computerphile caters to that niche of learners. This is why I prefer videos/audio over tangible books that you can hold. It is also common to see me putting blogposts into text-to-speech programs and then I listen to them at night or on the train.
copperx
Sure, there are accessibility issues for people like you, but the density of text cannot be overstated. Imagine transforming a textbook with all of its details into videos with explanations at the same level of detail. It's a gargantuan task, and the playtime of such content would be in the order of years, not hours.
EugeneOZ
Well.. I knew about visual learners; I didn't know how strong this effect is. At least I learned something today :) Sorry.
a_bonobo
Both of you may be interested in this research from last year:

No evidence to back idea of learning styles

https://www.theguardian.com/education/2017/mar/12/no-evidenc...

EugeneOZ
It's not research, it's just a manifest.
octosphere
We are naturally inclined to have certain biases towards different learning styles. It's really a psychology issue. What bothers me about these studies that claim we should 'work harder' on our weaknesses (i.e. visual learners should read more books/text) is that we should also build on strengths.

When you bolster one learning style and neglect the other, but learn more in the process of the preferred learning style, then why not see it to the end, and understand / digest the knowledge gained?

I guess it is about balance. If I am a pure visual (or auditory) learner, then surely I would have learned that books/text have their place. I imagine that the greatest learners out there use all the learning styles but still have a bias towards their learning style. How pronounced that bias is, is still unknown.

tyingq
Of course, no study is needed to confirm that people have preferences...regardless of outcome.
Sphax
Computerphile is a YouTube channel, of course they're going to make a video.
nubb
It would have been nice for a writeup to have been included. Everyone wants to make a buck off YouTube hits.
ktm5j
It's a Youtube series, what do you expect??

Go find your own article if it bothers you.

tgsovlerkhgsel
I suspect it's either easier to a) monetize b) get a permanent audience (via YouTube), or at least perceived as such.
dan1234
I haven’t seen a proper writeup, just news and bug reports.

https://www.theregister.co.uk/2018/10/25/x_org_server_vulner...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1466...

https://lists.x.org/archives/xorg-announce/2018-October/0029...

EugeneOZ
thank you!
molsson
Looks like it was patched in Ubuntu 18.04 just two weeks ago, see "apt changelog xserver-xorg-core":

xorg-server (2:1.19.6-1ubuntu4.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation and file overwrite
    - debian/patches/CVE-2018-14665.patch: disable -logfile and -modulepath
      when running with elevated privileges in
      hw/xfree86/common/xf86Init.c.
    - CVE-2018-14665

 -- Marc Deslauriers <[email protected]>  Thu, 25 Oct 2018 11:18:32 -0400
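The check that changelog entry describes, written out as an added example in C. This is not xorg-server's code: the function names, the option table and the constructed command line in demo_check are this example's own.

```c
/* Added example, not xorg-server's code: the pattern behind the fix in
 * the changelog above. When a setuid program runs with elevated
 * privileges, options that name a file it will write or load must be
 * refused, because the user choosing "-logfile /etc/shadow" is not the
 * user whose privileges perform the write. Names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Elevated means the real and effective ids differ: the binary was
 * started setuid/setgid and is acting with privileges the caller lacks. */
int privs_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}
/* Options that let the invoking user pick where root writes or what
 * code root loads. -fp is deliberately not here: the fix removes the
 * write primitive, not the font path that ends up in the log. */
static const char *const path_options[] = { "-logfile", "-modulepath", NULL };
/* 1 if opt may be honoured in this privilege state, 0 if it must not. */
int option_permitted(const char *opt, int elevated)
{
    for (const char *const *p = path_options; *p; p++)
        if (strcmp(opt, *p) == 0)
            return !elevated;
    return 1;
}
/* Index of the first refused option, or 0 if the command line is fine. */
int check_args(int argc, char *argv[], int elevated)
{
    for (int i = 1; i < argc; i++)
        if (argv[i][0] == '-' && !option_permitted(argv[i], elevated)) {
            fprintf(stderr, "%s is not permitted with elevated privileges\n", argv[i]);
            return i;
        }
    return 0;
}
/* Constructed command line: a user-chosen log path after a font path.
 * With elevated=1 the -logfile at index 3 is refused. */
int demo_check(int elevated)
{
    char *argv[] = { "Xorg", "-fp", "/usr/share/fonts", "-logfile", "/tmp/x.log", ":1" };
    return check_args(6, argv, elevated);
}

int main(int argc, char *argv[])
{
    return check_args(argc, argv, privs_elevated()) ? 1 : 0;
}
```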
_nalply
Xorg might not be the only exploitable software. Here is the approach to search for other exploits:

1. Is the software setuid-root?

2. Does the software stay as root?

3. Can you make it write a user description line like the ones in /etc/shadow?

4. Can you direct it to write to /etc/shadow?

An example: Xorg is setuid-root and stays as root. Pass it root's description line as a (bogus) font path and it will write an error message. Redirect the error message to /etc/shadow and your exploit is finished.

I am afraid that other setuid-root programs could be exploitable.

setuid-root is extremely dangerous.

molsson
Find other setuid binaries on your system using:

   find / -user root -perm -4000 -print 2>&1 | grep -v "Permission denied"
netsec_burn
Wouldn't it be far safer to use cron? Or authorized_keys? Why passwd?
MayeulC
I am not sure I quite got your question, and had a very succinct look at the video, but passwd is being used here as a way to check whether the user has root access.

It is important to note that this exploit is an old one, has been known for a while, and is one of the things being addressed by switching to Wayland.

That said, a lot of work has been done towards running X11 rootless (Arch for instance [1]). That should be possible as long as you use DRI, as far as I know (which is the case if you use a graphics card less than about ~10-20 years old, depending on the brand).

[1] https://wiki.archlinux.org/index.php/Xorg#General

megous
One way I got root recently, aside from pivoting on a setuid 0 binary, was calling seteuid(0). The vendor's program manager on the device forgot to setuid(user_id), it only seteuid(user_id). So going back to root was as easy as seteuid(0). The joy of real and effective process user. :)

Another easy way, if you have a way to provide your own filesystem to the device (via SD card for example), is to just put an Ext filesystem on it and add your own setuid 0 binary there. Device makers sometimes don't know what they're doing, so they don't mount untrusted removable devices with -o nosuid,noexec,nodev ...

That works even if there's no usable setuid 0 binary on the rootfs.
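The seteuid()-versus-setuid() mistake described in the comment above, shown as an added example in C (not the vendor's code). It models the Linux rules for the real, effective and saved uids so the difference can be demonstrated without running as root; the struct and function names are this example's own.

```c
/* Added example, not the vendor code from the comment above. It models
 * the Linux rules for the real, effective and saved uids: a process with
 * effective uid 0 may set any id, an unprivileged one may only set each
 * id to one of its current real, effective or saved values (setresuid(2)).
 * All names here are this example's own. */
typedef struct { unsigned ruid, euid, suid; } creds;

static int is_current(const creds *c, unsigned id)
{
    return id == c->ruid || id == c->euid || id == c->suid;
}
/* Model of setresuid(): 0 on success, -1 where the kernel gives EPERM. */
int model_setresuid(creds *c, unsigned r, unsigned e, unsigned s)
{
    if (c->euid != 0 &&
        (!is_current(c, r) || !is_current(c, e) || !is_current(c, s)))
        return -1;
    c->ruid = r; c->euid = e; c->suid = s;
    return 0;
}
/* seteuid() touches only the effective uid; real and saved stay put. */
int model_seteuid(creds *c, unsigned e)
{
    return model_setresuid(c, c->ruid, e, c->suid);
}
/* setuid() called with effective uid 0 replaces all three ids;
 * unprivileged, it behaves like seteuid(). */
int model_setuid(creds *c, unsigned u)
{
    if (c->euid == 0)
        return model_setresuid(c, u, u, u);
    return model_seteuid(c, u);
}
/* The bug: after seteuid(user) the saved uid is still 0, so the
 * "dropped" process can ask for root back. Returns 1 if it got it. */
int regain_after_seteuid(unsigned user)
{
    creds c = { 0, 0, 0 };          /* started as root or setuid-root */
    model_seteuid(&c, user);
    return model_seteuid(&c, 0) == 0 && c.euid == 0;
}
/* The fix: setuid(user) as root overwrites the saved uid too, so a
 * later seteuid(0) is refused. Returns 1 only if root was regained. */
int regain_after_setuid(unsigned user)
{
    creds c = { 0, 0, 0 };
    model_setuid(&c, user);
    return model_seteuid(&c, 0) == 0 && c.euid == 0;
}
```

On a real system the permanent drop also needs setgroups() and setresgid() before setresuid(), in that order, so no privileged group id is left behind either.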

amelius
Yes, on Unix, cross-filesystem access control is traditionally ill-defined, and I'm not surprised this is used to gain unauthorized access.
megous
It doesn't help my confidence in the world that this was a PoS terminal device from a self-described "Leader in Payment Terminals". But hey, they even read random files on the filesystem from a kernel USB device driver, and they probably got to the market first, so that's what matters.

Thankfully, AFAIK, this particular device is not sold anymore.

microcolonel
> a self-described "Leader in Payment Terminals"

In a marathon, the leader is not so much the healthiest of the bunch.

Also, this is a PoS terminal. If there's any wonder left in you for how they could mess this up so badly, I'm guessing this is the first one you've seen. ;-)

megous
Yes, the first one. One thing I liked about it though is that the vendor uses uniform ioctl calling convention for pretty much everything they implement in the kernel, so I have modified strace to decode their ioctl payload, and I was able to rewrite most of their library code with my implementation, with the help of traces of their demo app. Now I can drop their complicated and buggy userspace code completely and use my own rootfs.

The kernel is harder, since they also violate GPL and don't provide kernel source code along with their terminal, and neither does their SoC vendor.

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.