Date: Wed, 4 Nov 2020 11:36:13 +0100 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: sddm: CVE-2020-28049: local privilege escalation due to race condition in creation of the Xauthority file Hello list, a local privilege escalation has been discovered in the sddm display manager . sddm passes the -auth and -displayfd command line arguments when starting the Xserver. It then waits for the display number to be received from the Xserver via the `displayfd`, before the Xauthority file specified via the `-auth` parameter is actually written. This results in a race condition, creating a time window in which no valid Xauthority file is existing while the Xserver is already running. The X.Org server, when encountering a non-existing, empty or corrupt/incomplete Xauthority file, will grant any connecting client access to the Xorg display . A local unprivileged attacker can thus create an unauthorized connection to the Xserver and grab e.g. keyboard input events from other legitimate users accessing the Xserver. A simple reproducer works like this: ``` # run this from an unpriliged account before sddm is started to exploit # the race condition and kill the X server inotifywait /tmp/.X11-unix; while ! xkill; do :; done ``` The security issue was discovered by our SUSE sddm package maintainer Fabian Vogt. The issue is included in sddm since version 0.12.0 and was recently fixed in a new upstream release 0.19.0. The upstream commit fixing this issue is found in . The SUSE bugzilla bug tracking this issue is found in . : https://github.com/sddm/sddm : https://github.com/freedesktop/xorg-xserver/blob/96d19e898acb56d8fc6e6febbc6498f67cdd66a0/os/auth.c#L190 : https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222 : https://bugzilla.suse.com/show_bug.cgi?id=1177201 Cheers Matthias -- Matthias Gerstner <matthias.gerstner@...e.de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Phone: +49 911 740 53 290 GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Felix Imendörffer Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.