Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Nov 2020 12:51:27 -0500
From: "Demi M. Obenour" <demiobenour@...il.com>
To: "Vladimir D. Seleznev" <vseleznv@...msu.ru>,
 oss-security@...ts.openwall.com
Subject: Re: The importance of mutual authentication: Local
 Privilege Escalation in X11

On 11/10/20 11:43 AM, Vladimir D. Seleznev wrote:
> On Mon, Nov 09, 2020 at 11:00:50AM -0500, Demi M. Obenour wrote:
>> [...skip...]
>> ### Placing the X socket in a secure directory
>>
>> X11 is usually used with AF_UNIX sockets.  In this case, performing
>> the attack requires that either the directory containing the X socket
>> be writable by an attacker, or that the abstract namespace is in use.
>> If neither condition is met, the attack is thwarted.  In this case, the
>> server is implicitly authenticated by being able to write to a location
>> on the file system.  On systems other than macOS, placing the X socket
>> in a non-default directory requires changes to X.  On Linux, this also
>> requires that abstract sockets be disabled in the X client libraries.
>>
>> A user’s home directory is a safe location on virtually all systems.
>> /run/user/$UID is a good choice when it is secure and available,
>> such as on systemd-based Linux distributions.  /tmp/.X11-unix can
>> be made safer by ensuring that it is created before any untrusted
>> code runs and ensuring that untrusted code cannot write to it.
>> For example, it could be owned by root and have 0755 permissions.
>> For this to be effective, untrusted code must not be allowed to start
>> if creating /tmp/.X11-unix fails; this can be enforced by dropping
>> into single-user mode in this case.  Furthermore, if the standard
>> location for lock files (/tmp/.X*-lock) is used, there is still a
>> potential denial of service, as anyone can create a lock file and
>> prevent the legitimate server from starting.
> 
> This contravenes the ability to run X11 client from another user. The
> idea is that X11 server allows any clients with right credentials
> regardless of theirs processes UID or GID to connect to the server.

Indeed it does, and I mention cryptographic authentication mechanisms
below.  Instead of /tmp, /run/X11 would work just as well.  It is
the mutual authentication that matters.

Sincerely,

Demi

Download attachment "OpenPGP_0xB288B55FFF9C22C1.asc" of type "application/pgp-keys" (3987 bytes)

Download attachment "OpenPGP_signature" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.