Skip to content
PATCH NOW

Easy-to-exploit privilege escalation bug bites OpenBSD and other big name OSes

The 23-month-old flaw can be exploited by untrusted with just three commands.

Dan Goodin | 104
Story text

Several big-name Linux and BSD operating systems are vulnerable to an exploit that gives untrusted users powerful root privileges. The critical flaw in the X.org server—the open-source implementation of the X11 system that helps manage graphics displays—affects OpenBSD, widely considered to be among the most secure OSes. It also impacts some versions of the Red Hat, Ubuntu, Debian, and CentOS distributions of Linux.

An advisory X.org developers published Thursday disclosed the 23-month-old bug that, depending on how OS developers configure it, lets hackers or untrusted users elevate very limited system rights to unfettered root. The vulnerability, which is active when OSes run X.org in privileged (setuid) mode, allows files to be overwritten using the -logfile and -modulepath parameters. It also makes it trivial for low-privilege users to escalate system rights. A variety of nuances are leading to widely divergent assessments of the bug's severity.

“Depending on whom you talk to, the reported severity will vary greatly,” Louis Dion-Marcil, a security researcher at GoSecure, told Ars. “I think most people will tell you it is very severe, and I would agree with them. The bug allows you to write arbitrary data to arbitrary files, which might seem trivial and not that dangerous, but it effectively allows regular, unprivileged users to elevate their privileges to the one of complete administrator of the system.”

Got root

As Matthew Hickey, cofounder of security firm Hacker House, demonstrated Thursday, CVE-2018-14665, as the bug is indexed, can be triggered from a remote SSH session on what at the time was a fully patched OpenBSD machine. While the attacker need not use a local console, the exploit does require an an already-created account on the vulnerable OpenBSD system. In Hickey’s example, the exploit elevates the account “developer” to “root” on a default version of OpenBSD 6.4-stable.

The three required commands, Hickey said, are:

cd /etc; Xorg -fp
"Root::16431:0:99999:7:::" -logfile
shadow  :1;su

“Overwrite shadow (or any) file on most Linux, get root privileges,” the researcher added. “*BSD and any other Xorg desktop also affected.”

Security researcher Brendan Coles confirmed that the exploit works on CentOS version 7.4:

Other security practitioners remained less convinced of the severity of CVE-2018-14665. With the exception of OpenBSD, most other OSes running a vulnerable version of X.org require attackers to have an active console session. That means attackers must be using the physically attached keyboard and mouse, not a remote session. The requirement “is a huge limitation,” Narendra Shinde, the security researcher credited with discovering the vulnerability, told Ars. Shinde has shared technical details about the vulnerability here.

Advisories or patches from OpenBSD, Red Hat, Debian, and Ubuntu are here, here, here, and here. People should check with developers of other Linux and BSD distributions to get their status. In the event that a patch isn’t available or can’t immediately be installed, the vulnerability can be mitigated by invoking chmod 755 on the installed X.org binary to remove the setuid privilege. X.org developers have cautioned, however, that this workaround can cause problems if the X window system starts using the “startx,” “xinit,” or similar commands.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
104 Comments