Linux systems vulnerable to privilege escalation and file overwrite exploit in X.Org server
An "incorrect command-line parameter validation" vulnerability in X.Org server makes it possible to escalate privileges as well as overwrite files. The problem affects Linux and BSD distributions using the open source X Window System implementation.
The vulnerability has been present for a couple of years, but has been brought to light by security researcher Narendra Shinde. Unpatched systems can be exploited by non-root users if the X server is running with elevated privileges.
A security advisory posted to the X.Org mailing list explains that: "Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user)".
The vulnerability has been assigned CVE-2018-14665, and Bleeping Computer -- saying it is "trivial to exploit" -- explains how it works:
Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option.
Although the exploit is not a major security issue in itself, in combination with other exploits it could prove highly problematic. The X.Org mailing list post says:
The commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above.
Overwriting /etc/shadow with -logfile can also lead to privilege elevation since it's possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems.
A patch was added to the xserver repository this week, but X.Org adds:
If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the 'startx', 'xinit' commands or variations thereof.
X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.
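As an added example (not part of the article, the advisory, or any X.Org code), the following POSIX shell script does three things an administrator would want after reading the advice above: it reports whether the installed Xorg binary carries the setuid bit, it applies the interim mitigation X.Org describes (chmod 755, dropping setuid), and it flags process listings in which a non-root real user launched Xorg with the -modulepath or -logfile options named in the advisory. The candidate binary paths and the "real user followed by command line" input format (as produced by `ps -eo ruser,args`) are assumptions; the sample process lines are constructed.

```shell
#!/bin/sh
# Added example, not from the article or X.Org: audit, mitigate and detect
# around CVE-2018-14665 (setuid Xorg >= 1.19.0 with -modulepath / -logfile).

# Print the octal mode of a file; tries GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Return 0 if the file has the setuid bit set (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Locate the Xorg binary. The candidate paths are assumptions; adjust per distro.
find_xorg() {
    for p in /usr/lib/xorg/Xorg /usr/bin/Xorg /usr/X11R6/bin/Xorg /usr/local/bin/Xorg; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Audit one binary. Exit status: 0 = setuid (exposed if unpatched),
# 1 = not setuid, 2 = binary not found.
audit_xorg() {
    bin=$1
    if [ ! -e "$bin" ]; then
        echo "no Xorg binary at $bin"
        return 2
    fi
    if is_setuid "$bin"; then
        echo "WARNING: $bin is setuid (mode $(file_mode "$bin")); an unpatched xorg-server >= 1.19.0 is exposed to CVE-2018-14665"
        return 0
    fi
    echo "OK: $bin is not setuid (mode $(file_mode "$bin"))"
    return 1
}

# Interim mitigation from the advisory: drop the setuid bit (chmod 755).
# On a real system this needs root, and startx/xinit may stop working;
# start X through a display manager instead.
mitigate_xorg() {
    chmod 755 "$1" && echo "removed setuid bit from $1; use a display manager to start X"
}

# Detection heuristic over one "ruser args" line (e.g. from ps -eo ruser,args):
# return 0 when a non-root real user started Xorg with -modulepath or -logfile.
# Root running Xorg with these options (e.g. a display manager's -logfile) is normal.
flag_cmdline() {
    user=${1%% *}
    args=${1#* }
    case "$args" in
        *Xorg*) ;;
        *) return 1 ;;
    esac
    [ "$user" = root ] && return 1
    case " $args " in
        *" -modulepath "*|*" -logfile "*) return 0 ;;
    esac
    return 1
}

# Scan a whole process listing (stdin) and print the suspicious lines.
scan_processes() {
    while IFS= read -r line; do
        if flag_cmdline "$line"; then
            echo "SUSPICIOUS: $line"
        fi
    done
}

# Stand-alone run: audit the installed binary if one is found, then scan a
# constructed process listing (not real system data).
if bin=$(find_xorg); then
    audit_xorg "$bin"
fi
printf '%s\n' \
    'root /usr/lib/xorg/Xorg -logfile /var/log/Xorg.0.log :0' \
    'alice /usr/lib/xorg/Xorg -modulepath /tmp/constructed-modules :1' \
    'alice /usr/bin/vim notes.txt' | scan_processes
```

To apply the mitigation for real, run `mitigate_xorg "$(find_xorg)"` as root; to scan live processes, pipe `ps -eo ruser,args` into `scan_processes`. Note that `ps` must report the real user (ruser), not the effective user, because a setuid Xorg started by an ordinary user shows an effective user of root.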