Vulnerability would allow privilege escalation and malicious code execution
A digital forensics investigator discovered a critical vulnerability in the X.Org server package that affects OpenBSD and most Linux distributions, including Debian, Ubuntu, CentOS, Red Hat, and Fedora.
X.Org X Server is a popular open source implementation of the X11 window system that provides a graphical environment for a wide range of hardware platforms and operating systems. According to digital forensics specialists at the International Institute of Cyber Security, it acts as an intermediary between client applications and users, managing the graphical displays.
According to a publication by engineer Narendra Shinde, Xorg Server does not correctly handle and validate the arguments of at least two command-line parameters, allowing a user with limited privileges to execute malicious code and overwrite any file, including files owned by highly privileged users on the system.
The vulnerability, tracked as CVE-2018-14665, was introduced in the X.Org Server 1.19.0 package and remained undetected for nearly two years. It could be exploited by a local attacker, either at the terminal or over SSH, to elevate their privileges on the targeted system.
According to the report published by Shinde, the two vulnerable parameters in question are:
- modulepath: sets a directory path in which to search for X Server modules
- logfile: sets a new log file for the Xorg server, instead of the default log file found in /var/log/Xorg.n.log on most platforms
In its security advisory, X.Org stated: “When the X server is run with elevated privileges, the modulepath argument can be used to specify an unsafe path to the modules to be loaded on the X server, allowing you to execute unprivileged code in the privileged process”.
Separately, a cybersecurity and digital forensics firm stated: “An incorrect permission check for the modulepath and logfile options when the Xorg X server is launched allows unprivileged users who can log on to the system through the physical console to escalate their privileges and execute arbitrary code with root privileges”.
Security researcher Matthew Hickey shared a proof-of-concept exploit for this vulnerability on Twitter, noting that “an attacker can literally take care of the affected systems with 3 commands or less”.
The X.Org Foundation has now released version 1.20.3 of the X.Org server with security patches that fix the problem.
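The two mishandled options listed above and the 1.20.3 fix version give a defender two concrete things to check: whether an unprivileged account has launched the X server with -modulepath or -logfile, and whether the installed server predates the fix. The script below is an added example written for this article; it is not code from X.Org, from Shinde's publication or from the article itself. It assumes (my assumption, not the article's) that process records are available as constructed lines of the form "<uid> <user> <command line>", the shape a collector could derive from auditd EXECVE events or from `ps -o uid,user,args`, and that the version string comes from output such as `Xorg -version`.

```python
"""Added defender-side example (not from the article or X.Org): flag X server
launches that pass -modulepath or -logfile, the two options the article names,
and check whether a reported X server version predates the 1.20.3 fix.

Assumption (not from the article): process records are constructed lines in
the shape "<uid> <user> <command line>".
"""
import os
import re
import shlex
import stat
from typing import Dict, List, Tuple

# Options the article names as mishandled when Xorg runs with elevated
# privileges. Assumption: Xorg receives them as separate argv tokens.
RISKY_OPTIONS = {"-modulepath", "-logfile"}
FIXED_VERSION = (1, 20, 3)  # X.Org Server release the article says fixes the bug

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    "0 root /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 vt7",
    "1000 alice /usr/lib/xorg/Xorg -logfile /tmp/alice.log :1",
    "1001 bob /usr/bin/X -modulepath /home/bob/mods :2",
    "1000 alice /usr/bin/firefox -new-window",
    "1002 carol /usr/lib/xorg/Xorg :3 vt8",
]

# Matches the usual X server binary names at the end of a path.
XORG_BIN = re.compile(r"(^|/)(Xorg|X)$")


def parse_record(line: str) -> Dict[str, object]:
    """Split a constructed record into uid, user name and argv."""
    uid, user, cmdline = line.split(" ", 2)
    return {"uid": int(uid), "user": user, "argv": shlex.split(cmdline)}


def risky_options_used(argv: List[str]) -> List[str]:
    """Return the risky options present in an X server argv (empty if none)."""
    if not argv or not XORG_BIN.search(argv[0]):
        return []
    return sorted(opt for opt in argv[1:] if opt in RISKY_OPTIONS)


def find_suspicious(records: List[str]) -> List[Dict[str, object]]:
    """Flag X server launches by non-root users that pass -modulepath/-logfile.

    A root-owned display manager starting Xorg is the normal case and is not
    flagged; an unprivileged uid supplying these options is the situation the
    advisory describes and is worth an alert.
    """
    hits = []
    for line in records:
        rec = parse_record(line)
        opts = risky_options_used(rec["argv"])
        if rec["uid"] != 0 and opts:
            hits.append({"user": rec["user"], "options": opts, "argv": rec["argv"]})
    return hits


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from text such as 'X.Org X Server 1.19.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version_text: str) -> bool:
    """True when the reported X server version is 1.20.3 or newer."""
    return parse_version(version_text) >= FIXED_VERSION


def is_setuid_root(path: str) -> bool:
    """True when the binary at path is owned by root and has the setuid bit.

    The advisory's precondition is the server running with elevated
    privileges; a setuid-root Xorg binary is the common way that happens.
    """
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_RECORDS):
        print("ALERT: %s started the X server with %s: %s"
              % (hit["user"], hit["options"], " ".join(hit["argv"])))
    for banner in ("X.Org X Server 1.19.6", "X.Org X Server 1.20.3"):
        state = "patched" if is_patched(banner) else "vulnerable, upgrade to 1.20.3 or later"
        print("%s -> %s" % (banner, state))
```

Run against the constructed records, the script reports alice (-logfile) and bob (-modulepath) and ignores the root-owned display manager launch and the X server started without either option; `is_setuid_root("/usr/lib/xorg/Xorg")` can be used on a live host to confirm whether the elevated-privilege precondition applies there.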
OpenBSD and popular Linux distributions such as Debian, Ubuntu, CentOS, Red Hat and Fedora have published advisories confirming the issue and stating that they are working on releasing updated packages for each distribution.