A Broader Issue Exposed by CVE-2018-14665

CVE-2018-14665 refers to “An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.” Here’s the link to Matthew Hickey’s tweet that shows the exploit.

I’m not going to rehash what has already been discussed by others regarding the issue. For those that need a background, here’s the security advisory from the X.Org team that shows the commit that introduced the issue and the commit that fixes the issue.

What I want to discuss is the broader issue of input handling. Computerphile has a video that shows the modification made to the /etc/shadow file (back up to the beginning of the video for background on the issue). The exploit works because whatever is reading /etc/shadow to authenticate the user was accepting a file that realistically should have been considered invalid.

I would argue that whatever module processes /etc/shadow should expect the entries in a specific format: in this case, the “passwd” format with no leading and trailing spaces. If you watch the video from Computerphile above, you’ll see that the file contains a log entry that resembles a passwd entry for the “root” user with no password. This is what allows a user who has gained console access to the server to run “su” without being prompted for the password.

In my opinion, aside from fixing XOrg, all password authentication modules/software/libraries should accept a username only as an exact match, without dropping any leading/trailing spaces. In other words, “root” and “    root” should be considered 2 separate users at the very least (let’s ignore the confusion this may cause when running things like ls -l for a second). If I had my way, all password authentication modules would actually reject the /etc/shadow file that contains log entries from the XOrg software wholesale. However, I realize that doing so may cripple the whole system with no way to recover.
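A sketch of the strict handling argued for above, as an added example (not code from this post, from X.Org, or from any real authentication library): every line must be a well-formed nine-field shadow(5) entry with no surrounding whitespace, user names are matched exactly, and a file with any malformed line is rejected wholesale. The user name pattern, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# shadow(5): name:password:lastchg:min:max:warn:inactive:expire:reserved
FIELD_COUNT = 9
# Conservative user name pattern (an assumption; some systems allow more).
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*\$?")
DIGITS_RE = re.compile(r"[0-9]*")   # aging fields: empty or ASCII digits
NUMERIC_FIELDS = range(2, 8)        # lastchg .. expire


def lines(text):
    """Split on '\\n' only, ignoring the single newline that ends the file."""
    return text[:-1].split("\n") if text.endswith("\n") else text.split("\n")


def check_line(line):
    """Return None for a well-formed entry, else the reason it is rejected."""
    if line != line.strip():
        return "leading or trailing whitespace"
    fields = line.split(":")
    if len(fields) != FIELD_COUNT:
        return f"expected {FIELD_COUNT} fields, got {len(fields)}"
    if not NAME_RE.fullmatch(fields[0]):
        return "invalid user name"
    if not all(DIGITS_RE.fullmatch(fields[i]) for i in NUMERIC_FIELDS):
        return "non-numeric aging field"
    return None


def validate(text):
    """Return [(line_number, reason)] for every malformed line."""
    checked = ((n, check_line(l)) for n, l in enumerate(lines(text), 1))
    return [(n, reason) for n, reason in checked if reason]


def lookup(text, user):
    """Exact-match lookup that refuses a file containing any malformed line."""
    errors = validate(text)
    if errors:
        raise ValueError(f"shadow data rejected: {errors}")
    for line in lines(text):
        fields = line.split(":")
        if fields[0] == user:   # no trimming: "    root" is not "root"
            return fields
    return None


# Constructed sample data, not taken from a real system or a real Xorg log.
GOOD = ("root:$6$constructedsalt$constructedhash:17000:0:99999:7:::\n"
        "alice:!:17000:0:99999:7:::\n")
TAMPERED = GOOD + ("[  100.000] (==) constructed log line\n"
                   "    root::17000:0:99999:7:::\n")
```

Rejecting the whole file is the fail-closed choice and carries the recovery problem noted above; a gentler variant would skip malformed lines and alert, while still refusing to trim user names.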
