ASA-2018-00003 – Xorg: Incorrect command-line parameter validation


Allele Security Alert

ASA-2018-00003

Identifier(s)

ASA-2018-00003, CVE-2018-14665

Title

Incorrect command-line parameter validation

Vendor(s)

X.Org Foundation

Product(s)

Xorg

Affected version(s)

Xorg 1.19.0 and later

Fixed version(s)

Xorg 1.20.3

Proof of concept

Yes

Description

Xorg version 1.19.0 and later incorrectly allows the user to specify insecure parameters when running as a privileged user. The option -logfile allows the user to overwrite arbitrary files on the system, and the option -modulepath allows the user to load arbitrary modules. There is also a format string vulnerability in the option -logfile. Both options, when exploited by an attacker, allow privilege escalation and information leakage.
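
A host triage check built from the version bounds and the privilege condition stated in this alert, as an added example that is not part of the original alert or of X.Org's code. It assumes the privileged case is a setuid-root Xorg binary; the function names, the sample banner and the placeholder path are constructed for illustration.

```shell
#!/bin/sh
# Added triage example, not from the advisory or from X.Org.
# Bounds from the advisory: affected 1.19.0 and later, fixed in 1.20.3.
# Distribution packages may backport the fix without changing the upstream
# version, so "affected" here means "verify the package changelog".

# ver_to_int MAJOR.MINOR.PATCH: print one comparable integer (1.20.3 -> 1020003)
ver_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# version_affected VERSION: succeed if 1.19.0 <= VERSION < 1.20.3
version_affected() {
    v=$(ver_to_int "$1")
    [ "$v" -ge "$(ver_to_int 1.19.0)" ] && [ "$v" -lt "$(ver_to_int 1.20.3)" ]
}

# parse_version: read an `Xorg -version` banner on stdin, print the version
parse_version() {
    sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_setuid_root PATH: succeed if PATH (symlinks followed) is setuid and owned by uid 0
is_setuid_root() {
    [ -n "$(find -L "$1" -prune -perm -4000 -user 0 2>/dev/null)" ]
}

# triage BINARY BANNER: print unknown | not-affected | affected-setuid |
# affected-version-not-setuid
triage() {
    bin=$1; banner=$2
    ver=$(printf '%s\n' "$banner" | parse_version)
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    if ! version_affected "$ver"; then echo "not-affected"; return 0; fi
    if is_setuid_root "$bin"; then
        echo "affected-setuid"
    else
        echo "affected-version-not-setuid"
    fi
}

# Constructed sample banner and placeholder path, so the script runs offline.
# On a real host: triage "$(command -v Xorg)" "$(Xorg -version 2>&1)"
SAMPLE_BANNER='
X.Org X Server 1.19.6
X Protocol Version 11, Revision 0'
triage /nonexistent/Xorg "$SAMPLE_BANNER"
```

A result of `affected-version-not-setuid` means the version falls in the affected range but the binary at the given path does not run with root privileges through the setuid bit.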

Technical details

Unknown

Credits

Narendra Shinde

Reference(s)

Bug 1637761 – (CVE-2018-14665) CVE-2018-14665 xorg-x11-server: Incorrect permission check in Xorg X server allows for privilege escalation [NEEDINFO]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14665

CVE-2018-14665
https://www.suse.com/security/cve/CVE-2018-14665/

CVE-2018-14665
https://security-tracker.debian.org/tracker/CVE-2018-14665

CVE-2018-14665
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14665.html

OpenBSD Errata: October 25th, 2018 (xserver)
https://marc.info/?l=openbsd-announce&m=154051053918947&w=2

Disable -logfile and -modulepath when running with elevated privileges
https://gitlab.freedesktop.org/xorg/xserver/commit/8a59e3b7dbb30532a7c3769c555e00d7c4301170

xfree86: use the xf86CheckPrivs() helper for modulepath/logfile
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7

X.Org security advisory: October 25, 2018
https://lists.x.org/archives/xorg-announce/2018-October/002927.html

[ANNOUNCE] xorg-server 1.20.3
https://lists.x.org/archives/xorg-announce/2018-October/002928.html

openbsd-0day-cve-2018-14665.sh
https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh

OpenBSD #0day Xorg LPE via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console.
https://twitter.com/hackerfantastic/status/1055568290112831490

CVE-2018-14665 : Xorg X Server Vulnerabilities
https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html

CVE-2018-14665 : Another way of exploitation using “-modulepath”
https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html

Xorg and Fun With Local Root Privileges
https://github.com/shirkdog/CharmBUG/blob/master/Presentations/XorgandFunWithLocalRootPrivileges-112818.pdf

CVE-2018-14665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665

CVE-2018-14665
https://nvd.nist.gov/vuln/detail/CVE-2018-14665

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.