CVE-2006-0745 - Local Privilege Escalation vulnerability in X.Org X Window Server

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, low complexity, x-org, mandrakesoft, redhat, sun, suse, nessus, exploit available

Summary

X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.
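
The bug class described in the summary, as an added example that is not X.Org's code: a privilege check that names `geteuid` without calling it compares a function address to 0, which is never true, so the restriction never fires. The stand-in functions `sample_geteuid` and `sample_getuid` and the shape of the check are assumptions; they model a setuid-root binary started by an unprivileged user.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-ins for geteuid()/getuid(): they model a setuid-root
 * binary started by an unprivileged user (euid 0, real uid 1000), so the
 * example behaves the same no matter who runs it. */
static uid_t sample_geteuid(void) { return 0; }
static uid_t sample_getuid(void)  { return 1000; }

/* Returns 1 if a privileged option (e.g. -modulepath, -logfile) is accepted.
 * BUG: `sample_geteuid` without () is the function's address, which is never
 * null, so the "setuid and not really root" branch is dead code. */
int option_allowed_buggy(void)
{
    if ((sample_geteuid == 0) && (sample_getuid() != 0))
        return 0;   /* intended: refuse for non-root callers */
    return 1;
}

/* Fixed: call the function and compare its return value. */
int option_allowed_fixed(void)
{
    if ((sample_geteuid() == 0) && (sample_getuid() != 0))
        return 0;   /* setuid-root process, real user is not root: refuse */
    return 1;
}

int main(void)
{
    printf("buggy check allows option: %d\n", option_allowed_buggy());
    printf("fixed check allows option: %d\n", option_allowed_fixed());
    return 0;
}
```

GCC's `-Waddress` (enabled by `-Wall`) and Clang's `-Wtautological-pointer-compare` warn on the comparison in `option_allowed_buggy`, so building with these warnings enabled catches this class of mistake at compile time.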

Exploit-Db

description: X.Org X11 (X11R6.9.0/X11R7.0) Local Root Privilege Escalation Exploit. CVE-2006-0745. Local exploit for linux platform
id: EDB-ID:1596
last seen: 2016-01-31
modified: 2006-03-20
published: 2006-03-20
reporter: H D Moore
source: https://www.exploit-db.com/download/1596/
title: X.Org X11 X11R6.9.0/X11R7.0 - Local Root Privilege Escalation Exploit

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-172.NASL
    description: Coverity scanned the X.Org source code for problems and reported their findings to the X.Org development team. Upon analysis, Alan Coopersmith, a member of the X.Org development team, noticed a couple of serious security issues in the findings. In particular, the Xorg server can be exploited for root privilege escalation by passing a path to malicious modules using the -modulepath command line argument. Also, the Xorg server can be exploited to overwrite any root writable file on the filesystem with the -logfile command line argument. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21101
    published: 2006-03-21
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21101
    title: Fedora Core 5 : xorg-x11-server-1.0.1-9 (2006-172)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-172.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21101);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_cve_id("CVE-2006-0745");
      script_xref(name:"FEDORA", value:"2006-172");
    
      script_name(english:"Fedora Core 5 : xorg-x11-server-1.0.1-9 (2006-172)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Coverity scanned the X.Org source code for problems and reported their
    findings to the X.Org development team. Upon analysis, Alan
    Coopersmith, a member of the X.Org development team, noticed a couple
    of serious security issues in the findings. In particular, the Xorg
    server can be exploited for root privilege escalation by passing a
    path to malicious modules using the -modulepath command line argument.
    Also, the Xorg server can be exploited to overwrite any root writable
    file on the filesystem with the -logfile command line argument.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2006-March/001872.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?77e9aff9"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorg-x11-server-Xdmx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorg-x11-server-Xnest");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorg-x11-server-Xorg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorg-x11-server-Xvfb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorg-x11-server-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorg-x11-server-sdk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC5", reference:"xorg-x11-server-Xdmx-1.0.1-9")) flag++;
    if (rpm_check(release:"FC5", reference:"xorg-x11-server-Xnest-1.0.1-9")) flag++;
    if (rpm_check(release:"FC5", reference:"xorg-x11-server-Xorg-1.0.1-9")) flag++;
    if (rpm_check(release:"FC5", reference:"xorg-x11-server-Xvfb-1.0.1-9")) flag++;
    if (rpm_check(release:"FC5", reference:"xorg-x11-server-debuginfo-1.0.1-9")) flag++;
    if (rpm_check(release:"FC5", reference:"xorg-x11-server-sdk-1.0.1-9")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xorg-x11-server-Xdmx / xorg-x11-server-Xnest / xorg-x11-server-Xorg / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_016.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:016 (xorg-x11-server). A programming flaw in the X.Org X Server allows local attackers to gain root access when the server is setuid root, as is the default in SUSE Linux 10.0. This flaw was spotted by the Coverity project. Only SUSE Linux 10.0 is affected, older products do not include the problematic piece of code. This problem is tracked by the Mitre CVE ID CVE-2006-0745.
    last seen: 2019-10-28
    modified: 2006-03-23
    plugin id: 21137
    published: 2006-03-23
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21137
    title: SUSE-SA:2006:016: xorg-x11-server
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:016
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(21137);
     script_version ("1.8");
     
     name["english"] = "SUSE-SA:2006:016: xorg-x11-server";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:016 (xorg-x11-server).
    
    
    A programming flaw in the X.Org X Server allows local attackers to
    gain root access when the server is setuid root, as is the default
    in SUSE Linux 10.0.  This flaw was spotted by the Coverity project.
    
    Only SUSE Linux 10.0 is affected, older products do not include the
    problematic piece of code.
    
    This problem is tracked by the Mitre CVE ID CVE-2006-0745." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/2006_16_xorgx11server.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/23");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the xorg-x11-server package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"xorg-x11-server-6.8.2-100.4", release:"SUSE10.0") )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_61534682B8F411DA8E62000E0C33C2DC.NASL
    description: Daniel Stone of X.Org reports : During the analysis of results from the Coverity code review of X.Org, we discovered a flaw in the server that allows local users to execute arbitrary code with root privileges, or cause a denial of service by overwriting files on the system, again with root privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21441
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21441
    title: FreeBSD : xorg-server -- privilege escalation (61534682-b8f4-11da-8e62-000e0c33c2dc)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21441);
      script_version("1.11");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2006-0745");
    
      script_name(english:"FreeBSD : xorg-server -- privilege escalation (61534682-b8f4-11da-8e62-000e0c33c2dc)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Daniel Stone of X.Org reports :
    
    During the analysis of results from the Coverity code review of X.Org,
    we discovered a flaw in the server that allows local users to execute
    arbitrary code with root privileges, or cause a denial of service by
    overwriting files on the system, again with root privileges."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.freedesktop.org/show_bug.cgi?id=6213"
      );
      # https://vuxml.freebsd.org/freebsd/61534682-b8f4-11da-8e62-000e0c33c2dc.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5e558524"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:xorg-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"xorg-server=6.9.0")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-056.NASL
    description: Versions of Xorg 6.9.0 and greater have a bug in xf86Init.c, which allows non-root users to use the -modulepath, -logfile and -configure options. This allows loading of arbitrary modules which will execute as the root user, as well as a local DoS by overwriting system files. Updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21114
    published: 2006-03-21
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21114
    title: Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2006:056)

Oval

accepted: 2011-05-09T04:01:19.512-04:00
class: vulnerability
contributors:
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
description: X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.
family: unix
id: oval:org.mitre.oval:def:1697
status: accepted
submitted: 2006-03-21T04:03:00.000-04:00
title: X.Org Privilege Escalation Vulnerability in X11R6.9, X11R7.0
version: 36

Packetstorm

data source: https://packetstormsecurity.com/files/download/150554/xorgx11modulepath-escalate.txt
id: PACKETSTORM:150554
last seen: 2018-12-01
published: 2018-12-01
reporter: Marco Ivaldi
source: https://packetstormsecurity.com/files/150554/xorg-x11-server-modulepath-Local-Privilege-Escalation.html
title: xorg-x11-server modulepath Local Privilege Escalation