@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16) Title: Local privilege escalation on Solaris 11.x via xscreensaver Application: Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4 Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3 Other versions starting from 5.06 are potentially affected Platforms: Oracle Solaris 11.x (tested on 11.4 and 11.3) Other platforms are potentially affected (see below) Description: A local attacker can gain root privileges by exploiting a design error vulnerability in the xscreensaver distributed with Solaris Author: Marco Ivaldi Vendor Status: notified on 2019-07-09 CVE Name: CVE-2019-3010 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8) References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.jwz.org/xscreensaver/ https://www.oracle.com/technetwork/server-storage/solaris11/ https://www.mediaservice.net/ https://0xdeadbeef.info/ 1. Abstract. Exploitation of a design error vulnerability in xscreensaver, as distributed with Solaris 11.x, allows local attackers to create (or append to) arbitrary files on the system, by abusing the -log command line switch introduced in version 5.06. This flaw can be leveraged to cause a denial of service condition or to escalate privileges to root. 2. Example Attack Session. raptor@stalker:~$ cat /etc/release Oracle Solaris 11.4 X86 Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved. Assembled 16 August 2018 raptor@stalker:~$ uname -a SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc raptor@stalker:~$ id uid=100(raptor) gid=10(staff) raptor@stalker:~$ chmod +x raptor_xscreensaver raptor@stalker:~$ ./raptor_xscreensaver raptor_xscreensaver - Solaris 11.x LPE via xscreensaver Copyright (c) 2019 Marco Ivaldi [...] Oracle Corporation SunOS 5.11 11.4 Aug 2018 root@stalker:~# id uid=0(root) gid=0(root) 3. Affected Platforms. This vulnerability was confirmed on the following platforms: * Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation] * Oracle Solaris 11.x SPARC [untested] Previous Oracle Solaris 11 versions might also be vulnerable. Based on our analysis and on feedback kindly provided by Alan Coopersmith of Oracle, we concluded that this is a Solaris-specific vulnerability, caused by the fact that Oracle maintains a slightly different codebase from the upstream one. Alan explained this as follows: "The problem in question here appears to be inherited from the long-ago fork [originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based unlock dialog with accessibility support to replace the non-accessible Xlib unlock dialog that upstream provides, which moves the uid reset to after where the log file opening was later added." Specifically, the problem arises because of this bit of Solaris patches: https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770 As an interesting side note, it appears Red Hat dropped this code back in 2002 with version 4.05-5: https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179 4. Fix. Oracle has assigned the tracking# S1182608 and has released a fix for all affected and supported versions of Solaris in their Critical Patch Update (CPU) of October 2019. As a temporary workaround, it is also possible to remove the setuid bit from the xscreensaver executable as follows (note that this might prevent it from working properly): bash-3.2# chmod -s /usr/bin/xscreensaver 5. Proof of Concept. An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It can be downloaded from: https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver Copyright (c) 2019 @Mediaservice.net. All rights reserved.