[failsafeXinit] launches gnome-terminal or gedit as root without a password

Bug #310126 reported by Anders Kaseorg on 2008-12-21
This bug affects 2 people
Affects Status Importance Assigned to Milestone
xorg (Ubuntu)
Bryce Harrington
Bryce Harrington

Bug Description

Binary package hint: xorg

If GDM detects that X is failing to start the normal way, it launches /etc/gdm/failsafeXServer and /etc/gdm/failsafeXinit, which present a friendly dialog to help the user recover:

Ubuntu Failsafe-X
What would you like to do?
(*) Run Ubuntu in low-graphics mode for just this session
( ) Reconfigure graphics
( ) Troubleshoot the error
( ) Open a terminal

The “Open a terminal” option opens a gnome-terminal as root, *without asking for a password*.

Needless to say, this is a really dumb security problem. There are many things an attacker could do to force GDM to detect that the X server is crashing, such as repeatedly hitting Ctrl+Alt+Backspace. Therefore, anyone can walk up to a running Ubuntu system, open a root terminal, and quickly compromise it.

Some of the other options allow reconfiguring/editing the Xorg configuration, and should similarly require a password.

Related branches

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg - 1:7.4~5ubuntu8

xorg (1:7.4~5ubuntu8) jaunty; urgency=low

  * Disable terminal to prevent root access (LP: #310126)

 -- Bryce Harrington <email address hidden> Sun, 21 Dec 2008 00:05:19 -0800

Changed in xorg:
status: New → Fix Released
Anders Kaseorg (andersk) wrote :

Thanks for the quick upload, but you’ve introduced a syntax error in /etc/gdm/failsafeXinit (empty shell functions are not allowed), breaking the failsafe menu entirely:

  run_terminal() {
  # Causes bug #310126
  # gnome-terminal

This might be fortunate from a security standpoint, though, because “Open a terminal” is not the only possible attack on the menu. Some others that I found fairly quickly are
  Troubleshoot the error → Review the xserver log file → File → Open → /etc/passwd
  Troubleshoot the error → Review the startup errors → File → Open → /etc/passwd
  Troubleshoot the error → Edit configuration file → File → Open → /etc/passwd

And who knows what damage you might be able to do even with just dexconf or xorgconf (setting a malicious ModulePath?).

Basically, all options other than “Run Ubuntu in low-graphics mode for just this session” are fundamentally dangerous; they need to be password-protected.

Changed in xorg:
status: Fix Released → New
Bryce Harrington (bryce) wrote :

No, there's no actual way to run that function from the UI. It is entirely commented out from the menu.

Feel free to attach a patch if you'd like different behavior.

Changed in xorg:
status: New → Fix Released
Anders Kaseorg (andersk) wrote :

Yes, the “Open a terminal” attack is gone now, but there are still other attacks that I mentioned above. The “Troubleshoot the error” option leads to a menu including three options that each launch gedit as root (“Review the xserver log file”, “Review the startup errors”, “Edit configuration file”). gedit can be used to edit the /etc/passwd file, for example, and compromise the system almost as quickly. I’ll retitle the bug to make the scope of the problem clearer.

These vulnerabilities are present in both Intrepid and Jaunty.

Changed in xorg:
status: Fix Released → New

So do you have a patch to propose? Otherwise this may need to wait a bit.

Changed in xorg:
status: New → Incomplete
Bryce Harrington (bryce) wrote :

We're closing this bug since it is has been some time with no response from the original reporter. However, if the issue still exists please feel free to reopen with the requested information. Also, if you could, please test against the latest development version of Ubuntu, since this confirms the bug is one we may be able to pass upstream for help.

Changed in xorg:
status: Incomplete → Invalid
Anders Kaseorg (andersk) wrote :

This vulnerability has not gone away; failsafeXinit still allows an untrusted user to run gedit as root. I don’t have an ultimate solution, but removing the three vulnerable options would be a good first step. We could then open up this bug (or a new bug) so that other contributors can figure out how to add back this functionality in a secure way.

Changed in xorg:
status: Invalid → New
Anders Kaseorg (andersk) wrote :

Here is a debdiff for Jaunty that simply removes the vulnerable options.

Anders Kaseorg (andersk) wrote :

And an equivalent debdiff for Intrepid.

Kees Cook (kees) wrote :

bpx needs to prompt for a root password if one exists. "sulogin" has a similar behavior.

Changed in xorg:
assignee: nobody → bryceharrington
importance: Undecided → Medium
milestone: none → ubuntu-9.04-beta
status: New → Triaged
assignee: nobody → bryceharrington
importance: Undecided → Medium
status: New → Triaged
Kees Cook (kees) wrote :

For example:

SUSHELL=/path/to/bpx sulogin

Bryce Harrington (bryce) on 2009-03-17
Changed in xorg (Ubuntu Jaunty):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg - 1:7.4~5ubuntu16

xorg (1:7.4~5ubuntu16) jaunty; urgency=low

  [Tormod Volden]
  * apport/source_xorg.py: Use grep directly instead of shelling out, and
    look in /proc/modules as well. Also only set 'fglrx-installed' if
    there was a definite match.

  [Bryce Harrington]
  * x11-common.links: Add apport support for a several more packages.
  * local/Xsession.d/60x11-common_localhost:
    - Rename from 60x11-localhost for consistency (LP: #340807)
    - Redirect stderr in an sh-safe fashion
  * x11-common.postinst.in, x11-common.preinst.in, x11-common.postrm.in:
    - Remove renamed 60x11-localhost; handle upgrade failures gracefully
  * local/dexconf, local/Failsafe/failsafeDexconf:
    - Add hooks for Sun's virtualbox (LP: #319373)
  * local/Failsafe/failsafeXinit:
    - Use zenity for viewing logs, and vt2 for console login
      (LP: #310126)
    - Make translatable (LP: #335678)
  * apport/source_xorg.py: Suppress warning about keyboard geometry on :0
    (LP: #315777)

 -- Bryce Harrington <email address hidden> Wed, 18 Mar 2009 13:54:27 -0700

Changed in xorg:
status: Fix Committed → Fix Released
Anders Kaseorg (andersk) wrote :

edit_config() {
    backup_xorg_conf || return 1

    xorg_conf_tmp=$(mktmp "/tmp/xorg.conf.XXXXXXXX")
    cp /etc/X11/xorg_conf ${xorg_conf_tmp}
    zenity --text-info --editable --filename=${xorg_conf_tmp} --width=640 --height=480 > "/etc/X11/xorg.conf"

There is a typo on the cp line: /etc/X11/xorg_conf should be /etc/X11/xorg.conf .

Also, this will cause xorg.conf to be overwritten with an empty file if the user hits Esc at the zenity prompt. The last two lines should be replaced with
    zenity --text-info --editable --filename=/etc/X11/xorg.conf --width=640 --height=480 > "$xorg_conf_tmp" && \
      mv "$xorg_conf_tmp" /etc/X11/xorg.conf

Finally, are you SURE that a malicious user can’t gain any kind of unauthorized access by editing xorg.conf?

Kees Cook (kees) on 2009-03-30
visibility: private → public
Bryce Harrington (bryce) on 2009-10-13
Changed in xorg (Ubuntu Intrepid):
assignee: Bryce Harrington (bryceharrington) → nobody
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in xorg (Ubuntu Intrepid):
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers