Xorg X server is a popular open-source implementation of the X11 system (display server) that offers a graphical environment to a wider range of hardware and OS platforms. It serves as an intermediary between client and user applications to manage graphical displays.
According to a blog post published by software security engineer Narendra Shinde, Xorg X server doesn't correctly handle and validate arguments for at least two command-line parameters, allowing a low-privileged user to execute malicious code and overwrite any file—including files owned by privileged users like root.
The flaw, tracked as CVE-2018-14665, was introduced in X.Org server 1.19.0 package that remained undetected for almost two years and could have been exploited by a local attacker on the terminal or via SSH to elevate their privileges on a target system.
The two vulnerable parameters in question are:
- -modulepath: to set a directory path to search for Xorg server modules,
- -logfile: to set a new log file for the Xorg server, instead of using the default log file that is located at /var/log/Xorg.n.log on most platforms.
"When the X server is running with elevated privileges (i.e., when Xorg is installed with the setuid bit set and started by a non-root user)." the Xorg advisory says. "The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process."
"An incorrect permission check for -modulepath and -logfile options when starting Xorg X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges." Red Hat advisory says.
Security researcher Matthew Hickey shared an easy to execute proof-of-concept exploit code earlier today on Twitter, saying "An attacker can literally take over impacted systems with 3 commands or less."
The X.Org foundation has now released X.Org Server version 1.20.3 with security patches to address the issue.
Popular distributions like OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora have published their advisories to confirm the issue and working on the patch updates.