{"vuid":"VU#300368","idnumber":"300368","name":"X.Org fails to check for setuid failure on Linux systems","keywords":["X.Org","X11","privilege escalation","setuid"],"overview":"Programs distributed as part of the X.Org software distribution fail to properly handle test results for effective user ID. This vulnerability may lead to privilege escalation.","clean_desc":"Linux, like most Unix systems, provides a system call, setuid(), to set the effective user ID of a process. A vulnerability exists in X.Org versions 6.7.0 through 7.1 on systems where setuid() may fail, even when invoked by a process running as root. In reference to systems using the Linux 2.6 kernel, X.Org Security Advisory, June 20th, 2006 states: This is because there is a 'maximum processes' ulimit, which is honoured by setuid(), seteuid(), and setgid(). These functions may fail because of this ulimit; if the return value is not checked, then code which is assumed to be running unprivileged, may in fact be running with uid 0. This vulnerability is exposed on systems based on the Linux 2.6 kernel through any program supplied with the X.Org distribution that typically runs with elevated privileges (setuid to root), such as xterm, xdm, the X server, etc.","impact":"This vulnerability may allow an authenticated attacker to run arbitrary code with elevated privileges.","resolution":"Upgrade or apply a patch from the vendor\nPatches have been released to address this issue. See the systems affected section of this document for information about specific vendors. Users who compile the X.Org software distribution from source code are encouraged to update to the most recent version.","workarounds":"","sysaffected":"","thanks":"This issue was reported in X.Org Security Advisory, June 20th, 2006. X.Org credits Dirk Mueller and Marcus Meissner for reporting this issue.","author":"This document was written by Chris Taschner.","public":["http://lists.freedesktop.org/archives/xorg/2006-June/016146.html","http://secunia.com/advisories/21650/","http://www.securityfocus.com/bid/19742","http://www.frsirt.com/english/advisories/2006/3409","http://secunia.com/advisories/21650","http://secunia.com/advisories/21660","http://secunia.com/advisories/21693","http://secunia.com/advisories/22332"],"cveids":["CVE-2006-4447"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-10-12T14:34:38Z","publicdate":"2006-08-29T00:00:00Z","datefirstpublished":"2006-10-25T18:14:35Z","dateupdated":"2006-10-25T18:14:51Z","revision":23,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"20","cam_impact":"4","cam_easeofexploitation":"3","cam_attackeraccessrequired":"1","cam_scorecurrent":"0.0675","cam_scorecurrentwidelyknown":"0.09","cam_scorecurrentwidelyknownexploited":"0.18","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.0675,"vulnote":null}