this isn't an exploit - I let others write that ;) (don't
have time for that).
But five minutes ago I found something that might be abused:
On my (RedHat4.2) linux box, I find:
/tmp/.X11-unix/X0=
A UNIX domain socket of the X server I assume.
The permissions are:
drwxrwxrwt 3 root root 1024 Nov 14 01:38 /tmp/
drwxrwxrwx 2 root users 1024 Nov 14 01:56 /tmp/.X11-unix/
srwxrwxrwx 1 root users 0 Nov 13 23:09 X0
So, as any user (I did it as 'nobody'), I can do:
rm /tmp/.X11-unix/X0
After which X doesn't work anymore (can't open a new terminal).
I can also do:
cd /tmp/.X11-unix
mv X0 Y0
(can't open an xterm)
mv Y0 X0
(everything works again).
Now I didn't test the following, but doesn't this mean that I can
- as nobody - mv X0 Y0; open a new X0 socket and start to accept
connections, piping everything to Y0, reading everything people
type, like passwords when they use 'su' ? ...
Carlo Wood
PS This is my first post, so I expect to make a terrible error
here somehow ;). If so, I hope the moderator will simply
refuse the post.
-- carlo@runaway.xs4all.nl, Run @ IRC.ircd development: http://www.xs4all.nl/~carlo17/ircd-dev