CVE-2018-14665 - Incorrect Authorization

Severity

72%

Complexity

39%

Confidentiality

165%

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

CVSS 3.0 Base Score 6.6. CVSS Attack Vector: physical. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Demo Examples

Incorrect Authorization

CWE-863

The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.


               
}
}
setcookie("role", $role, time()+60*60*2);
die("\n");
DisplayMedicalHistory($_POST['patient_ID']);
die("You are not Authorized to view this record\n");

The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.

Overview

First reported 6 years ago

2018-10-25 20:29:00

Last updated 5 years ago

2019-10-22 23:15:00

Affected Software

RedHat Enterprise Linux Desktop 7.0

7.0

RedHat Enterprise Linux Server 7.0

7.0

Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6

7.6

Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6

7.6

Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6

7.6

RedHat Enterprise Linux Workstation 7.0

7.0

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 18.04 LTS Edition

18.04

Canonical Ubuntu Linux 18.10

18.10

Debian Linux 9.0

9.0

References

http://packetstormsecurity.com/files/154942/Xorg-X11-Server-SUID-modulepath-Privilege-Escalation.html

http://packetstormsecurity.com/files/155276/Xorg-X11-Server-Local-Privilege-Escalation.html

105741

Third Party Advisory, VDB Entry

1041948

Third Party Advisory, VDB Entry

RHSA-2018:3410

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14665

Issue Tracking, Patch, Third Party Advisory

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

Patch, Third Party Advisory

https://gitlab.freedesktop.org/xorg/xserver/commit/8a59e3b7dbb30532a7c3769c555e00d7c4301170

Patch, Third Party Advisory

[xorg-announce] 20181025 X.Org security advisory: October 25, 2018

Mitigation, Patch, Vendor Advisory

GLSA-201810-09

Third Party Advisory

USN-3802-1

Third Party Advisory

DSA-4328

Third Party Advisory

45697

Exploit, Third Party Advisory, VDB Entry

45742

Exploit, Third Party Advisory, VDB Entry

45832

Exploit, Third Party Advisory, VDB Entry

45908

Exploit, Third Party Advisory, VDB Entry

45922

Exploit, Third Party Advisory, VDB Entry

45938

Exploit, Third Party Advisory, VDB Entry

46142

Exploit, Third Party Advisory, VDB Entry

https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html

Exploit, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.