X.org, the X Window server used by various desktop Linux and BSD operating systems, has – depending on its configuration – a security vulnerability that can be exploited to gain root powers.
If a vulnerable version of X.org runs on a system as setuid root, it can be abused by normal logged-in users to gain administrator-level control over the machine. That would allow a miscreant to tamper with files, install spyware, and so on. Some Linux distros don't use X.org with elevated privileges, or are otherwise immune – such as CentOS; check for security updates anyway.
Specifically, the flaw, designated CVE-2018-14665, can be exploited to inject user-supplied code into a root-privileged X.org process, via the -modulepath command line switch, or overwrite files on the system, via the -logfile switch. The latter can be used to overwrite the shadow password file on a computer to allow access to the root user without a password.
This Red Hat bug report described it as “an incorrect permission check for -modulepath and -logfile options when starting X.Org," adding: "X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.”
It's trivially exploitable, as Matthew Hickey, cofounder of British security shop Hacker House, tweeted:
cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
This, the tweet explained, will “overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other X.org desktop also affected.”
"The bug is so simple, it's amazing that it slipped through into OpenBSD 6.4: usually the OS is more resilient to such attacks," he told The Register.
"The worst part is this type of bug is a classic 1990s-era mistake: overwriting files requires no complex memory corruption techniques. A few simple commands and you can become root. It's going to be widespread in a lot of places, and as it's so easy to exploit, it will be used quickly by attackers.
"Weaknesses in the desktop components have been a source of privilege escalation attacks for years, but we haven't seen one this trivial to exploit for some time."
X.Org's advisory goes into more detail, and explains why the bug isn't present across all operating system distributions. The bug was introduced in X.Org server 1.19.0, released in November 2016, and discovered by Narendra Shinde.
If you can't patch, there are workarounds: either remove the setuid bit from the X.Org binary, which its developers warn can break systems starting the X Window system using startx or xinit. Alternatively, simply use a display manager to start X sessions.
A two-year-old bug is nowhere near a record for X.Org. Back in 2014, IOActive's Ilja van Sprundel found a 27-year-old bug in the X Window server. ®