X Server Security Disaster: "It's Worse Than It Looks"


  • X Server Security Disaster: "It's Worse Than It Looks"

    Phoronix: X Server Security Disaster: "It's Worse Than It Looks"

    There are X.Org Server security vulnerabilities -- even for vulnerabilities going back two decades -- from time to time and in related components of the Linux graphics stack. Parts of the X.Org stack can be in fairly rough shape given the age of X11, but a very poor picture of it was painted at the Chaos Communication Congress. It was stated that the X.Org security is even worse than it looks...

    http://www.phoronix.com/vr.php?view=MTU1NzA

  • #2
    We should give X.Org another shot, in the back of the head, die!



    • #3
      At least the monstrosity known as X.org is finally going away. X.org sucked from day #1, but it was the first and only available free display server, so it became "standard".



      • #4
        Really though, if you look at the other 30C3 stories, the overall theme is "The security of all tech is worse than you think."



        • #5
          Originally posted by alanc
          Really though, if you look at the other 30C3 stories, the overall theme is "The security of all tech is worse than you think."
          I've always been of the opinion 'Never think you're 100%. Just do what you can to reduce the attack vectors' and I can sleep at night.

          Thankfully I'm not in charge of a security team, otherwise I'd probably have been given the arse long ago!



          • #6
            Originally posted by alanc
            Really though, if you look at the other 30C3 stories, the overall theme is "The security of all tech is worse than you think."
            Isn't that pretty much true though... for all eternity? You make things as good as you can and then do your best to keep pace with the "enemy" (quotes because I don't think it's a particularly valid term, but nothing fit better).

            I'm sure Wayland and Mir will have their fair share of security snafus, just as all projects will. I'm about to check out the actual presentation, but just reading Michael's article and reading your own post to the mailing list Alan, my initial impression is: "writing a monolithic pseudo-OS monstrosity whose core hasn't changed in 30yrs is a bad idea!" news at 11.



            • #7
              Just watched the video. Headline should have said "Several 0 day Qt exploits that Qt devs won't fix and don't care if they are made public".



              • #8
                Hoping for Wayland

                Sorry to hear about X.org's security issues, but hopefully it will provide even more impetus to get Wayland installed as the default graphics system as soon as possible.

                The big move from X to Wayland will arguably be the most important change ever to hit Linux. As so many applications will have to be rewritten to take full advantage of Wayland, the move will be a bit traumatic, but worth it I think.



                • #9
                  Originally posted by Candide
                  The big move from X to Wayland will arguably be the most important change ever to hit Linux. As so many applications will have to be rewritten to take full advantage of Wayland, the move will be a bit traumatic, but worth it I think.
                  For normal software, shouldn't it be enough to change to the Wayland version of your widget toolkit?



                  • #10
                    How many of these are REMOTE vulnerabilities?

                    Originally posted by phoronix
                    Phoronix: X Server Security Disaster: "It's Worse Than It Looks"

                    There are X.Org Server security vulnerabilities -- even for vulnerabilities going back two decades -- from time to time and in related components of the Linux graphics stack. Parts of the X.Org stack can be in fairly rough shape given the age of X11, but a very poor picture of it was painted at the Chaos Communication Congress. It was stated that the X.Org security is even worse than it looks...

                    http://www.phoronix.com/vr.php?view=MTU1NzA
                    How many of these can be used for an over-the-network attack, assuming that an ssl server is not being run with X11 forwarding and no remote desktop viewing tool is in operation? There is a huge difference between someone who has already booted your computer being able to get root (physical access=root for high security work!) and someone able to root your box over the network and past a router.



                    • #11
                      Originally posted by Luke
                      How many of these can be used for an over-the-network attack...
                      If you start X with -nolisten tcp, as virtually all distros have done by default for years now, then pretty much all security holes in X in the past few years have been limited to people who can already access your machine - either physically or remote login via ssh. Many allow such users to raise their privileges, which is a problem in business, government, or school settings, but not so much on your personal/home machine where you can just use su or sudo to do that already.

                      Comment
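The check implied by the reply above, as an added example that is not part of the original thread: it classifies an X server command line by its explicit `-nolisten tcp` / `-listen tcp` flags and scans an IPv4 `/proc/net/tcp` table for LISTEN sockets in the X11 port range (display :N uses TCP port 6000 + N). The function names are hypothetical, the sample table is constructed, and a little-endian Linux host is assumed.

```python
import socket

X11_BASE_PORT = 6000   # display :N listens on TCP port 6000 + N
MAX_DISPLAY = 63       # assumption: only scan displays :0 through :63
TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0100007F:1771 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

def x11_tcp_listeners(proc_net_tcp):
    """Return [(display, address, port)] for LISTEN sockets in the X11 range.

    Handles the IPv4 table only; /proc/net/tcp6 uses 16-byte addresses.
    """
    found = []
    for line in proc_net_tcp.strip().splitlines()[1:]:   # skip header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                     # not a listening socket
        hex_ip, hex_port = fields[1].split(":")
        port = int(hex_port, 16)
        display = port - X11_BASE_PORT
        if 0 <= display <= MAX_DISPLAY:
            # The kernel prints the address as host-order hex; reverse on little-endian.
            addr = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
            found.append((display, addr, port))
    return found

def tcp_flag_state(argv):
    """Report the last explicit TCP listen flag on an X server command line.

    "unspecified" means neither flag is present, so the build default applies.
    """
    state = "unspecified"
    for flag, value in zip(argv, argv[1:]):
        if value == "tcp" and flag in ("-nolisten", "-listen"):
            state = "disabled" if flag == "-nolisten" else "enabled"
    return state

if __name__ == "__main__":
    print(x11_tcp_listeners(SAMPLE_PROC_NET_TCP))
    print(tcp_flag_state(["/usr/bin/X", ":0", "-nolisten", "tcp"]))
```

On a live system the table would come from reading `/proc/net/tcp` and the argument list from the X server's `/proc/<pid>/cmdline`, split on NUL bytes.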


                      • #12
                        Originally posted by alanc
                        pretty much all security holes in X in the past few years have been limited to people who can already access your machine
                        I should have said "or software they run" - since no one can fully audit all of the source code for every binary they run, there are risks of software trying to sneak one past you, but that's true whether you run X or anything else. (And as a number of the other 30C3 talks emphasized, there's far more software running than you realize, such as the CPUs in your flash memory cards or hard disk, or pretty much every piece of silicon in the system. Having source to the software running in the OS at the top of the stack is just the tip of the iceberg.)



                        • #13
                          Originally posted by kurkosdr
                          At least the monstrosity known as X.org is finally going away. X.org sucked from day #1, but it was the first and only available free display server, so it became "standard".
                          Gosh. You've forgotten, or don't know about, the XFree86 system. Compared to that, X.org was a breath of fresh air, a welcome step to a proper and convenient graphics subsystem.

                          Even then, XFree86 was not the first available free display server. That would be X386. As for the only display server, besides the ones already mentioned, there was a brief fork of XFree86 called Xouvert.

                          For all its inefficiency with modern day graphics systems, X.org does a damn fine job. It's hardly a "monstrosity". From day one, it's been a wonderful addition to the free software library. So will Wayland be, when it's ready.



                          • #14
                            Originally posted by ua=42
                            Just watched the video. Headline should have said "Several 0 day Qt exploits that Qt devs won't fix and don't care if they are made public".
                            That's old news, at least by a year. Though if they *still* keep it up...



                            • #15
                              Originally posted by Luke
                              How many of these can be used for an over-the-network attack, assuming that an ssl server is not being run with X11 forwarding and no remote desktop viewing tool is in operation? There is a huge difference between someone who has already booted your computer being able to get root (physical access=root for high security work!) and someone able to root your box over the network and past a router.
                              I would be interested to know - not about this never-used network facility - but:

                              - If you look at your favourite porn movie from your "trusted" source
                              - are there byte sequences that can escape the video stream
                              - an escaped code could then escalate privileges on your system
                              - and install the trojan horse

                              Would that be the usable "use case" of an "unsecure" xorg server?
