CVE-2003-0885

MEDIUM 6.4 / 10.0
Published: December 31, 2003 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Xscreensaver 4.14 contains certain debugging code that should have been omitted, which causes Xscreensaver to create temporary files insecurely in the (1) apple2, (2) xanalogtv, and (3) pong screensavers, and allows local users to overwrite arbitrary files via a symlink attack.

CVSS Metrics

Base Score
6.4
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Xscreensaver 4.14 shipped with leftover debugging code in three screensaver hacks (apple2, xanalogtv and pong) that writes a temporary file to a fixed, predictable path without checking what already exists there. A local attacker who can pre-create a symbolic link at that path redirects the write and overwrites any file the user running the hack can write. The impact is loss of integrity and availability (CVSS 2.0 C:N/I:P/A:P, 6.4 Medium), not confidentiality, and the record describes no code execution inside the screensaver. The flaw becomes a privilege escalation only when the affected hack runs under a more privileged account than the attacker's.

02 // Vulnerability Mechanism

Step 1: Symlink Planting: Before the vulnerable hack runs, the attacker creates a symbolic link at the fixed path the debugging code will write to (the advisory does not name the path; it is a predictable location in a directory the attacker can write to, such as /tmp), pointing at a file the attacker wants truncated or rewritten. No race has to be won: because the name is fixed, the link can be planted ahead of time and left in place.

Step 2: Screensaver Activation: The attacker waits for the victim's xscreensaver to start apple2, xanalogtv or pong. In its default random mode xscreensaver cycles through the installed hacks, so with those three enabled this is only a matter of time. Triggering the screensaver in the attacker's own session gains nothing, since the write would happen with the attacker's own privileges.

Step 3: File Write: The leftover debugging code opens the path for writing with no O_EXCL or O_NOFOLLOW protection. The kernel follows the link, so the truncation and the debugging output land in the target file, with the privileges of the user running the hack.

Step 4: Consequences: The attacker now controls the contents of any file that user can write, which is data destruction or tampering for an ordinary user. If the affected hack ever runs under a more privileged account than the attacker's, the same overwrite reaches system files such as /etc/passwd and becomes a privilege escalation; otherwise the damage is confined to that user's files, which matches the C:N/I:P/A:P vector.

03 // Deep Technical Analysis

The vulnerability stems from debugging code left in the apple2, xanalogtv and pong hacks of xscreensaver 4.14 that writes a temporary file to a fixed, predictable path without first ensuring that the path does not already exist and is not a symbolic link. In a directory other users can write to, a local attacker plants a symlink at that path pointing at any file; when the hack runs, the open-for-write follows the link and the target is truncated and overwritten with the screensaver's debugging output. Because the filename is fixed the attacker does not have to win a race: the link is created in advance and waits for the hack to run (the check-then-use race usually associated with temporary files only matters when the name is unpredictable but the open is not exclusive). The effect is arbitrary file overwrite with the privileges of the user running the hack; confidentiality is not affected, which is why NVD scores it C:N/I:P/A:P. Note that the published vector also says AV:N, although the description and the attack require local access. Input validation is not the issue here. The remediation is to remove the debugging code or, where a scratch file is genuinely needed, to create it with mkstemp() (or open() with O_CREAT|O_EXCL|O_NOFOLLOW) under a per-user directory such as $TMPDIR rather than at a fixed name in /tmp.
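The following C program is an added example, not xscreensaver's code and not the path the affected hacks used (the advisory does not give it). It replays steps 1 to 3 of the mechanism above in a private scratch directory and places the vulnerable write pattern beside the two remedies named in the analysis: the same open() call with O_CREAT|O_EXCL|O_NOFOLLOW, and mkstemp(). The directory and file names (/tmp/cve-2003-0885-demo-XXXXXX, target.txt, scratch.tmp, /tmp/xs-debug-XXXXXX) and the payload strings are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The bug class: a debugging dump written to a fixed path in a shared
 * directory. fopen("w") follows a symlink sitting at that path and
 * truncates whatever it points at. Returns 0 or -errno. */
static int debug_dump_insecure(const char *fixed_path, const char *payload)
{
    FILE *f = fopen(fixed_path, "w");
    if (f == NULL)
        return -errno;
    fputs(payload, f);
    return fclose(f) == 0 ? 0 : -errno;
}

/* Same call, hardened: O_EXCL refuses anything already at the path (POSIX
 * mandates EEXIST even when that entry is a symlink) and O_NOFOLLOW refuses
 * to follow a link. Returns 0 or -errno. */
static int debug_dump_hardened(const char *fixed_path, const char *payload)
{
    int fd = open(fixed_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;
    int rc = write(fd, payload, strlen(payload)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* The proper fix for a scratch file: mkstemp() chooses an unpredictable name
 * and creates it with O_CREAT|O_EXCL in one step, so there is no fixed path
 * for an attacker to pre-plant. The file is unlinked again so the example
 * leaves nothing behind. Returns 0 or -errno. */
int debug_dump_mkstemp(const char *payload)
{
    char path[] = "/tmp/xs-debug-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    int rc = write(fd, payload, strlen(payload)) < 0 ? -errno : 0;
    close(fd);
    unlink(path);
    return rc;
}

/* Replays the attack in a private directory: target.txt stands in for the
 * victim's file, scratch.tmp for the "predictable temporary file", and the
 * attacker replaces the latter with a symlink before the writer runs.
 * Returns 1 if the insecure writer clobbered the target, 0 if not, -1 on
 * setup failure. *hardened_errno receives the errno the hardened writer
 * failed with against the same planted link (EEXIST). */
int run_symlink_attack_demo(int *hardened_errno)
{
    char dir[] = "/tmp/cve-2003-0885-demo-XXXXXX";  /* constructed scratch dir */
    char target[PATH_MAX], linkpath[PATH_MAX], buf[64] = {0};
    const char *planted = "attacker-chosen contents\n";

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(linkpath, sizeof linkpath, "%s/scratch.tmp", dir);

    FILE *t = fopen(target, "w");            /* victim's file before the attack */
    if (t == NULL)
        return -1;
    fputs("original\n", t);
    fclose(t);

    if (symlink(target, linkpath) != 0)      /* step 1: plant the symlink */
        return -1;

    debug_dump_insecure(linkpath, planted);  /* steps 2-3: the dump is redirected */
    FILE *r = fopen(target, "r");
    if (r == NULL)
        return -1;
    if (fgets(buf, sizeof buf, r) == NULL)
        buf[0] = '\0';
    fclose(r);
    int clobbered = strcmp(buf, planted) == 0;

    int rc = debug_dump_hardened(linkpath, "dump\n");  /* hardened writer, same link */
    if (hardened_errno)
        *hardened_errno = rc < 0 ? -rc : 0;

    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    int herr = 0;
    int clobbered = run_symlink_attack_demo(&herr);
    printf("insecure writer clobbered target: %s\n", clobbered == 1 ? "yes" : "no");
    printf("hardened writer refused with: %s\n", herr ? strerror(herr) : "(no error)");
    printf("mkstemp writer: %s\n", debug_dump_mkstemp("dump\n") == 0 ? "ok" : "failed");
    return 0;
}
```

The demo deliberately uses a private, non-sticky directory with attacker and victim being the same user, so it reproduces regardless of the kernel's fs.protected_symlinks setting; that mitigation only blocks following links in sticky world-writable directories such as /tmp when the link owner differs from the follower, and it did not exist in 2003.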

CVE-2003-0885 - MEDIUM Severity (6.4) | Free CVE Database | 4nuxd