Source: cve@mitre.org
Xscreensaver 4.14 contains certain debugging code that should have been omitted, which causes Xscreensaver to create temporary files insecurely in the (1) apple2, (2) xanalogtv, and (3) pong screensavers, and allows local users to overwrite arbitrary files via a symlink attack.
Xscreensaver 4.14 shipped with leftover debugging code in the apple2, xanalogtv and pong screensaver hacks that writes temporary files insecurely. A local user who can plant a symbolic link at the predictable temporary-file path can make the running hack truncate and overwrite any file that the screensaver's user can write to. The primitive is therefore arbitrary file overwrite with the privileges of whoever is running the screensaver; it becomes a privilege escalation only when the affected hack runs as a more privileged account than the attacker (for example a screensaver started by a display manager as root). The /etc/passwd examples below assume that precondition.
Step 1: Symlink creation. The attacker, who already has a local account, creates a symbolic link at the fixed path where the vulnerable hack will write its temporary file (a shared directory such as /tmp), pointing at the file to be overwritten. The usual illustration is a system file such as /etc/passwd, which only works if the screensaver is running as root; against a normal desktop session the reachable targets are the victim user's own files.
Step 2: Screensaver execution. The attacker waits for the vulnerable hack (apple2, xanalogtv or pong) to be selected when the screensaver activates, or starts it directly. The hack runs with the privileges of the user whose session it protects, not the attacker's.
Step 3: Temporary file creation. The hack opens its temporary file for writing by name. Because the name is predictable and the open follows symbolic links rather than refusing to use a path that already exists, the kernel resolves the link and opens (and truncates) the attacker-chosen target instead of creating a fresh file.
Step 4: File overwrite. The debugging code writes its output through the open descriptor, so the target now holds screensaver debug data instead of its original contents. Whether those bytes are attacker-influenced depends on what the debug code dumps; in the typical symlink-overwrite case the attacker chooses the target but not the content, so the realistic outcome is truncation and corruption of that file rather than clean insertion of a crafted entry.
Step 5: Impact. If the hack ran as root and the target was /etc/passwd or /etc/shadow, the account database is corrupted, which can lock users out or, if the attacker can influence the written data, grant them a privileged account. If the hack ran as an ordinary user, the attacker can only damage that user's files, which is a local denial of service rather than a direct root compromise.
The root cause is debugging code left in the apple2, xanalogtv and pong hacks that writes to temporary files under fixed, guessable names in a shared directory, using an open for writing that follows symbolic links and succeeds whether or not the path already exists. Nothing guarantees that the name refers to a fresh file owned by the screensaver, so an attacker who creates a symlink at that name ahead of time redirects the write to any file the screensaver's user can modify. There is no tight race to win: the link only has to exist before the hack runs. This is the classic insecure-temporary-file pattern (CWE-377, with CWE-59 link following). The safe pattern is a unique, unpredictable name created atomically with O_CREAT|O_EXCL (as mkstemp() does), optionally with O_NOFOLLOW, in a directory other users cannot write to; here the right fix was simply to remove the debug code, which should never have shipped.
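To make the failure mode in the steps above and the fix concrete, here is an added C example; it is not xscreensaver's code, and the pong.debug file name and the debug-dump functions are assumptions standing in for the leftover debugging code. It builds the scenario on constructed files in a private scratch directory: a victim file with known contents, an attacker-planted symlink at the predictable name, and then either the unsafe fopen("w") writer or an mkstemp()-based writer.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical stand-in for the leftover debug dump: a fixed, predictable
 * path in a shared directory opened with fopen("w"). fopen("w") means
 * O_WRONLY|O_CREAT|O_TRUNC, so it follows a symlink planted at 'path'
 * and truncates whatever the link points to. Returns 0 on success.
 */
static int unsafe_debug_dump(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/*
 * Hardened variant. mkstemp() replaces the XXXXXX with a random suffix and
 * opens the file with O_CREAT|O_EXCL and mode 0600: O_EXCL fails if the
 * path already exists, including when it is a symlink, so an attacker
 * cannot pre-place anything at the name. The created path is written to 'out'.
 */
static int safe_debug_dump(const char *dir, const char *data,
                           char *out, size_t outlen)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/debug-XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    close(fd);
    if (snprintf(out, outlen, "%s", tmpl) >= (int)outlen)
        return -1;
    return rc;
}

/*
 * Scenario from Steps 1-4 on constructed files: 'victim' holds known
 * contents, the attacker plants pong.debug -> victim (name assumed, not
 * xscreensaver's), then the chosen writer runs. Returns 1 if the victim's
 * contents were replaced, 0 if they survived, -1 on setup failure.
 */
static int run_symlink_scenario(int hardened)
{
    char dir[] = "/tmp/xss-demo-XXXXXX";
    char victim[PATH_MAX], link[PATH_MAX], created[PATH_MAX] = "";
    char buf[64] = "";
    int clobbered = -1;

    if (mkdtemp(dir) == NULL)          /* private 0700 scratch directory */
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/pong.debug", dir);

    FILE *v = fopen(victim, "w");
    if (v != NULL) {
        fputs("important\n", v);
        fclose(v);
        if (symlink(victim, link) == 0) {            /* Step 1: attacker */
            if (hardened)                            /* Steps 3-4: writer */
                safe_debug_dump(dir, "debug output\n", created, sizeof created);
            else
                unsafe_debug_dump(link, "debug output\n");
            FILE *r = fopen(victim, "r");
            if (r != NULL) {
                size_t n = fread(buf, 1, sizeof buf - 1, r);
                buf[n] = '\0';
                fclose(r);
                clobbered = strcmp(buf, "important\n") != 0;
            }
        }
    }
    if (created[0] != '\0')
        unlink(created);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("predictable name + fopen(\"w\"): victim clobbered = %d\n",
           run_symlink_scenario(0));
    printf("mkstemp():                      victim clobbered = %d\n",
           run_symlink_scenario(1));
    return 0;
}
```

The unsafe path reports 1 because the kernel resolved pong.debug to the victim and truncated it; the mkstemp() path reports 0 because the link is never touched. Where a fixed name is genuinely required, open() with O_CREAT|O_EXCL|O_NOFOLLOW gives the same guarantee; in both cases the directory should still be one other users cannot write to, because O_EXCL only protects the final component.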
No public reporting ties this issue to a particular threat actor, and it is not listed in CISA's Known Exploited Vulnerabilities catalogue. As a local file-overwrite primitive it matters mainly as one link in a longer chain after an attacker already has a shell on the host, and only on systems where the screensaver hack runs with higher privileges than that shell.
Monitor for symbolic links created in shared scratch directories such as /tmp, particularly links owned by one user that point at files owned by another user or at system files.
Review audit or system logs for unexpected truncation or modification of sensitive files such as /etc/passwd, /etc/shadow or /etc/group, and correlate the writing process with the screensaver hacks.
Use file integrity monitoring (FIM) so that unauthorised changes to those files are flagged regardless of which process made them.
Track execution of the apple2, xanalogtv and pong binaries and the paths they open for writing; a screensaver hack writing outside its expected locations is a strong signal.
Upgrade to a patched Xscreensaver release (4.15 or later) in which the leftover debugging code no longer creates these temporary files.
If you cannot upgrade immediately, remove apple2, xanalogtv and pong from the list of enabled hacks (or remove the binaries) so they are never run.
Never run screensaver hacks as root: a screensaver started by a display manager under a privileged account turns this bug into a root compromise, while under an ordinary user account the damage is confined to that user's files. On Linux, the fs.protected_symlinks sysctl (supported since kernel 3.6 and enabled by default on most modern distributions) additionally refuses to follow symlinks in world-writable sticky directories such as /tmp when the link's owner differs from both the follower and the directory owner, which defeats the attack as described.
Periodically audit which hacks are enabled and which account the screensaver runs as, and check /tmp and other shared directories for stale symlinks.
For code you maintain, create temporary files with mkstemp() or open() using O_CREAT|O_EXCL (and O_NOFOLLOW), prefer a private per-user temporary directory, and strip debugging output before release.