VYPR
Unrated severity · NVD Advisory · Published Oct 7, 1999 · Updated Apr 16, 2026

CVE-1999-1347

Description

Red Hat Linux 6.1 Xsession bypasses restricted account .xsession file when KDE, GNOME, or anotherlevel is selected from kdm.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Red Hat Linux 6.1 and earlier, the Xsession script fails to enforce execution of the user's .xsession file when the user selects a KDE, GNOME, or anotherlevel session from kdm. The bypass occurs because Xsession starts the chosen environment directly, without first checking the user's login shell or requiring .xsession to run. Affected versions include Red Hat Linux 6.0 and 6.1 [1].

Exploitation

A local user with a restricted account (e.g., one configured with a special shell and .xsession intended to limit activity) can exploit this by simply choosing KDE, GNOME, or anotherlevel from the kdm login manager. No additional authentication or privileges beyond the restricted account are required; the Xsession script immediately starts the requested desktop environment, bypassing any restrictions set in .xsession [1].

Impact

Successful exploitation allows a restricted local user to bypass the intended execution of the .xsession file, which may limit or monitor their activities. This grants unrestricted access to a full desktop environment (KDE, GNOME, or anotherlevel), potentially enabling the user to circumvent account-specific controls, run arbitrary commands, or reach resources that the .xsession was designed to block. The outcome is a local privilege escalation confined to the scope of the user's own account: the account's restrictions are defeated, but no privileges beyond that account are gained [1].

Mitigation

Red Hat has not released a specific patch for this issue. As a workaround, system administrators can modify the Xsession script to verify that the user's login shell is listed in /etc/shells before starting a KDE, GNOME, or anotherlevel session, as suggested in the advisory [1]. Alternatively, administrators may restrict access to kdm or configure the login manager to allow only the default Xsession. This CVE does not appear in the Known Exploited Vulnerabilities (KEV) catalog.
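The following is an added example of the /etc/shells check described in the workaround above; it is not Red Hat's Xsession script and the function names (shell_is_permitted, choose_session) are hypothetical. The /etc/shells contents are constructed inline so the example runs offline; in a real Xsession the check would read the live /etc/shells and the user's shell from the password database.

```sh
#!/bin/sh
# Added example (not the Red Hat Xsession script): only let a login shell that
# appears in an /etc/shells-style list start a full KDE/GNOME/anotherlevel
# session. Accounts with a restricted shell are kept on the default path,
# where their ~/.xsession is applied.

# Constructed sample of an /etc/shells file (not read from the live system).
SAMPLE_SHELLS='/bin/sh
/bin/bash
/bin/tcsh'

# shell_is_permitted SHELL [SHELLS_LIST]
# Returns 0 when SHELL matches a complete line of the list, 1 otherwise.
# -F: literal match, -x: whole line, -q: no output, -e: pattern may start with '/'.
shell_is_permitted() {
    _shell=$1
    _list=${2:-$SAMPLE_SHELLS}
    printf '%s\n' "$_list" | grep -Fxq -e "$_shell"
}

# choose_session SHELL SESSION_CHOICE
# Prints the session that will actually be started. A KDE, GNOME or
# anotherlevel choice is honoured only for an unrestricted (listed) shell;
# every other case falls back to the default Xsession, which runs ~/.xsession.
choose_session() {
    _shell=$1
    _choice=$2
    case "$_choice" in
        kde|gnome|anotherlevel)
            if shell_is_permitted "$_shell"; then
                echo "$_choice"
            else
                # Restricted shell: refuse the direct desktop start.
                echo "shell $_shell not in /etc/shells; using default session" >&2
                echo "default"
            fi
            ;;
        *)
            echo "default"
            ;;
    esac
}
```

In an Xsession script the result of choose_session would drive the existing case statement that execs startkde, gnome-session or the anotherlevel startup, with the "default" branch sourcing the user's ~/.xsession as before.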

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Red Hat / Linux (2 versions)
    • cpe:2.3:o:redhat:linux:*:*:*:*:*:*:*:*, range: <=6.1
    • (no CPE), range: <=6.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.