Original issue date: November 11, 1993<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center is working on eliminating a vulnerability in
xterm.  This vulnerability potentially affects all systems running xterm
with the setuid or setgid bit set.  This vulnerability has been found in
X Version 11, Release 5 (X11R5) and earlier versions of X11.

<P>CERT is working with the vendor community to address this vulnerability.

<P><HR>

<P>
<H2>I. Description</H2>

<P>A vulnerability in the logging function of xterm exists in many
versions of xterm that operate as a setuid or setgid process.  The
vulnerability allows local users to create files or modify any
existing files.

<P>If the setuid or setgid privilege bit is not set on the xterm program,
the vulnerability cannot be exploited.

<P>It is possible that the xterm on your system does not allow
logging.  In this case, the vulnerability cannot be exploited.  To
determine if logging is enabled, run xterm with the &quot;-l&quot; option.  If
an &quot;XtermLog.axxxx&quot; file is created in the current directory, xterm
supports logging.  You can also check the output of &quot;xterm -help&quot;
to see whether the &quot;-l&quot; option is described as &quot;not supported&quot;.

<P>Another way to determine if logging is available is to look for
the &quot;Log to File&quot; item in the Main Options menu (press Control mouse
button 1).  If the X Consortium's public patch has been installed
as distributed,  the option &quot;Log to File&quot; should not appear in the
menu.
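<P>The two preconditions described above (a setuid or setgid xterm, and logging support) can be checked together. The following shell sketch is an added example, not part of the original advisory or of any CERT tooling. The function names, verdict strings and sample help lines are constructed for illustration, and the layout of the &quot;-l&quot; line in real &quot;xterm -help&quot; output is an assumption.

```shell
#!/bin/sh
# Added example: audit the advisory's two exposure preconditions for xterm.

# Constructed sample help lines (real "xterm -help" layout may differ).
SAMPLE_HELP_ENABLED='  -/+l        turn on/off logging'
SAMPLE_HELP_PATCHED='  -/+l        turn on/off logging (not supported)'

# has_priv_bits FILE: succeeds if the setuid or setgid bit is set on FILE.
has_priv_bits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# logging_status HELP_TEXT: prints supported, not-supported or unknown,
# based on how the "-l" option line is described in the help text.
logging_status() {
    line=$(printf '%s\n' "$1" |
        grep -E '^[[:space:]]*-(/\+)?l([[:space:]]|$)' | head -n 1)
    case $line in
        '')                echo unknown ;;
        *"not supported"*) echo not-supported ;;
        *)                 echo supported ;;
    esac
}

# audit_xterm FILE HELP_TEXT: prints one verdict for this binary.
audit_xterm() {
    if ! has_priv_bits "$1"; then
        echo ok-no-priv-bits
        return 0
    fi
    case $(logging_status "$2") in
        supported)     echo exposed ;;
        not-supported) echo ok-logging-disabled ;;
        *)             echo check-manually ;;
    esac
}

# audit_installed_xterm: run the audit against the xterm found on PATH.
audit_installed_xterm() {
    bin=$(command -v xterm) || { echo xterm-not-found; return 0; }
    audit_xterm "$bin" "$("$bin" -help 2>&1)"
}
```

<P>Calling audit_installed_xterm on a host prints a single verdict; a result of check-manually means the help text had no recognizable &quot;-l&quot; line, so fall back to the menu check described above.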

<P>
<H2>II. Impact</H2>

<P>This vulnerability allows anyone with access to a user account
to gain root access.

<P>
<H2>III. Solutions</H2>

<P>All of the following solutions require that a new version of xterm be
installed.  When installing the new xterm, it is important either to
remove the old version of xterm or to clear the setuid and setgid
bits from the old xterm.

<P>CERT suggests one of the following solutions.

<P>
<OL><LI TYPE = "A">Install the vendor-supplied patch if available.  CERT is hopeful that patches will be forthcoming.  We will be maintaining a
status file, xterm-patch-status, and we will add patch availability
information to this file as it becomes known.  The file is
available from:
<P><A HREF="http://www.cert.org/advisories/CA-1993-17/patch-status.txt">http://www.cert.org/advisories/CA-1993-17/patch-status.txt</A>

<P>For more up-to-date information, contact the vendor.

<LI><P>If your site is using the X Consortium's X11R5, install the
public patch #26.  This patch is available via anonymous FTP
from ftp.x.org as the file /pub/R5/fixes/fix-26.  Install all
patch files up to and including fix-26.

<P>By default, the patch disables logging. If you choose to enable
logging, a variation of the vulnerability still exists.

<P>Checksum information:

<P><PRE>
     BSD Unix Sum:  19609 47

     System V Sum:  51212 94

     MD5 Checksum:  e270560b6e497a0a71881d4ff4db8c05

</PRE>

<LI><P>If your site is using an earlier version of the X Consortium's X11,
upgrade to X11R5.  Install all patches up to and including fix-26.

<LI><P>If you are unable to upgrade to the X Consortium's X11R5, modify
the xterm source code to remove the logging feature.  Familiarity
with X11 and its installation and configuration is recommended
before implementing these modifications.

<P>
</OL>
<HR>
The CERT Coordination Center wishes to thank Stephen Gildea of the 
X Consortium for his assistance in responding to this problem.

<P>Copyright 1993 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
September 19, 1997  Attached Copyright Statement
</PRE>