Original issue date: May 1, 1997<BR>
Last revised: January 5, 1998<BR>
 Added vendor information for SGI.


<P>A complete revision history is at the end of this file.

<P>There have been discussions on public mailing lists about buffer overflows
in the Xt library of the X Window System made freely available by The
Open Group (and previously by the now-defunct X Consortium). The specific
problem outlined in those discussions was a buffer overflow condition in
the Xt library, in the file xc/lib/Xt/Error.c. Exploitation scripts were
made available.

<P>Since then (the latter half of 1996), The Open Group has extensively
reviewed the source code for the entire distribution to address the potential
for further buffer overflow conditions. Such conditions can make it possible
for a local user to execute arbitrary instructions as a privileged user
without authorization.

<P>The programs that pose a potential threat to sites are those programs
that have been built from source code prior to X11 Release 6.3 and have
setuid or setgid bits set. Some third-party vendors distribute derivatives
of the X Window System, and if you use a distribution that includes X tools
that have setuid or setgid bits set, you may be vulnerable as well.

<P>The CERT/CC team recommends upgrading to X11 Release 6.3 or installing
a patch from your vendor. If you cannot do one of these, then as a last
resort we recommend that you remove the setuid or setgid bits from any
executable files contained in your distribution of X; this may have an
adverse effect on some system operations.

<P>We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>
There have been discussions on public mailing lists about buffer overflows
in the Xt library of the X Window System made freely available by The
Open Group (and previously by the now-defunct X Consortium). During these
discussions, exploitation scripts were made available for some platforms.**

<P>The specific problem outlined in those discussions was a buffer overflow
condition in the Xt library, in the file xc/lib/Xt/Error.c. It was possible
for a user to execute arbitrary instructions as a privileged user by way of
a program built from this distribution with setuid or setgid bits set.

<P>Note that in this case a root compromise was only possible when programs
built from this distribution (e.g., xterm) were setuid root.
<BR>Since then The Open Group has extensively reviewed the source code
for the entire distribution to address the potential for further buffer
overflow conditions.

<P>If you use a distribution of the X Window System earlier than X11
Release 6.3 that you downloaded and compiled yourself, we encourage you
to take the steps outlined in either Section IV A or C.

<P>If you use third-party vendor-supplied distributions of the X Window
System containing setuid root programs, we encourage you to take the steps
outlined in Sections IV B or C.

<P>** Note: Discussions of this specific instance of the vulnerability
appeared on mailing lists during the second half of 1996. Exploitation
scripts were made public at that time.
<H2>II. Impact</H2>
Platforms that have X applications built with the setuid or setgid bits
set may be vulnerable to buffer overflow conditions. These conditions can
make it possible for a local user to execute arbitrary instructions as
a privileged user without authorization. Access to an account on the system
is necessary for exploitation.
<BR>
<BR>
<H2>III. Finding Potentially Vulnerable Distributions</H2>

<H3>A. For Sites That Download and Build Their Own Distributions</H3>
As discussed earlier, the programs that pose a potential threat to sites
are those programs that have been built from source code prior to X11
Release 6.3 and have setuid or setgid bits set.

<P>Sites that have downloaded the X source code from the X Consortium should
be able to identify such programs by looking in the directory hierarchy
defined by the "ProjectRoot" constant described in the xc/config/cf/site.def
file in the source code distribution. The default is /usr/X11R6.3. The
X11R6.3 Installation Guide states:

<P>"ProjectRoot
<UL>The destination where X will be installed. This variable needs to be
set before you build, as some programs that read files at run-time have
the installation directory compiled in to them. Assuming you have set the
variable to some value /path, files will be installed into /path/bin, /path/include/X11,
/path/lib, and /path/man."</UL>

<H3>B. For Vendor-Supplied Distributions</H3>
Some third-party vendors distribute derivatives of the X Window System.
If you use a distribution that includes X tools that have setuid or setgid
bits set, then you may need to apply Solution B or C in Section IV.

<P>If you use a distribution that does not have setuid or setgid bits enabled
on any X tools, then you do not need to take any of the steps listed below.

<P>Section IV.B and Appendix A list the vendors who have provided information
about this problem. If your vendor's name is not on that list and you need
clarification, you should check directly with your vendor.
<BR>
<H2>IV. Solution</H2>
If any X tools that you are using are potentially vulnerable (see Section
III), we encourage you to take one of the following steps. If the setuid
or setgid bits are not enabled on any of the tools in your distribution,
you do not need to take any of the steps listed below.

<P>For distributions that were built directly from the source code supplied
by The Open Group (and previously by the X Consortium), we encourage you
to apply either Solutions A or C. For vendor-supplied distributions, we
encourage you to apply either Solutions B or C.
<BR>
<H3>A. Upgrade to X11 Release 6.3</H3>
If you download and build your own distributions directly from the source
code, we encourage you to install the latest version, X11 Release 6.3.
The source code can be obtained from
<BR>
<UL><A HREF="ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz">ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz</A>
<BR><A HREF="ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz">ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz</A>
<BR><A HREF="ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz">ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz</A></UL>
Note that these distributions are very large. The compressed files consume
about 40 MB of disk space. The uncompressed tar files consume about 150 MB
of disk space.
<BR>
<H3>B. Install a patch from your vendor</H3>
Below is a list of vendors who have provided information about this problem.
Details are in Appendix A of this advisory; we will update the appendix
as we receive more information. If your vendor's name is not on this list,
the CERT/CC did not hear from that vendor. Please contact your vendor directly.

<P>Berkeley Software Design, Inc. (BSDI)
<BR>Data General Corporation
<BR>Digital Equipment Corporation (DEC)
<BR>FreeBSD, Inc.
<BR>Hewlett-Packard Company
<BR>IBM Corporation
<BR>NEC Corporation
<BR>NeXT Software, Inc.
<BR>The Open Group (formerly OSF/X Consortium)
<BR>The Santa Cruz Operation, Inc. (SCO)
<BR>Silicon Graphics, Inc.
<BR>Sun Microsystems, Inc.
<BR>
<H3>C. Remove the setuid bit from affected programs</H3>
If you are unable to apply Solutions A or B, then as a last resort we recommend
removing the setuid or setgid bits from the executable files in your distribution
of X.

<P>Note that this may have an adverse effect on some system operations.
For instance, on some systems the xlock program needs to have the setuid
bit enabled so that the shadow password file can be read to unlock the
screen. By removing the setuid bit from this program, you remove the ability
of the xlock program to read the shadow password file, so a locked screen
can no longer be unlocked with the user's password. This means that
particular version of the xlock program should not be used at all, or, if
it is, that the locked screen will have to be cleared by killing xlock from
another terminal when necessary.
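<P>As an added example for Sections III.A and IV.C (this is not code from the
advisory, from The Open Group, or from any vendor), the following POSIX shell
script lists the setuid and setgid executables under an X installation tree
and, for the last-resort step, strips those bits while writing a rollback
script so the change can be undone exactly. The default tree /usr/X11R6.3 is
the advisory's default ProjectRoot; the script name, the rollback file name
and any other path are assumptions for your site.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory: audit an X installation
# tree for setuid/setgid executables (Section III.A) and, if you choose the
# last-resort Solution C, strip those bits with an exact rollback record.
# Assumptions: POSIX sh, find, chmod, sed, wc and tr; /usr/X11R6.3 is the
# advisory's default ProjectRoot, and your site may have chosen another.

# list_privileged_bins DIR
#   Print every regular file under DIR whose setuid (-perm -4000) or
#   setgid (-perm -2000) bit is set, one path per line.
list_privileged_bins() {
    find "${1:-/usr/X11R6.3}" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# count_privileged_bins DIR
#   Number of such files (tr strips the padding that BSD wc adds).
count_privileged_bins() {
    list_privileged_bins "$1" | wc -l | tr -d ' '
}

# strip_privileged_bits DIR ROLLBACK
#   Write a shell script to ROLLBACK that restores exactly the bits being
#   removed (u+s for files that were setuid, g+s for files that were
#   setgid), then clear both bits on every file found. Prints the number
#   of files changed. A path containing a double quote would break the
#   generated rollback script; an X tree is not expected to contain one.
strip_privileged_bits() {
    dir=${1:-/usr/X11R6.3}
    rollback=${2:-./restore-x-privbits.sh}
    n=$(count_privileged_bins "$dir")
    {
        echo '#!/bin/sh'
        echo "# Restores setuid/setgid bits stripped from $dir"
        find "$dir" -type f -perm -4000 -print | sed 's|.*|chmod u+s "&"|'
        find "$dir" -type f -perm -2000 -print | sed 's|.*|chmod g+s "&"|'
    } > "$rollback"
    # Record first, then modify: the lists above are the pre-change state.
    list_privileged_bins "$dir" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
    done
    echo "$n"
}

# Command-line use (hypothetical file name):
#   sh x-privbits.sh audit [DIR]
#   sh x-privbits.sh strip [DIR] [ROLLBACK]
case "${1:-}" in
    audit) list_privileged_bins "${2:-}" ;;
    strip) strip_privileged_bits "${2:-}" "${3:-}" ;;
esac
```

Run the audit first and review the list; vendor-supplied trees (Section III.B)
often live outside /usr/X11R6.3, so pass that directory explicitly. Keep the
rollback script: once a vendor patch (Solution B) or X11R6.3 (Solution A) is
installed, it restores the bits for exactly the programs that had them, and
nothing else.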
<BR>
<BR>
<HR>
<H2>Appendix A - Vendor Information</H2>
Below is a list of the vendors who have provided information for this advisory.
We will update this appendix as we receive additional information. If you
do not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact the vendor directly.
<H3>Berkeley Software Design, Inc. (BSDI)</H3>
We released a patch for this for the 2.1 BSD/OS release,
<BR>and it's already fixed in our current release.
<H3>Data General Corporation</H3>

<P>All versions of DG/UX are vulnerable.
<BR>

<P>Patches for this vulnerability are in progress.



<H3>Digital Equipment Corporation (DEC)</H3>
At the time of writing this document, patches (binary kits) are in progress
and final testing is expected to begin soon. Digital will provide notice
of the completion/availability of the patches through AES services (DIA,
DSNlink FLASH), and they will be available from your normal Digital Support channel.
<H3>FreeBSD, Inc.</H3>
We're aware of the problem and are trying to correct it with a new release
of the Xt library.
<H3>Hewlett-Packard Company</H3>
HPSBUX9704-058
<BR>Description: Security Vulnerability in libXt for HP-UX 9.X &amp; 10.X
<BR>HEWLETT-PACKARD SECURITY BULLETIN: #00058 libXt

<P>Security Bulletins are available from the HP Electronic
<BR>Support Center via electronic mail.

<P>Use your browser to get to the HP Electronic Support
<BR>Center page at:

<P><A HREF="http://us-support.external.hp.com">http://us-support.external.hp.com</A>
(for US, Canada, Asia-Pacific, &amp; Latin-America)

<P><A HREF="http://europe-support.external.hp.com">http://europe-support.external.hp.com</A>
(for Europe)
<H3>IBM Corporation</H3>
See the appropriate release below to determine your action.
<H4>AIX 3.2</H4>
Apply the following fix to your system:
<BR>APAR - IX61784, IX67047, IX66713 (PTF - U445908, U447740)

<P>To determine if you have this PTF on your system, run the following
command:
<BR>lslpp -lB U445908 U447740
<H4>AIX 4.1</H4>
Apply the following fix to your system:
<BR>APAR - IX61031 IX66736 IX66449

<P>To determine if you have this APAR on your system, run the following
command:

<P>instfix -ik IX61031 IX66736 IX66449

<P>Or run the following command:

<P>lslpp -h X11.base.lib

<P>Your version of X11.base.lib should be 4.1.5.2 or later.
<H4>AIX 4.2</H4>
Apply the following fix to your system:

<P>APAR - IX66824 IX66352

<P>To determine if you have this APAR on your system, run the following
command:

<P>instfix -ik IX66824 IX66352

<P>Or run the following command:

<P>lslpp -h X11.base.lib

<P>Your version of X11.base.lib should be 4.2.1.0 or later.
<H4>To Order</H4>
APARs may be ordered using Electronic Fix Distribution (via FixDist) or
from the IBM Support Center. For more information on FixDist, reference
URL:

<P><A HREF="http://service.software.ibm.com/aixsupport/">http://service.software.ibm.com/aixsupport/</A>

<P>or send e-mail to <A HREF="mailto:aixserv@austin.ibm.com">aixserv@austin.ibm.com</A>
with a subject of "FixDist".

<P>IBM and AIX are registered trademarks of International Business Machines
Corporation.
<H3>NEC Corporation</H3>

<TABLE BORDER=0 COLS=2 NOSAVE >
<TR>
<TD>EWS-UX/V(Rel4.2) R7.x - R10.x</TD>

<TD>vulnerable</TD>
</TR>

<TR>
<TD>EWS-UX/V(Rel4.2MP) R10.x</TD>

<TD>vulnerable</TD>
</TR>

<TR>
<TD>UP-UX/V(Rel4.2MP) R5.x - R7.x</TD>

<TD>vulnerable</TD>
</TR>

<TR>
<TD>UX/4800 R11.x - current</TD>

<TD>vulnerable</TD>
</TR>
</TABLE>


<P>Patches for this vulnerability are in progress.
<BR>For further information, please contact by e-mail:

<P><A HREF="mailto:UX48-security-support@nec.co.jp">UX48-security-support@nec.co.jp</A>
<H3>NeXT Software, Inc.</H3>
X-Windows is not part of any NextStep or OpenStep release. We are not vulnerable
to this problem.
<H3>The Open Group (formerly OSF/X Consortium)</H3>
Not vulnerable.
<H3>The Santa Cruz Operation, Inc. (SCO)</H3>
We are investigating this problem and will provide updated
<BR>information for this advisory when it becomes available.

<H3>Silicon Graphics, Inc.</H3>

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems.  This issue will
be corrected in future releases of IRIX.

<P>For further information, please refer to Silicon Graphics
Inc. Security Advisory Number: 19971101-01-PX, "libXt Security Issues."

<P>The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Security information and patches can be found
in the ~ftp/security and ~ftp/patches directories, respectively.

<P>
<H3>Sun Microsystems, Inc.</H3>
Bulletin Number: #00153
<BR>Date: August 25, 1997
<BR>Title: Vulnerabilities in libXt
<BR>Vulnerable: SunOS versions 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86,
5.3, 4.1.4, and 4.1.3_U1
<BR>The vulnerabilities are fixed in Solaris 2.6.

<P>Patches are available to all Sun customers via World Wide Web at:

<P><A HREF="ftp://sunsolve1.sun.com/pub/patches/patches.html">ftp://sunsolve1.sun.com/pub/patches/patches.html</A>

<P>Customers with Sun support contracts can also obtain patches from local
Sun answer centers and SunSITEs worldwide.

<P>Sun security bulletins are available via World Wide Web at:

<P><A HREF="http://sunsolve1.sun.com/sunsolve/secbulletins">http://sunsolve1.sun.com/sunsolve/secbulletins</A>

<P><HR>

<P>Copyright 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Jan. 5, 1998  Added vendor information for Silicon Graphics, Inc.
Dec. 11, 1997 Appendix A - updated vendor information for Data General Corporation.
Sep. 26, 1997 Updated copyright statement
Aug. 27, 1997 Appendix A - updated vendor information for Sun Microsystems,Inc.
May 8, 1997   Appendix A - updated vendor information for Hewlett-Packard.
</PRE>