Privacy and Legal Notice
INFORMATION BULLETIN
E-04: xterm Logfile Vulnerability
November 11, 1993 2130 PST
PROBLEM: The logfile facility of the xterm program contains a security
vulnerability.
PLATFORM: UNIX systems with X11 software and xterm installed with setuid or
setgid privileges.
DAMAGE: Local users may gain root access to the system.
SOLUTION: Install a patched version of xterm.
Critical Information about the xterm Logfile Vulnerability
CIAC has learned of a vulnerability in many versions of the X11 program xterm.
Local users may use the xterm logfile facility to create or modify files on
the system, enabling unauthorized access including root access. This
vulnerability has been shown to exist in X11 (Version 5 and earlier) in both
vendor supplied binaries and those compiled from the public X11 sources.
The vulnerability exists only on systems with xterm installed with setuid or
setgid privileges. For example, the "s" permission bit in the following
directory listing indicates the xterm binary is installed with the setuid bit
set:
% ls -l /opt/X11R5/bin/xterm
-rwsr-xr-x 1 root staff 183152 Nov 10 13:10 /opt/X11R5/bin/xterm*
Additionally, the vulnerability only exists in xterm binaries that permit
logging. To determine if this feature is enabled, execute the following
command:
% xterm -l
If a file of the form "XtermLog.axxxx" is created, logging is enabled.
CIAC recommends that affected sites implement one of the solutions described
below. All solutions require that a new version of xterm be installed. It is
important that old versions either be removed from the system or have the
setuid and setgid bits cleared.
- Vendor Patch
- Vendor patches, if available, should be installed. The CERT
Coordination Center is coordinating the vendor response to this
issue and will maintain a list of currently available vendor
patches for xterm. The information will be available via
anonymous FTP from info.cert.org (IP 192.88.209.5) in the file
/pub/cert_advisories/xterm-patch-status. A current version of
this file is appended at the end of this bulletin.
For up-to-date patch information, please contact your vendor
or CIAC.
- X11R5 Public Patch #26
- Systems using the public X11 distribution and systems lacking
vendor patches may upgrade to the X Consortium's X11R5 Patch
Level 26. The X11 sources and patches are available via
anonymous FTP from ftp.x.org (IP 198.112.44.100). All patches,
up to and including fix-26, should be installed.
By default, fix-26 disables the logfile facility in xterm.
Similar functionality may be obtained through the use of
utilities such as the UNIX script(1) command.
CIAC wishes to thank the CERT Coordination Center and Stephen Gildea of the
X Consortium for their contributions to this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]