NASIRC BULLETIN #93-08 November 30, 1993
xterm Logfile Vulnerability
===========================================================================
NASA Automated Systems Incident Response Capability
===========================================================================
NASIRC has learned of a vulnerability in the logging features of xterm.
Local users may use the xterm logfile facility to create or modify files
on the system, enabling unauthorized access including root access. This
vulnerability has been shown to exist in X11 (Version 5 and earlier) in
both vendor supplied binaries and those compiled from the public X11
sources.
The vulnerability exists on systems with xterm installed with setuid or
setgid privileges. For example, the "s" permission bit in the following
directory listing indicates the xterm binary is installed with the setuid
bit set:
% ls -l /opt/X11R5/bin/xterm
-rwsr-xr-x 1 root staff 183152 Nov 10 13:10 /opt/X11R5/bin/xterm*
Additionally, the vulnerability only exists in xterm binaries that permit
logging. To determine whether this feature is enabled, run xterm with the "-l"
option. This can be accomplished by executing the following command:
% xterm -l
If a file of the form "XtermLog.axxxx" is created, logging is enabled.
Another method to determine logging status is to check for the "Log to File"
item in the Main Options menu. If X Consortium's public patch is installed,
the option "Log to File" should not appear in the menu.
NASIRC has learned that other incident response organizations recommended the
implementation of the solutions contained below. However, NASIRC has learned
that these recommended solutions may cause additional problems not previously
identified. Therefore, NASIRC is releasing this bulletin to serve as
notification of a problem with the xterm logging function. As of this posting
NASIRC does not have a total solution to this problem. If, upon
implementation and further research, you identify a solution that does not
create further vulnerabilities please notify NASIRC so we may distribute this
corrective information to others.
RECOMMENDED SOLUTIONS:
To effectively implement these solutions old versions of xterm must either be
removed from the system or have the setuid and setgid bits cleared.
Vendor Patch
    For those systems running a version of xterm other than X11, contact
    your vendor. For up-to-date patch information, please contact your
    vendor or NASIRC.

X11R5 Public Patch #26
    Systems using the public X11 distribution and systems lacking vendor
    patches may upgrade to the X Consortium's X11R5 Patch Level 26. The X11
    sources and patches are available via anonymous FTP from
    nasirc.hq.nasa.gov. All patches, up to and including fix-26, should be
    installed. By default, fix-26 disables the logfile facility in xterm.
    Similar functionality may be obtained through the use of utilities such
    as the UNIX script(1) command.
If you are unable to upgrade to the X Consortium X11R5, modify the xterm
source code to remove the logging feature.
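As an added example (not part of the NASIRC bulletin or of the X11 distribution), the following POSIX sh script automates the precondition check the bulletin describes, the setuid/setgid test shown in the ls(1) listing above, across every xterm binary it can find, and applies the interim remediation of clearing those bits. The default search directories /usr/bin/X11 and /opt/X11R5/bin beyond $PATH are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the NASIRC bulletin: finds xterm binaries
# carrying the setuid or setgid bit (the precondition for the logfile bug)
# and, with -f, clears those bits as the bulletin's interim remediation.
# Only POSIX sh, find(1), ls(1) and chmod(1) are used, so it runs on old UNIX.

# is_setuid_or_setgid FILE -> 0 if either bit is set, 1 if not, 2 if FILE is
# not a regular file.  find's -perm -MODE matches when all MODE bits are set.
is_setuid_or_setgid() {
    [ -f "$1" ] || return 2
    [ -n "$(find "$1" \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)" ]
}
# mode_string FILE -> the ls(1) permission field, e.g. -rwsr-xr-x as in the bulletin
mode_string() { ls -ld "$1" | cut -c1-10; }

# find_xterms [DIR ...] -> print DIR/xterm for every DIR that has one.
# Default DIRs (assumed): each $PATH entry plus two common X11 install paths.
find_xterms() {
    [ $# -eq 0 ] && set -- $(printf '%s\n' "$PATH" | tr ':' ' ') /usr/bin/X11 /opt/X11R5/bin
    for d in "$@"; do
        [ -f "$d/xterm" ] && printf '%s\n' "$d/xterm"
    done
    return 0
}

# audit_xterm FILE -> print a verdict; exit 0 only if FILE is setuid/setgid.
audit_xterm() {
    if is_setuid_or_setgid "$1"; then
        printf '%s %s  PRIVILEGED: setuid/setgid xterm, logfile risk\n' "$(mode_string "$1")" "$1"
        return 0
    fi
    printf '%s %s  ok: not setuid/setgid\n' "$(mode_string "$1")" "$1"
    return 1
}

# clear_priv_bits FILE -> drop setuid and setgid; exit 0 once neither remains.
clear_priv_bits() { chmod u-s,g-s "$1" && ! is_setuid_or_setgid "$1"; }

# main [-f] -> audit every xterm found; exit 1 if any was privileged.
main() {
    rc=0
    for x in $(find_xterms); do
        if audit_xterm "$x"; then
            rc=1
            [ "$1" = "-f" ] && clear_priv_bits "$x" && echo "  cleared bits on $x"
        fi
    done
    return $rc
}

main "$@"
```

Run it without arguments to report, or with -f (as root) to clear the bits on every privileged xterm it reports; a non-zero exit status means at least one privileged xterm was found.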
Security checklists, toolkits and guidance are available from the
NASIRC online archives. Contact the NASIRC Helpdesk for more
information and assistance with toolkits or security measures.
NASIRC ACKNOWLEDGES: CERT, CIAC and Stephen Gildea of the X Consortium
for their contribution to this bulletin.
==================================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-306-1010
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
==================================================================
This bulletin may be forwarded without restrictions to sites and
system administrators within the NASA community
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues.
A list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Addendum to NASIRC Bulletin 93-08
The following is vendor-supplied information. NASIRC will not formally
review, evaluate, or endorse this information. For more up-to-date
information, contact your vendor.
It is important to note that the vendor of your xterm may not be the same
as the vendor of your platform. You should take care to correctly identify
the vendor whose xterm you are using, so you can take the appropriate action.
Convex
    Fixed in CXwindows V3.1. Fixed in CXwindows V3.0 with TAC patch
    V3.0.131 applied. The Convex Technical Assistance Center is available
    for additional information at 800-952-0379.

Cray
    Fixed. Contact Cray for version/patch numbers.

DEC/OSF
    Attached is the information on the remedial images to address the xterm
    issue for ULTRIX V4.3 (VAX & RISC) and OSF/1 V1.2. The solutions have
    been included in ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3. Customers may
    call their normal Digital Multivendor Customer Services Support Channel
    to obtain this kit.
----------------------------------------------------------
[ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary
COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation.
ALL RIGHTS RESERVED.
COMPONENT: xterm
OP/SYS: ULTRIX VAX and RISC, OSF/1
SOURCE: Digital Customer Support Center
ECO INFORMATION:
CSCPAT Kit: CSCPAT_4034 V1.1
CSCPAT Kit Size: 2152 blocks
Engineering Cross Reference: SSRT93-E-0230, SSRT93-E-0231,
SSRT93-E-232
Kit Applies To: ULTRIX V4.3, OSF/1 V1.2
System Reboot Required: NO
----------------------------------------------------------
SCO
    The current releases listed below are not vulnerable to this problem.
    No xterm logging or scoterm logging is provided:
        SCO Open Desktop Lite, Release 3.0
        SCO Open Desktop, Release 3.0
        SCO Open Server Network System, Release 3.0
        SCO Open Server Enterprise System, Release 3.0
    Contact SCO for any further information.

Sequent
    Fixed. Contact Sequent for version/patch numbers.

Sun
    Sun's version of xterm has not been setuid root since at least as far
    back as SunOS 4.1.1, and probably further. An xterm that does not run
    setuid or setgid is not vulnerable to the xterm logging problem.
    CAUTION: A Sun patch was issued on December 6, 1992 to give system
    administrators the option of running xterm setuid root. Installing this
    patch will introduce the xterm logging vulnerability. So check your
    xterm. If either the setuid or setgid privilege bit is set on the xterm
    program, the vulnerability can be exploited. Contact Sun for further
    information.

X.org (Publicly distributed version of X.)
    You can patch X11R5 by applying all patches up to and including fix-26.
    See the associated NASIRC Bulletin #93-07 for further information.