home *** CD-ROM | disk | FTP | other *** search
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- =============================================================================
- CA-93:17 CERT Advisory
- November 11, 1993
- xterm Logging Vulnerability
- - -----------------------------------------------------------------------------
-
- The CERT Coordination Center is working on eliminating a vulnerability in
- xterm. This vulnerability potentially affects all systems running xterm
- with the setuid or setgid bit set. This vulnerability has been found in
- X Version 11, Release 5 (X11R5) and earlier versions of X11.
-
- CERT is working with the vendor community to address this vulnerability.
-
- - -----------------------------------------------------------------------------
-
- I. Description
-
- A vulnerability in the logging function of xterm exists in many
- versions of xterm that operate as a setuid or setgid process. The
- vulnerability allows local users to create files or modify any
- existing files.
-
- If the setuid or setgid privilege bit is not set on the xterm program,
- the vulnerability cannot be exploited.
-
- It is possible that the xterm on your system does not allow
- logging. In this case, the vulnerability cannot be exploited. To
- determine if logging is enabled, run xterm with the "-l" option. If
- an "XtermLog.axxxx" file is created in the current directory, xterm
- supports logging. You can also check the output of "xterm -help"
- to see whether the "-l" option is described as "not supported".
-
- Another way to determine if logging is available is to look for
- the "Log to File" item in the Main Options menu (press Control mouse
- button 1). If the X Consortium's public patch has been installed
- as distributed, the option "Log to File" should not appear in the
- menu.
-
-
- II. Impact
-
- This vulnerability allows anyone with access to a user account
- to gain root access.
-
-
- III. Solutions
-
- All of the following solutions require that a new version of xterm be
- installed. When installing the new xterm, it is important either to
- remove the old version of xterm or to clear the setuid and setgid
- bits from the old xterm.
-
- CERT suggests one of the following solutions.
-
- A. Install vendor supplied patch if available. CERT is hopeful
- that patches will be forthcoming. We will be maintaining a
- status file, xterm-patch-status, and we will add patch availability
- information to this file as it becomes known. The file is
- available via anonymous FTP from info.cert.org. The name of
- the file is pub/cert_advisories/xterm-patch-status. A current
- version of this file is appended to this Advisory.
-
- For more up-to-date information, contact the vendor.
-
- B. If your site is using the X Consortium's X11R5, install the
- public patch #26. This patch is available via anonymous FTP
- from ftp.x.org as the file /pub/R5/fixes/fix-26. Install all
- patch files up to and including fix-26.
-
- By default, the patch disables logging. If you choose to enable
- logging, a variation of the vulnerability still exists.
-
- Checksum information:
-
- BSD Unix Sum: 19609 47
-
- System V Sum: 51212 94
-
- MD5 Checksum: e270560b6e497a0a71881d4ff4db8c05
-
- C. If your site is using an earlier version of the X Consortium's X11,
- upgrade to X11R5. Install all patches up to and including fix-26.
-
- D. If you are unable to upgrade to the X Consortium's X11R5, modify
- the xterm source code to remove the logging feature. Familiarity
- with X11 and its installation and configuration is recommended
- before implementing these modifications.
-
- - ---------------------------------------------------------------------------
- The CERT Coordination Center wishes to thank Stephen Gildea of the
- X Consortium for his assistance in responding to this problem.
- - ---------------------------------------------------------------------------
-
- If you believe that your system has been compromised, contact the CERT
- Coordination Center or your representative in Forum of Incident
- Response and Security Teams (FIRST).
-
- Internet E-mail: cert@cert.org
- Telephone: 412-268-7090 (24-hour hotline)
- CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
- and are on call for emergencies during other hours.
-
- CERT Coordination Center
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh, PA 15213-3890
-
- Past advisories, information about FIRST representatives, and other
- information related to computer security are available for anonymous
- FTP from info.cert.org.
-
- ^L
-
-
- CERT Coordination Center
- xterm Vendor Status
- November 11, 1993
-
-
- This file is a supplement to the CERT Advisory CA-93:17 of November 11, 1993,
- and will be updated as additional information becomes available.
-
- The following is vendor-supplied information. The CERT Coordination Center
- will not formally review, evaluate, or endorse this information. For more
- up-to-date information, contact your vendor.
-
- It is important to note that the vendor of your xterm may not be the same
- as the vendor of your platform. You should take care to correctly identify
- the vendor whose xterm you are using, so you can take the appropriate action.
-
-
-
- Convex Fixed in CXwindows V3.1. Fixed in CXwindows V3.0
- with TAC patch V3.0.131 applied. The Convex Technical
- Assistance Center is available for additional information
- at 800-952-0379.
-
- Cray Fixed. Contact Cray for version/patch numbers.
-
- DEC/OSF Attached is the information on the remedial images to
- address the xterm issue for ULTRIX V4.3 (VAX & RISC)
- and OSF/1 V1.2. The solutions have been included in
- ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3.
-
- Customers may call their normal Digital Multivendor
- Customer Services Support Channel to obtain this kit.
-
- ----------------------------------------------------------
- *ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary
-
-
- COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation.
- ALL RIGHTS RESERVED.
-
- COMPONENT: xterm
-
- OP/SYS: ULTRIX VAX and RISC, OSF/1
-
- SOURCE: Digital Customer Support Center
-
- ECO INFORMATION:
-
- CSCPAT Kit: CSCPAT_4034 V1.1
- CSCPAT Kit Size: 2152 blocks
- Engineering Cross Reference: SSRT93-E-0230, SSRT93-E-0231,
- SSRT93-E-232
- Kit Applies To: ULTRIX V4.3, OSF/1 V1.2
- System Reboot Required: NO
- ----------------------------------------------------------
-
- SCO The current releases listed below are not vulnerable to
- this problem. No xterm logging or scoterm logging is
- provided:
-
- SCO Open Desktop Lite, Release 3.0
- SCO Open Desktop, Release 3.0
- SCO Open Server Network System, Release 3.0
- SCO Open Server Enterprise System, Release 3.0
-
- Contact SCO for any further information.
-
- Sequent Fixed. Contact Sequent for version/patch numbers.
-
- Sun Sun's version of xterm has not been setuid root since at
- least as far back as SunOS 4.1.1, and probably further.
- An xterm that does not run setuid or setgid is not
- vulnerable to the xterm logging problem.
-
- CAUTION: A Sun patch was issued on December 6, 1992 to give
- system administrators the option of running xterm setuid
- root. Installing this patch will introduce the xterm
- logging vulnerability. So check your xterm. If either
- the setuid or setgid privilege bit is set on the xterm
- program, the vulnerability can be exploited. Contact
- Sun for further information.
-
- X.org (Publicly distributed version of X.) You can patch X11R5
- by applying all patches up to and including fix-26. See
- the associated CERT Advisory (CA-93:17) for further
- information.
-
-
- -----BEGIN PGP SIGNATURE-----
- Version: 2.6.2
-
- iQCVAwUBMaMxV3VP+x0t4w7BAQFawwP+JvcrKCW/OJhBHWGwWEq7ynUS3+OHezfO
- O8OGIk0ceZNUEFozrZ9f/RvXdS25mBOOziITDsAvmPxTxk2hW827UpKe1wtwzI4E
- FLlTnjPZplY2CRkMepba7pegVXn4Ggy8FBjdBy/lb5WhtupdzabEBZdE8y/ecXPU
- DGm2YNiETIQ=
- =l7eG
- -----END PGP SIGNATURE-----
-
-