
CERT® Advisory CA-1993-17 xterm Logging Vulnerability

Original issue date: November 11, 1993
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center is working on eliminating a vulnerability in xterm. This vulnerability potentially affects all systems running xterm with the setuid or setgid bit set. This vulnerability has been found in X Version 11, Release 5 (X11R5) and earlier versions of X11.

CERT is working with the vendor community to address this vulnerability.


I. Description

A vulnerability in the logging function of xterm exists in many versions of xterm that operate as a setuid or setgid process. The vulnerability allows local users to create files or modify any existing files.

If the setuid or setgid privilege bit is not set on the xterm program, the vulnerability cannot be exploited.

It is possible that the xterm on your system does not allow logging. In this case, the vulnerability cannot be exploited. To determine if logging is enabled, run xterm with the "-l" option. If an "XtermLog.axxxx" file is created in the current directory, xterm supports logging. You can also check the output of "xterm -help" to see whether the "-l" option is described as "not supported".

Another way to determine if logging is available is to look for the "Log to File" item in the Main Options menu (press Control mouse button 1). If the X Consortium's public patch has been installed as distributed, the option "Log to File" should not appear in the menu.
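The two preconditions described above (a setuid or setgid xterm, and logging support as reported by "xterm -help") can be checked together. The script below is an added example, not part of the original advisory; the function names and verdict words are hypothetical, and the layout of the "-l" help line is an assumption that may differ between xterm builds.

```shell
#!/bin/sh
# Added example (not from the advisory): classify one xterm binary against
# the two preconditions named in the Description section.
# Assumed help-line layout (constructed), e.g.:
#     -l                      logging not supported

# Succeeds if the file carries the setuid or setgid bit.
has_priv_bits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Reads "xterm -help" output on stdin and prints:
#   disabled - the -l option is described as "not supported"
#   enabled  - the -l option is listed without that remark
#   unknown  - no -l line found; use the "-l" run or the menu check instead
logging_state() {
    awk '
        $1 == "-l" || $1 == "-/+l" {
            seen = 1
            if ($0 ~ /not supported/) off = 1
        }
        END {
            if (!seen)    print "unknown"
            else if (off) print "disabled"
            else          print "enabled"
        }'
}

# audit_xterm PATH HELP_TEXT -> prints a one-word verdict
audit_xterm() {
    if ! has_priv_bits "$1"; then
        echo "not-exploitable"               # no setuid/setgid bit set
        return
    fi
    case $(printf '%s\n' "$2" | logging_state) in
        disabled) echo "not-exploitable" ;;  # privileged, but logging is off
        enabled)  echo "exposed" ;;          # both preconditions hold
        *)        echo "check-manually" ;;
    esac
}

# Usage: sh audit-xterm.sh /path/to/xterm
if [ $# -ge 1 ]; then
    audit_xterm "$1" "$("$1" -help 2>&1)"
fi
```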

II. Impact

This vulnerability allows anyone with access to a user account to gain root access.

III. Solutions

All of the following solutions require that a new version of xterm be installed. When installing the new xterm, it is important either to remove the old version of xterm or to clear the setuid and setgid bits from the old xterm.

CERT suggests one of the following solutions.

  1. Install the vendor-supplied patch, if available. CERT is hopeful that patches will be forthcoming. We will be maintaining a status file, xterm-patch-status, and we will add patch availability information to this file as it becomes known. The file is available from:

    http://www.cert.org/advisories/CA-1993-17/patch-status.txt

    For more up-to-date information, contact the vendor.

  2. If your site is using the X Consortium's X11R5, install the public patch #26. This patch is available via anonymous FTP from ftp.x.org as the file /pub/R5/fixes/fix-26. Install all patch files up to and including fix-26.

    By default, the patch disables logging. If you choose to enable logging, a variation of the vulnerability still exists.

    Checksum information:

         BSD Unix Sum:  19609 47
         System V Sum:  51212 94
         MD5 Checksum:  e270560b6e497a0a71881d4ff4db8c05

  3. If your site is using an earlier version of the X Consortium's X11, upgrade to X11R5. Install all patches up to and including fix-26.

  4. If you are unable to upgrade to the X Consortium's X11R5, modify the xterm source code to remove the logging feature. Familiarity with X11 and its installation and configuration is recommended before implementing these modifications.


The CERT Coordination Center wishes to thank Stephen Gildea of the X Consortium for his assistance in responding to this problem.
This document is available from: http://www.cert.org/advisories/CA-1993-17.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1993 Carnegie Mellon University.


Revision History
September 19, 1997  Attached Copyright Statement