xterm Logging Vulnerability

Original issue date: November 11, 1993
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center is working on eliminating a vulnerability in xterm. This vulnerability potentially affects all systems running xterm with the setuid or setgid bit set. This vulnerability has been found in X Version 11, Release 5 (X11R5) and earlier versions of X11.

CERT is working with the vendor community to address this vulnerability.


I. Description

A vulnerability in the logging function of xterm exists in many versions of xterm that operate as a setuid or setgid process. The vulnerability allows local users to create files or modify any existing files.

If the setuid or setgid privilege bit is not set on the xterm program, the vulnerability cannot be exploited.

It is possible that the xterm on your system does not allow logging. In this case, the vulnerability cannot be exploited. To determine if logging is enabled, run xterm with the "-l" option. If an "XtermLog.axxxx" file is created in the current directory, xterm supports logging. You can also check the output of "xterm -help" to see whether the "-l" option is described as "not supported".

Another way to determine if logging is available is to look for the "Log to File" item in the Main Options menu (press Control mouse button 1). If the X Consortium's public patch has been installed as distributed, the option "Log to File" should not appear in the menu.

II. Impact

This vulnerability allows anyone with access to a user account to gain root access.

III. Solutions

All of the following solutions require that a new version of xterm be installed. When installing the new xterm, it is important either to remove the old version of xterm or to clear the setuid and setgid bits from the old xterm.

CERT suggests one of the following solutions.

  1. Install vendor supplied patch if available. CERT is hopeful that patches will be forthcoming. We will be maintaining a status file, xterm-patch-status, and we will add patch availability information to this file as it becomes known. The file is available from:

    http://www.cert.org/advisories/CA-1993-17/patch-status.txt

    For more up-to-date information, contact the vendor.

  2. If your site is using the X Consortium's X11R5, install the public patch #26. This patch is available via anonymous FTP from ftp.x.org as the file /pub/R5/fixes/fix-26. Install all patch files up to and including fix-26.

    By default, the patch disables logging. If you choose to enable logging, a variation of the vulnerability still exists.

    Checksum information:

         BSD Unix Sum:  19609 47
         System V Sum:  51212 94
         MD5 Checksum:  e270560b6e497a0a71881d4ff4db8c05
    
  3. If your site is using an earlier version of the X Consortium's X11, upgrade to X11R5. Install all patches up to and including fix-26.

  4. If you are unable to upgrade to the X Consortium's X11R5, modify the xterm source code to remove the logging feature. Familiarity with X11 and its installation and configuration is recommended before implementing these modifications.


The CERT Coordination Center wishes to thank Stephen Gildea of the X Consortium for his assistance in responding to this problem.

Copyright 1993 Carnegie Mellon University.


Revision History
September 19,1997  Attached Copyright Statement