NASIRC BULLETIN #93-08
November 30, 1993

xterm Logfile Vulnerability
===========================================================================

          NASA Automated Systems Incident Response Capability

===========================================================================

NASIRC has learned of a vulnerability in the logging features of xterm. Local users may use the xterm logfile facility to create or modify files on the system, enabling unauthorized access including root access. This vulnerability has been shown to exist in X11 (Version 5 and earlier) in both vendor supplied binaries and those compiled from the public X11 sources.

The vulnerability exists on systems with xterm installed with setuid or setgid privileges. For example, the "s" permission bit in the following directory listing indicates the xterm binary is installed with the setuid bit set:

    % ls -l /opt/X11R5/bin/xterm
    -rwsr-xr-x  1 root  staff  183152 Nov 10 13:10 /opt/X11R5/bin/xterm*

Additionally, the vulnerability only exists in xterm binaries that permit logging. To determine if this feature is enabled, run xterm with the "-l" option:

    % xterm -l

If a file of the form "XtermLog.axxxx" is created, logging is enabled. Another method to determine logging status is to check for the "Log to File" item in the Main Options menu. If the X Consortium's public patch is installed, the option "Log to File" should not appear in the menu.

NASIRC has learned that other incident response organizations recommended the implementation of the solutions contained below. However, NASIRC has learned that these recommended solutions may cause additional problems not previously identified.
Therefore, NASIRC is releasing this bulletin to serve as notification of a problem with the xterm logging function. As of this posting NASIRC does not have a total solution to this problem. If, upon implementation and further research, you identify a solution that does not create further vulnerabilities, please notify NASIRC so we may distribute this corrective information to others.

RECOMMENDED SOLUTIONS:

To effectively implement these solutions, old versions of xterm must either be removed from the system or have the setuid and setgid bits cleared.

Vendor Patch
    For those systems running a version of xterm other than X11, contact your vendor. For up-to-date patch information, please contact your vendor or NASIRC.

X11R5 Public Patch #26
    Systems using the public X11 distribution and systems lacking vendor patches may upgrade to the X Consortium's X11R5 Patch Level 26. The X11 sources and patches are available via anonymous FTP from nasirc.hq.nasa.gov. All patches, up to and including fix-26, should be installed. By default, fix-26 disables the logfile facility in xterm. Similar functionality may be obtained through the use of utilities such as the UNIX script(1) command.

    If you are unable to upgrade to the X Consortium X11R5, modify the xterm source code to remove the logging feature.

Security checklists, toolkits and guidance are available from the NASIRC online archives. Contact the NASIRC Helpdesk for more information and assistance with toolkits or security measures.

NASIRC ACKNOWLEDGES: CERT, CIAC and Stephen Gildea of the X Consortium for their contribution to this bulletin.
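The two conditions the bulletin tells administrators to check, the set-id bit in the ls -l mode field and whether the logging feature is still present, as a POSIX shell script. This is an added example, not part of the bulletin or of the X11 distribution; the "XtermLog" string test is this example's own assumption (the bulletin only gives the log file name pattern), and the paths on the usage line are illustrative.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: report the two conditions
# the bulletin says must both hold for an xterm to be affected. Usage:
#   sh check_xterm.sh /opt/X11R5/bin/xterm /usr/bin/X11/xterm

# perm_setid MODE
# MODE is the 10-character mode field of an `ls -l` line, e.g. "-rwsr-xr-x".
# Prints "setuid", "setgid", "setuid+setgid" or "none": an 's' (or 'S', set-id
# without execute) in the owner-execute or group-execute position marks the bit.
perm_setid() {
    result=""
    case $1 in ???[sS]*) result="setuid" ;; esac
    case $1 in ??????[sS]*) result="${result:+$result+}setgid" ;; esac
    printf '%s\n' "${result:-none}"
}

# logging_compiled PATH
# Assumption of this example (not stated by the bulletin): a binary that still
# carries the logfile code contains the "XtermLog" filename stem the bulletin
# mentions, and fix-26, which disables the facility, removes it.
# Returns 0 if the string is found.
logging_compiled() {
    grep -q 'XtermLog' "$1" 2>/dev/null
}

# check_xterm PATH
# Prints one status line; returns 0 only when the binary is set-id AND still
# has logging, i.e. the combination the bulletin describes as vulnerable.
check_xterm() {
    bin=$1
    [ -f "$bin" ] || { printf '%s: not found\n' "$bin"; return 2; }
    mode=$(ls -ld "$bin" | cut -c1-10)
    ids=$(perm_setid "$mode")
    if logging_compiled "$bin"; then log=logging; else log=no-logging; fi
    printf '%s %s %s %s\n' "$bin" "$mode" "$ids" "$log"
    [ "$ids" != none ] && [ "$log" = logging ]
}

# Check each path given on the command line; nothing runs when no args are given.
for bin in "$@"; do
    check_xterm "$bin"
done
```

A binary that is set-id but reports no-logging, or that has logging but no set-id bit, is not affected by the bulletin's issue; only the combination matters.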
==================================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone:                    1-800-7-NASIRC
    Fax:                      1-301-306-1010
    Internet Email:           nasirc@nasa.gov
    24 Hour/Emergency Pager:  1-800-759-7243/Pin:5460866
==================================================================

This bulletin may be forwarded without restrictions to sites and system administrators within the NASA community.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC bulletins. If you are not part of the NASA community, please contact your agency's response team to report incidents. Your agency's team will coordinate with NASIRC, who will ensure the proper internal NASA team(s) are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams (FIRST), a world-wide organization which provides for coordination between incident response teams in handling computer-security-related issues. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Addendum to NASIRC Bulletin 93-08

The following is vendor-supplied information. NASIRC will not formally review, evaluate, or endorse this information. For more up-to-date information, contact your vendor.

It is important to note that the vendor of your xterm may not be the same as the vendor of your platform. You should take care to correctly identify the vendor whose xterm you are using, so you can take the appropriate action.

Convex
    Fixed in CXwindows V3.1. Fixed in CXwindows V3.0 with TAC patch V3.0.131 applied. The Convex Technical Assistance Center is available for additional information at 800-952-0379.

Cray
    Fixed. Contact Cray for version/patch numbers.
DEC/OSF
    Attached is the information on the remedial images to address the xterm issue for ULTRIX V4.3 (VAX & RISC) and OSF/1 V1.2. The solutions have been included in ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3. Customers may call their normal Digital Multivendor Customer Services Support Channel to obtain this kit.

    ----------------------------------------------------------
    [ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary

    COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation. ALL RIGHTS RESERVED.

    COMPONENT:                    xterm
    OP/SYS:                       ULTRIX VAX and RISC, OSF/1
    SOURCE:                       Digital Customer Support Center

    ECO INFORMATION:
    CSCPAT Kit:                   CSCPAT_4034 V1.1
    CSCPAT Kit Size:              2152 blocks
    Engineering Cross Reference:  SSRT93-E-0230, SSRT93-E-0231, SSRT93-E-232
    Kit Applies To:               ULTRIX V4.3, OSF/1 V1.2
    System Reboot Required:       NO
    ----------------------------------------------------------

SCO
    The current releases listed below are not vulnerable to this problem. No xterm logging or scoterm logging is provided:
        SCO Open Desktop Lite, Release 3.0
        SCO Open Desktop, Release 3.0
        SCO Open Server Network System, Release 3.0
        SCO Open Server Enterprise System, Release 3.0
    Contact SCO for any further information.

Sequent
    Fixed. Contact Sequent for version/patch numbers.

Sun
    Sun's version of xterm has not been setuid root since at least as far back as SunOS 4.1.1, and probably further. An xterm that does not run setuid or setgid is not vulnerable to the xterm logging problem.

    CAUTION: A Sun patch was issued on December 6, 1992 to give system administrators the option of running xterm setuid root. Installing this patch will introduce the xterm logging vulnerability. So check your xterm. If either the setuid or setgid privilege bit is set on the xterm program, the vulnerability can be exploited. Contact Sun for further information.

X.org (Publicly distributed version of X.)
    You can patch X11R5 by applying all patches up to and including fix-26.
See the associated NASIRC Bulletin #93-07 for further information.