e-04.ciac-xterm-logfile-vuln
Posted Sep 23, 1999

SHA-256 | 3dd703cfe125ae04090973c0d9f686a4856b56b50c83c24f0d00bbd508053ac6
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

xterm Logfile Vulnerability

November 11, 1993 2130 PST Number E-04
______________________________________________________________________________
PROBLEM:  The logfile facility of the xterm program contains a security
          vulnerability.
PLATFORM: UNIX systems with X11 software and xterm installed with setuid or
          setgid privileges.
DAMAGE:   Local users may gain root access to the system.
SOLUTION: Install a patched version of xterm.
______________________________________________________________________________

Critical Information about the xterm Logfile Vulnerability


CIAC has learned of a vulnerability in many versions of the X11 program xterm.
Local users may use the xterm logfile facility to create or modify files on
the system, enabling unauthorized access including root access. This
vulnerability has been shown to exist in X11 (Version 5 and earlier) in both
vendor supplied binaries and those compiled from the public X11 sources.

The vulnerability exists only on systems with xterm installed with setuid or
setgid privileges. For example, the "s" in the owner permission triplet of the
following directory listing indicates the xterm binary is installed with the
setuid bit set (an "s" in the group triplet, as in -rwxr-sr-x, indicates the
setgid bit instead; either one is sufficient for the vulnerability):

% ls -l /opt/X11R5/bin/xterm
-rwsr-xr-x 1 root staff 183152 Nov 10 13:10 /opt/X11R5/bin/xterm*

Additionally, the vulnerability only exists in xterm binaries that permit
logging. To determine if this feature is enabled, execute the following
command from a directory you can write to:

% xterm -l

If a file of the form "XtermLog.axxxx" is created in that directory, logging
is enabled.
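The permission check above, done programmatically. This is an added example,
not code from the bulletin or from xterm: privileged_bits() reports the same
setuid/setgid condition that the "s" in the ls -l listing shows, and
scan_xterm_paths() applies it to a handful of install locations that are an
assumption (the bulletin's /opt/X11R5/bin plus common X11 layouts), not an
exhaustive list. It does not probe the -l logging feature, which needs a
running X display.

```c
/* Added example: check whether an xterm binary is installed setuid or setgid,
 * the precondition for the logfile vulnerability described in CIAC E-04. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PRIV_NONE    0
#define PRIV_SETUID  1
#define PRIV_SETGID  2
#define PRIV_MISSING (-1)

/* Return a bitmask of PRIV_SETUID / PRIV_SETGID for path, PRIV_NONE if neither
 * bit is set, or PRIV_MISSING if the path cannot be stat'ed at all. */
int privileged_bits(const char *path)
{
    struct stat st;
    int bits = PRIV_NONE;

    if (stat(path, &st) != 0)
        return PRIV_MISSING;
    if (st.st_mode & S_ISUID)
        bits |= PRIV_SETUID;
    if (st.st_mode & S_ISGID)
        bits |= PRIV_SETGID;
    return bits;
}

/* Short label for a privileged_bits() result. */
const char *privileged_label(int bits)
{
    switch (bits) {
    case PRIV_SETUID:               return "setuid";
    case PRIV_SETGID:               return "setgid";
    case PRIV_SETUID | PRIV_SETGID: return "setuid,setgid";
    case PRIV_NONE:                 return "none";
    default:                        return "missing";
    }
}

/* Candidate install locations. Assumption: the bulletin's example path plus
 * the usual X11R5/X11R6 layouts; extend for your site. */
static const char *const xterm_paths[] = {
    "/opt/X11R5/bin/xterm",
    "/usr/bin/X11/xterm",
    "/usr/X11R6/bin/xterm",
    "/usr/bin/xterm",
};

/* Print one line per xterm that exists; return how many of them carry the
 * setuid or setgid bit (each of those needs the patched version installed
 * and the old binary removed or chmod u-s,g-s'ed). */
int scan_xterm_paths(void)
{
    int found_privileged = 0;
    size_t i;

    for (i = 0; i < sizeof xterm_paths / sizeof xterm_paths[0]; i++) {
        int bits = privileged_bits(xterm_paths[i]);
        if (bits == PRIV_MISSING)
            continue;
        printf("%s: %s\n", xterm_paths[i], privileged_label(bits));
        if (bits != PRIV_NONE)
            found_privileged++;
    }
    return found_privileged;
}

int main(void)
{
    int n = scan_xterm_paths();
    printf("%d privileged xterm binar%s found\n", n, n == 1 ? "y" : "ies");
    return n ? 1 : 0;
}
```

The exit status is nonzero when any privileged xterm is found, so the scan can
be dropped into a periodic audit job; a site that removed xterm's setuid bit
as its interim fix can use the same check to verify the bit has not come back
with a later package install.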

CIAC recommends that affected sites implement one of the solutions described
below. All solutions require that a new version of xterm be installed. It is
important that old versions either be removed from the system or have the
setuid and setgid bits cleared.


Vendor Patch:
    Vendor patches, if available, should be installed. The CERT
    Coordination Center is coordinating the vendor response to this
    issue and will maintain a list of currently available vendor
    patches for xterm. The information will be available via
    anonymous FTP from info.cert.org (IP 192.88.209.5) in the file
    /pub/cert_advisories/xterm-patch-status. A current version of
    this file is appended at the end of this bulletin.

    For up-to-date patch information, please contact your vendor
    or CIAC.

X11R5 Public Patch #26:
    Systems using the public X11 distribution and systems lacking
    vendor patches may upgrade to the X Consortium's X11R5 Patch
    Level 26. The X11 sources and patches are available via
    anonymous FTP from ftp.x.org (IP 198.112.44.100). All patches,
    up to and including fix-26, should be installed.

    By default, fix-26 disables the logfile facility in xterm.
    Similar functionality may be obtained through the use of
    utilities such as the UNIX script(1) command.
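The flaw class behind this bulletin, shown as an added example that is not
xterm's code and does not reproduce whatever the patched xterm does: a setuid
program that opens a user-chosen log path while its effective uid is still
root creates or appends to that path with root's authority, which is exactly
the "create or modify files on the system" the bulletin describes. The
hardened form does the open as the invoking user, refuses to follow symbolic
links, and restores the saved privileges afterwards. The function names and
the temporary-file layout are this example's own.

```c
/* Added example: opening a user-named log file from a setuid program, the
 * unsafe way beside a hardened way. Not xterm's implementation. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Unsafe: the kernel checks this open against the *effective* uid. In a
 * setuid-root binary that is 0, so any path the user names is writable. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened: temporarily become the real user, open without following
 * symlinks, then put the privileges back. Returns an fd or -1. */
int open_log_safe(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, saved_errno;

    /* Drop group first, then user: once euid is unprivileged the egid can
     * no longer be changed. Never continue elevated if a drop fails. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    /* O_NOFOLLOW makes a symlink at the final component fail with ELOOP,
     * so a user-planted link cannot redirect the write elsewhere. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    saved_errno = errno;

    /* Restore in the reverse order, regardless of how the open went. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        _exit(1); /* unknown privilege state: do not carry on */
    }

    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }

    /* The object we ended up with must be a plain file, not a device or
     * anything else the user could have placed at that name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Usage: ./a.out XtermLog.test  (writes one constructed line) */
    int fd;
    if (argc != 2)
        return 2;
    fd = open_log_safe(argv[1]);
    if (fd < 0) {
        perror("open_log_safe");
        return 1;
    }
    write(fd, "constructed log line\n", 21);
    return close(fd) == 0 ? 0 : 1;
}
```

Run as an ordinary user the two functions behave the same, which is why a
non-setuid xterm is not affected (the Sun entry in the vendor status below
makes the same point). The difference only appears under setuid, and the
bulletin's fix-26 chose the simplest hardening of all: remove the feature.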

______________________________________________________________________________
CIAC wishes to thank the CERT Coordination Center and Stephen Gildea of the
X Consortium for their contributions to this bulletin.
______________________________________________________________________________
For additional information or assistance, please contact CIAC at
(510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

CERT Coordination Center
xterm Vendor Status
November 11, 1993


This file is a supplement to the CERT Advisory CA-93:17 of November 11, 1993,
and will be updated as additional information becomes available.

The following is vendor-supplied information. The CERT Coordination Center
will not formally review, evaluate, or endorse this information. For more
up-to-date information, contact your vendor.

It is important to note that the vendor of your xterm may not be the same
as the vendor of your platform. You should take care to correctly identify
the vendor whose xterm you are using, so you can take the appropriate action.



Convex:
    Fixed in CXwindows V3.1. Fixed in CXwindows V3.0 with TAC patch
    V3.0.131 applied. The Convex Technical Assistance Center is
    available for additional information at 800-952-0379.

Cray:
    Fixed. Contact Cray for version/patch numbers.

DEC/OSF:
    Attached is the information on the remedial images to address the
    xterm issue for ULTRIX V4.3 (VAX & RISC) and OSF/1 V1.2. The
    solutions have been included in ULTRIX V4.4 (VAX & RISC) and
    OSF/1 V1.3.

    Customers may call their normal Digital Multivendor Customer
    Services Support Channel to obtain this kit.

    ----------------------------------------------------------
    [ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary

    COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation.
    ALL RIGHTS RESERVED.

    COMPONENT: xterm

    OP/SYS: ULTRIX VAX and RISC, OSF/1

    SOURCE: Digital Customer Support Center

    ECO INFORMATION:

    CSCPAT Kit: CSCPAT_4034 V1.1
    CSCPAT Kit Size: 2152 blocks
    Engineering Cross Reference: SSRT93-E-0230, SSRT93-E-0231,
    SSRT93-E-232
    Kit Applies To: ULTRIX V4.3, OSF/1 V1.2
    System Reboot Required: NO
    ----------------------------------------------------------

SCO:
    The current releases listed below are not vulnerable to this
    problem. No xterm logging or scoterm logging is provided:

        SCO Open Desktop Lite, Release 3.0
        SCO Open Desktop, Release 3.0
        SCO Open Server Network System, Release 3.0
        SCO Open Server Enterprise System, Release 3.0

    Contact SCO for any further information.

Sequent:
    Fixed. Contact Sequent for version/patch numbers.

Sun:
    Sun's version of xterm has not been setuid root since at least as
    far back as SunOS 4.1.1, and probably further. An xterm that does
    not run setuid or setgid is not vulnerable to the xterm logging
    problem.

    CAUTION: A Sun patch was issued on December 6, 1992 to give system
    administrators the option of running xterm setuid root. Installing
    this patch will introduce the xterm logging vulnerability. So check
    your xterm. If either the setuid or setgid privilege bit is set on
    the xterm program, the vulnerability can be exploited. Contact Sun
    for further information.

X.org (publicly distributed version of X):
    You can patch X11R5 by applying all patches up to and including
    fix-26. See the associated CERT Advisory (CA-93:17) for further
    information.

______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
