From: Pete Hammes (11/17/93)
To: assist-bulletin@assist.ims.disa, Mail*Link SMTP
Subject: ASSIST bulletin 93-30

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate: MIICozCCAgwCAQ8wDQYJKoZIhvcNAQECBQAwgYYxC
 zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzA5MDExN
 DU3NDFaFw05MzEyMTAxNDU3NDFaMIGxMQswCQYDVQQGEwJVUzErMCkGA1UEChMiR
 GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud
 GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db
 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxFDASBgNVBAMTC1Bld
 GUgSGFtbWVzMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDCgMkKVE04zogQU+Y/u
 9XDNBempvY7gQDGwnFQp8Htv1pdn/GpVQmMshXVARhspGNsBy2+oOJoxgIIZeDtF
 /MhUeyZDAoVIvi+2uagxto5eb+T/jteVqplHen6BiwPnchvKuGCyPuT0+Q7bBsJG
 prQwqTSJoZvozE7CNk1XV0J7wIBAzANBgkqhkiG9w0BAQIFAAOBgQCZ0AezFPQMJ
 NssuHMKiuq63lu9vWs5jvJ1a201z+oeUX7FkFwIRSy/RDKaLILn+v501BeoWacae
 GA3LS/13Y6zdP91J3RDDkj4fy9dlDOf0C1h9g6T3QVX1xZvAdJ/V6Ck9DYGvAWvf
 sOT8lzEQ8OfaGFgge4olbhYpCTMgId5cA==
Issuer-Certificate: MIICNTCCAZ4CAQwwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDYwODE1MDQyMFoXDTkzMDkxNjE1MDQyMFowg
 YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c
 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c
 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC
 AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD
 S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd
 Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX
 P8CAQMwDQYJKoZIhvcNAQECBQADgYEAyVsZykgjUfAv4FnMwuz4b+s16PHAHUwMg
 2lxLTMwm1TmyLSXL0g1iVRVSelXYYzBPjUx2rlG3ofYu7+xsWxs2HdBArV1dg7uF
 vkAZnAkVNU86aMcE0tq3vflzwDq8/a9mAFRpE8HJU4//+qTFgojAMOJGo83jtMuZ
 E7kwd2rjRk=
Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR
 DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ
 m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL
 xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK
 nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK
 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA
 AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW
 h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9
 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ==
MIC-Info: RSA-MD5,RSA,DdpupjlFi8mVP2A3zW64OG/Hqvz1NlF/s5pLyxbhMvJ
 JLOQTWHqLW9nwIBpfIPURZHOBDPSJktsmULBrRIDKpHY0Ob/tTRdsiod7+ZEsD55
 eluuHZW3NmojvU0Bhp7pKBQthRW9Vg9MCy7bQ4abdFWB76BAxHQHDP0JEBSxweIY
 =

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        Automated Systems Security Incident Support Team
        [ASSIST logo: "Integritas et Celeritas"]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 93-30
Release date: 17 November 1993, 1:00 PM EST

Subject: xterm Logging Vulnerability

BACKGROUND:

A vulnerability in the logging function of xterm exists in many versions of xterm that operate as a setuid or setgid process. Because the log file is opened with the elevated privileges of the setuid or setgid process rather than those of the invoking user, the vulnerability allows local users to create files or modify any existing files. If neither the setuid nor the setgid privilege bit is set on the xterm program, the vulnerability cannot be exploited.

For example, the "s" in the owner-execute position of the following directory listing indicates the xterm binary is installed with the setuid bit set:

    % ls -l /opt/X11R5/bin/xterm
    -rwsr-xr-x  1 root  staff  183152 Nov 10 13:10 /opt/X11R5/bin/xterm*

It is possible that the xterm on your system does not allow logging, which would also prevent the vulnerability from being exploited.
To determine if logging is available, run xterm with the "-l" option. If an "XtermLog.axxxx" file is created in the current directory, xterm supports logging. You can also check the output of "xterm -help" to see whether the "-l" option is described as "not supported".

Another way to determine if logging is available is to look for the "Log to File" item in the Main Options menu (press Control and mouse button 1). If the X Consortium's public patch has been installed as distributed, the "Log to File" item should not appear in the menu.

IMPACT:

This vulnerability allows anyone with access to a user account to gain root access. The privileges gained are those of the owner (setuid) or group (setgid) of the xterm binary; for the usual setuid-root installation this is root.

RECOMMENDED SOLUTIONS:

All of the following solutions require that a new version of xterm be installed. When installing the new xterm, it is important either to remove the old version of xterm or to clear the setuid and setgid bits from the old xterm, so that the vulnerable copy cannot still be executed with privilege.

Solution A: Install the vendor-supplied patch if available.

To find out if a patch is available for your system, contact your vendor or download the xterm-patch-status file via anonymous FTP from info.cert.org (192.88.209.5). The file can be found in the pub/cert_advisories directory; the version current at the time of this bulletin is reproduced in the XTERM-PATCH-STATUS section below.

Solution B: If your site is using the X Consortium's X11R5, install public patch #26.

This patch is available via anonymous FTP from ftp.x.org (IP 192.88.209.5) as the file /pub/R5/fixes/fix-26. Install all patch files up to and including fix-26. By default, the patch disables logging. If you choose to enable logging, a variation of the vulnerability still exists. Verify the downloaded file against the following checksums before applying it:

    BSD Unix sum:   19609 47
    System V sum:   51212 94
    MD5 checksum:   e270560b6e497a0a71881d4ff4db8c05

Solution C: If your site is using an earlier version of the X Consortium's X11, upgrade to X11R5 and install all patches up to and including fix-26.
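The checks in BACKGROUND (setuid/setgid bit, "xterm -help" describing "-l" as not supported), the instruction above to clear the privilege bits from an old xterm, and the MD5 verification of fix-26 can be scripted. The following is an added example written for this page; it is not part of the ASSIST bulletin, the CERT advisory, or the X Consortium distribution. It assumes the xterm path is supplied on the command line, that the help text of a patched xterm literally contains "not supported" on the line mentioning "-l" (the bulletin describes this wording but not the exact layout), and that an md5sum, md5 or openssl command is available for the checksum comparison. The BSD and System V sum values are not checked.

```shell
#!/bin/sh
# Added example (not from the ASSIST bulletin): audit an xterm binary for the
# two conditions the bulletin says must both hold for the logging bug to be
# exploitable, clear the privilege bits on an old copy, and verify fix-26's MD5.
# Assumptions: path given by caller; patched "xterm -help" prints "not supported"
# on the -l line; md5sum, md5 or openssl is installed.

# mode_is_setid MODESTRING
#   MODESTRING is the 10-character permission field printed by "ls -l",
#   e.g. -rwsr-xr-x. Returns 0 when the setuid bit (4th character s/S) or the
#   setgid bit (7th character s/S) is set.
mode_is_setid() {
    case "$1" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# file_is_setid FILE -> 0 if FILE carries the setuid or setgid bit
file_is_setid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] && mode_is_setid "$mode"
}

# help_disables_logging HELPTEXT
#   Returns 0 if a line mentioning -l also says "not supported", the wording the
#   bulletin attributes to the X Consortium fix-26 xterm (exact layout assumed).
help_disables_logging() {
    printf '%s\n' "$1" | grep -- '-l' | grep -qi 'not supported'
}

# xterm_logging_disabled BIN -> 0 if "BIN -help" reports -l as not supported.
# Deliberately does not run "BIN -l": on an unpatched setuid xterm that would
# create a privileged XtermLog file in the current directory.
xterm_logging_disabled() {
    help_disables_logging "$("$1" -help 2>&1)"
}

# audit_xterm BIN -> prints a verdict; returns 0 only for the exploitable case
# (privilege bit set AND logging still available).
audit_xterm() {
    bin=$1
    if ! file_is_setid "$bin"; then
        echo "$bin: not setuid/setgid: not exploitable"
        return 1
    fi
    if xterm_logging_disabled "$bin"; then
        echo "$bin: setuid/setgid but logging disabled: not exploitable"
        return 1
    fi
    echo "$bin: setuid/setgid AND logging available: VULNERABLE"
    return 0
}

# disarm_xterm BIN -> clear both privilege bits (the bulletin's alternative to
# deleting the old xterm when a fixed one is installed); 0 on success.
disarm_xterm() {
    chmod ug-s "$1" && ! file_is_setid "$1"
}

# check_md5 FILE EXPECTED -> 0 if FILE's MD5 equals EXPECTED (lowercase hex).
# For the X Consortium patch: check_md5 fix-26 e270560b6e497a0a71881d4ff4db8c05
check_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        sum=$(md5sum "$1" | cut -d' ' -f1)
    elif command -v md5 >/dev/null 2>&1; then
        sum=$(md5 -q "$1")
    else
        sum=$(openssl dgst -md5 "$1" | awk '{print $NF}')
    fi
    [ "$sum" = "$2" ]
}

# Usage: sh xterm-audit.sh /opt/X11R5/bin/xterm
if [ -n "${1:-}" ]; then
    audit_xterm "$1"
    exit $?
fi
```

Run it against every xterm on the system, not just the one on your PATH: the patch-status section below warns that the vendor of the xterm you actually execute may differ from the platform vendor, and a second, older copy left installed with its setuid bit intact is exactly the case the "remove or clear the bits" instruction is meant to prevent.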
Solution D: If you are unable to upgrade to the X Consortium's X11R5, modify the xterm source code to remove the logging feature. Familiarity with X11 and its installation and configuration is recommended before implementing these modifications.

XTERM-PATCH-STATUS file:

Following is information from the xterm-patch-status file referenced in Solution A of this bulletin. It is important to note that the vendor of your xterm may not be the same as the vendor of your platform. You should take care to correctly identify the vendor whose xterm you are using, so you can take the appropriate action.

Convex
  Fixed in CXwindows V3.1. Fixed in CXwindows V3.0 with TAC patch V3.0.131 applied. The Convex Technical Assistance Center is available for additional information at 800-952-0379.

Cray
  Fixed. Contact Cray for version/patch numbers.

DEC/OSF
  Attached is the information on the remedial images to address the xterm issue for ULTRIX V4.3 (VAX & RISC) and OSF/1 V1.2. The solutions have been included in ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3. Customers may call their normal Digital Multivendor Customer Services Support Channel to obtain this kit.

  ----------------------------------------------------------
  [ULTRIX, OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary
  COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation. ALL RIGHTS RESERVED.

  COMPONENT:  xterm
  OP/SYS:     ULTRIX VAX and RISC, OSF/1
  SOURCE:     Digital Customer Support Center

  ECO INFORMATION:
  CSCPAT Kit:                   CSCPAT_4034 V1.1
  CSCPAT Kit Size:              2152 blocks
  Engineering Cross Reference:  SSRT93-E-0230, SSRT93-E-0231, SSRT93-E-232
  Kit Applies To:               ULTRIX V4.3, OSF/1 V1.2
  System Reboot Required:       NO
  ----------------------------------------------------------

SCO
  The current releases listed below are not vulnerable to this problem. No xterm logging or scoterm logging is provided:
    SCO Open Desktop Lite, Release 3.0
    SCO Open Desktop, Release 3.0
    SCO Open Server Network System, Release 3.0
    SCO Open Server Enterprise System, Release 3.0
  Contact SCO for any further information.

Sequent
  Fixed. Contact Sequent for version/patch numbers.

Sun
  Sun's version of xterm has not been setuid root since at least as far back as SunOS 4.1.1, and probably further. An xterm that does not run setuid or setgid is not vulnerable to the xterm logging problem.

  CAUTION: A Sun patch was issued on December 6, 1992 to give system administrators the option of running xterm setuid root. Installing this patch will introduce the xterm logging vulnerability, so check your xterm: if either the setuid or setgid privilege bit is set on the xterm program, the vulnerability can be exploited. Contact Sun for further information.

X.org (publicly distributed version of X)
  You can patch X11R5 by applying all patches up to and including fix-26. See the associated CERT Advisory (CA-93:17) for further information.

ASSIST would like to thank the CERT Coordination Center and the X Consortium for information about this problem contained in this bulletin.

ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST BBS (see below) and through anonymous FTP from assist.ims.disa.mil.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289; duty hours are 06:30 to 17:00 Monday through Friday.
During off-duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243), PIN 2133937. Your page will be answered within 30 minutes; if a quicker response is required, prefix your phone number with "999".

ELECTRONIC MAIL: assist@assist.ims.disa.mil

ASSIST BBS: 703-756-7993/4, DSN 289; leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public-key cryptography tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" line and the ASSIST banner contains machine-readable digital signature information generated by PEM (the signer's certificate, the issuing certificates, and the message integrity check), not corrupted data. Because this bulletin is sent as "MIC-CLEAR", the text is readable without PEM software; PEM software is needed only to verify the signature. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100).

Note: The TIS software is just one of several implementations of PEM currently available, and additional versions are likely to be offered from other sources in the near future.
-----END PRIVACY-ENHANCED MESSAGE-----

------------------ RFC822 Header Follows ------------------
Received: by internetqm.llnl.gov with SMTP; 17 Nov 1993 10:11:27 -0800
Return-path: pch@assist.ims.disa.MIL
Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #3384) id <01H5F2M5LM80BSJ3FR@icdc.llnl.gov>; Wed, 17 Nov 1993 10:10:55 PST
Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #3384) id <01H5F2LHEN3KBSJ2UE@icdc.llnl.gov>; Wed, 17 Nov 1993 10:10:27 PST
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA24036; Wed, 17 Nov 93 10:11:16 PST
Received: from cheetah.llnl.gov by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA24027; Wed, 17 Nov 93 10:11:06 PST
Received: from pierce.llnl.gov (pierce.llnl.gov [128.115.18.253]) by cheetah.llnl.gov (8.6.4/8.6.4) with SMTP id KAA09028 for ; Wed, 17 Nov 1993 10:09:47 -0800
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA24023; Wed, 17 Nov 93 10:10:51 PST
Received: from assist.ims.disa.mil by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA23817; Wed, 17 Nov 93 10:07:40 PST
Received: from shilo.ims.disa.mil by assist.ims.disa.mil (4.1/2.4) id AA00824; Wed, 17 Nov 93 13:03:36 EST
Received: by shilo.ims.disa.mil (4.1/2.4) id AA01521; Wed, 17 Nov 93 13:03:12 EST
Date: 17 Nov 1993 13:02:54 -0500
From: Pete Hammes
Subject: ASSIST bulletin 93-30
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: assist-bulletin@assist.ims.disa.MIL
Resent-message-id: <01H5F2M5OKBMBSJ3FR@icdc.llnl.gov>
Message-id: <9311171803.AA01521@shilo.ims.disa.mil>
X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov
X-VMS-To: IN%"assist-bulletin@assist.ims.disa.MIL"
Content-transfer-encoding: 7BIT