[ SOURCE: http://www.secureroot.com/security/advisories/9641782303.html ]



             The Open Group X Project Team Security Advisory



        Title:   xterm and Xaw library vulnerability

        Date:    April 27, 1998

______________________________________________________________________________



The Open Group X Project Team provides this information freely to the X11 

user community for its consideration, interpretation, implementation and use.

The Open Group X Project Team recommends that this information be acted upon 

as soon as possible.



The Open Group X Project Team provides the information in this Security 

Advisory on an "AS-IS" basis only, and disclaims all warranties with respect 

thereto, express, implied or otherwise, including, without limitation, any 

warranty of merchantability or fitness for a particular purpose.  In no event 

shall The Open Group be liable for any loss of profits, loss of business, loss

of data or for any indirect, special, exemplary, incidental or consequential

damages of any kind arising from your use of, failure to use or improper

use of any of the instructions or information in this Security Advisory.

______________________________________________________________________________





I. Description



Vulnerabilities exist in the terminal emulator xterm(1), and the Xaw

library distributed in various MIT X Consortium; X Consortium, Inc.;

and The Open Group X Project Team releases. These vulnerabilities may

be exploited by an intruder to gain root access. 



The resources and the releases affected by the xterm vulnerability are:



                              Resources

                 inputMethod       preeditType      *Keymap

    Release      

    X11R3           NO                 NO             YES

    X11R4           NO                 NO             YES

    X11R5           NO                 NO             YES

    X11R6           NO                 NO             YES

    X11R6.1         YES                YES            YES

    X11R6.2         YES                YES            YES

    X11R6.3         YES                YES            YES

    X11R6.4         YES                YES            YES



The resources and the releases affected by the Xaw library

vulnerability are



                              Resources

                 inputMethod       preeditType

    Release      

    X11R6           YES                YES

    X11R6.1         YES                YES

    X11R6.2         YES                YES

    X11R6.3         YES                YES

    X11R6.4         YES                YES





(X11R6.2 was not released to the public.)



The Open Group X Project Team has investigated the issue and recommends 

the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED

that these measures be implemented on ALL vulnerable systems. This issue 

will be corrected in future X Project Team releases of X11.





- - - --------------

- - - --- Impact ---

- - - --------------



By crafting an arbitrarily long string that contains embedded machine code 

and using it to set specific "resources", a user may obtain a shell prompt 

that has root privileges.



Anyone using the MIT X Consortium; X Consortium, Inc.; or X Project Team

xterm and that has xterm installed setuid-root may be vulnerable.



Anyone using an xterm based on any of the sources listed above may

also be vulnerable to the xterm vulnerability.



In order to be vulnerable to the Xaw library vulnerability, the Xaw

Text widget must be used by a setuid-root program. Anyone using an

Xaw replacement based on any of the released versions of Xaw listed

above (e.g. Xaw3d) may also be vulnerable to the Xaw vulnerability.





- - - --------------------------

- - - --- Temporary Solution  ---

- - - --------------------------



     1) Become the root user on the system.



                % /bin/su -

                Password:

                #



     2) Remove the setuid-root bit from the xterm binary.



                # chmod 0755 <path-to-xterm>/xterm





For the Xaw vulnerability, remove the suid-root bit from any programs

which use the Xaw text widget. 



 2) Remove the setuid-root bit from the binary.



                # chmod 0755 <setuid-root-program>





- - - ----------------

- - - --- Solution ---

- - - ----------------



Patches to address this vulnerability have been given to X Project Team 

members: 



    Astec

    Attachmate

    BARCO Chromatics

    CliniComp International

    Digital

    Hewlett-Packard

    Hitachi

    Hummingbird Communications

    IBM

    Jupiter Systems

    Metro Link

    Network Computing Devices

    NetManage

    Peritek

    Seaweed Systems

    Sequent Computer Systems

    Shiman Associates

    Silicon Graphics

    Societe Axel

    Siemens Nixdorf

    Starnet

    SunSoft

    WRQ

    Xi Graphics



The X Project Team periodically makes public patches available to fix a

variety of problems. Announcements about the availability of these patches 

is announced on the Usenet comp.windows.x.announce newsgroup. The patches,

when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.

The X Project Team only supplies patches for the latest release -- we do 

not make patches for prior releases.



Information on joining The Open Group can be found at 



        http://www.opengroup.org/howtojoin.htm