xterm Log File Race Condition

Vulnerability Description

Brief Description: xterm(1) has a race condition in the way it opens an existing file for logging.

Detailed Description: xterm emulates a terminal in the X window system. xterm also allows a user to append all xterm activity. The program first checks that the real UID can write to the named log file using access(2), and then opens the file open(2). As the log file is typically created in the home directory of the real UID, that user can write to the containing directory and hence switch files to exploit the race condition.

Component(s): xterm

Version(s): Versions of the X window system earlier than X11R5 patchlevel 25

Operating System(s): Any system running the above version(s) of X.

Other Information: You need access to a user account.

Effects:You can change the ownership of any file on a file system on which you can create a file.

Detecting the Vulnerability:

* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.

* Check your xterm executable for the two system calls. If it has them, you are probably vulnerable.

Fixing the Vulnerability:

* Upgrade to a newer version.

* If you have the source code, write the access checking portion of the program to drop privileges for the open, and regain them right after. If your system supports a saved UID, use the setuid(2) system call; if not, create a pipe and fork(2), have the child change its effective UID to its real UID, and have it write to the log file.

Cataloguing

Keywords:xterm, race condition

Exploiting

Attack Methods or Tools: Not provided.

Related Information

Advisories and Other Alerts: CIAC E-04 (CIAC E-04); CIAC CA-93:17 (CIAC CA-93:17);

Related Vulnerabilities: Andrew S. Tanenbaum, Operating Systems Design and Implementation, Prentice-Hall, Inc. (1987).

History

First Report We Know Of: by unknown

Revisions of Database Record

1. Olufemi Oloyede(7/13/98): Entered into DOVES.

2. Mike Dilger(original): Entered into original database.