Bugtraq mailing list archives

xterm security problems ?


From: GILLES.SOULET () MELIES cnes fr (Gilles SOULET - Ingenieur d'etudes au departement SSI du CNES.)
Date: 05 Dec 94 09:50:00+0100


Hello guys !

Using Sun's Openwin under SunOS 4.1.3, I noticed that the
/usr/openwin/bin/xterm wasn't setuid ROOT. It seems to be a
good thing (remember the "xterm -lf" + file link bug?).

When you launch an xterm, the system attaches a device to the
xterm's shell. You can see this device by typing 'tty' in the xterm's
window. OK.

The problem is: under SunOS, the terminal devices (/dev/ttyp?) are
owned by root, with rights rw-rw-rw-. When you log on the machine,
the login process changes the owner of the terminal, so the tty
belongs to you, with minimum access rights. BUT when using an xterm,
you don't have the permissions to change the owner and access rights
of the newly allocated tty. So the device stays owned by root,
WORLD READABLE and WORLD WRITABLE !!!

I think this introduces a major security hole, since everybody
can read from an xterm's shell terminal device to get secret
information, including a password! You can try this by using
the "cat" command redirected from (or to) an xterm terminal device:
it works!

The problem doesn't exist under Solaris 2.3: the xterm terminal
belongs to you. Since I also use Solaris, I wondered how the system
manages to change the permissions of the device: the xterm is not
setuid under Solaris Openwin...

After a few experiments, I noticed that the system was using an
undocumented program: /usr/lib/pt_chmod. This little executable
is - guess what? - setuid ROOT! It does *exactly* what I was looking
for: change the access rights and owner of a terminal device. Hmm...

The questions are now :
-----------------------

 1) What are the risks of using such a mechanism? How can we be sure
    that this "pt_chmod" is secure?

 2) Using a "regular" X11R6 xterm, it also changes the owner and
    rights of the device. It seems that pt_chmod is called by the
    system, not by xterm. I suppose pt_chmod is called by ioctl() or
    termio(), but I'm not so sure...
    Can anybody confirm this?


# Gillus 

(IT Security Dep. French Space Agency, Toulouse Space Center)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
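A defender-side check for the condition the post describes, added here as an example and not part of the original message or of any Sun or X11 code: it audits pty slave devices for the root-owned, rw-rw-rw- state and automates the poster's own "type tty in the xterm" test. The device path patterns, the uid 1000 in the constructed sample, and the assumption that stdin is a terminal (for os.ttyname) are all assumptions of this example.

```python
import glob
import os
import stat
from typing import Dict, Iterable, List, Optional, Tuple
# Pty slave patterns: /dev/pts/N on modern Unix, /dev/ttyp? on SunOS 4 (assumed).
PTY_GLOBS = ("/dev/pts/[0-9]*", "/dev/ttyp?")

def classify_tty(dev_uid: int, dev_mode: int, expected_uid: Optional[int] = None) -> List[str]:
    """Problems with one tty given its owner uid and st_mode. Ownership is checked only
    when expected_uid is given; group write (0620, group tty) serves write(1) and is fine."""
    problems = []
    if dev_mode & stat.S_IROTH:
        problems.append("world-readable")
    if dev_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if expected_uid is not None and dev_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (dev_uid, expected_uid))
    return problems

def audit(entries: Iterable[Tuple[str, int, int]], expected_uid: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each (path, uid, mode) entry that has problems to its problem list."""
    findings = {}
    for path, dev_uid, dev_mode in entries:
        problems = classify_tty(dev_uid, dev_mode, expected_uid)
        if problems:
            findings[path] = problems
    return findings

def check_controlling_tty() -> Tuple[str, List[str]]:
    """The post's own test, automated: this session's tty must be ours and closed to others."""
    path = os.ttyname(0)  # requires a terminal on stdin (assumed)
    st = os.stat(path)
    return path, classify_tty(st.st_uid, st.st_mode, os.getuid())

def scan_ptys() -> Dict[str, List[str]]:
    """Audit every pty slave on the host for world access (other users own their own)."""
    entries = []
    for path in (p for g in PTY_GLOBS for p in glob.glob(g)):
        st = os.stat(path)
        if stat.S_ISCHR(st.st_mode):
            entries.append((path, st.st_uid, st.st_mode))
    return audit(entries)

# Constructed sample as in the post: root-owned rw-rw-rw- slave, correct 0620 slave, world-writable slave.
SAMPLE = [
    ("/dev/ttyp0", 0, stat.S_IFCHR | 0o666),
    ("/dev/ttyp1", 1000, stat.S_IFCHR | 0o620),
    ("/dev/ttyp2", 1000, stat.S_IFCHR | 0o622),
]
```

Running audit(SAMPLE, 1000) flags /dev/ttyp0 on all three counts and /dev/ttyp2 as world-writable; scan_ptys() does the same against the live host.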


