CVE-1999-1210

HIGH 7.2 / 10.0
Published: November 12, 1997 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.

CVSS Metrics

Base Score
7.2
Severity
HIGH
Vector String
AV:L/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local privilege escalation is possible on vulnerable Digital UNIX systems running xterm. By exploiting a symlink vulnerability related to core dump handling, an attacker can overwrite arbitrary files, potentially gaining unauthorized access or control of the system.

02 // Vulnerability Mechanism

1. Environment setup: The attacker sets the DISPLAY environment variable to a value that xterm cannot access (e.g., an invalid display or a display the attacker doesn't have permission to use).
2. Symlink creation: The attacker creates a symbolic link to a critical system file, such as /etc/passwd, with a predictable filename that xterm will use for its core dump (e.g., core).
3. Triggering the crash: The attacker executes xterm. Because of the invalid DISPLAY setting, xterm crashes and attempts to create a core dump.
4. File overwrite: xterm, running with the attacker's privileges, attempts to write the core dump data to the file pointed to by the symbolic link (e.g., /etc/passwd).
5. Privilege escalation: The attacker gains control of the system by overwriting the target file (e.g., adding a new user with root privileges to /etc/passwd).

03 // Deep Technical Analysis

The vulnerability stems from a race condition in how xterm handles core dumps when the DISPLAY environment variable is set to an inaccessible display. When xterm crashes due to this misconfiguration, it attempts to create a core dump file. An attacker can exploit this by creating a symbolic link to a critical system file (e.g., /etc/passwd) before xterm attempts to create the core dump. The xterm process, running with the attacker's privileges, then writes the core dump data to the target file, effectively overwriting it. The root cause is the lack of proper input validation and secure file handling, specifically the failure to check if the target file is a symbolic link before writing to it. This allows for a symlink attack to overwrite arbitrary files.
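As an added illustration of the root cause named above (example code, not from the CVE record or from xterm itself): the first writer truncates whatever the core-file path names, so a symlink planted at that name redirects the write; the hardened writer opens the path exclusively and without following links, then verifies the descriptor before writing. The scratch directory under /tmp, the file names and the data strings are constructed for the self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the analysis describes: whatever "path" names is truncated and
 * overwritten, so a symlink planted at that name redirects the write. */
int dump_unsafe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened form: O_EXCL atomically refuses any pre-existing name, O_NOFOLLOW
 * refuses a symlink, and fstat confirms the descriptor is a regular file
 * owned by us. Returns 0 on success, -1 with errno set otherwise. */
int dump_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;            /* EEXIST/ELOOP: a name was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd); errno = EPERM; return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Self-check in a scratch directory (constructed paths): plant "core" as a
 * symlink to a victim file, then run both writers against "core". Returns 1
 * when the safe writer refuses and the unsafe writer clobbers the victim. */
int demo_symlink_guard(void) {
    char dir[] = "/tmp/coredemoXXXXXX", victim[64], core[64], buf[32] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(core, sizeof core, "%s/core", dir);
    int planted = dump_safe(victim, "original") == 0 && symlink(victim, core) == 0;
    int refused = planted && dump_safe(core, "dumped") != 0;
    int clobbered = planted && dump_unsafe(core, "dumped") == 0;
    int fd = open(victim, O_RDONLY);
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
    unlink(core); unlink(victim); rmdir(dir);
    return refused && clobbered && strcmp(buf, "dumped") == 0;
}
```

The same exclusive, non-following open (plus a privilege drop before writing) is the usual fix for any privileged program that writes to a predictable name in a directory others can write to.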

CVE-1999-1210 - HIGH Severity (7.2) | Free CVE Database | 4nuxd