Source: cve@mitre.org
xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to overwrite arbitrary files via a symlink attack on a core dump file, which is created when xterm is called with a DISPLAY environmental variable set to a display that xterm cannot access.
Digital UNIX 4.0B systems with patch kit 5 are vulnerable to a local privilege escalation via a symlink attack against the xterm terminal emulator. This vulnerability allows an attacker to overwrite arbitrary files, potentially leading to system compromise and unauthorized access. Successful exploitation requires a user to have local access and the ability to set the DISPLAY environment variable.
Step 1: Environment Setup: The attacker logs into the vulnerable system and sets the DISPLAY environment variable to a display that the attacker's user does not have access to (e.g., a display on a different machine or a display with incorrect permissions).
Step 2: Symlink Creation: The attacker creates a symbolic link (symlink) pointing to a critical system file that they want to overwrite (e.g., /etc/passwd). The symlink is created in a location where the xterm process will attempt to create the core dump file.
Step 3: xterm Execution: The attacker executes xterm.
Step 4: Core Dump Trigger: xterm attempts to create a core dump file because it cannot connect to the specified display.
Step 5: File Overwrite: Because of the symlink, the core dump data is written to the file pointed to by the symlink (e.g., /etc/passwd), overwriting its contents.
Step 6: Privilege Escalation: The attacker can now use the modified file (e.g., /etc/passwd) to gain elevated privileges, potentially gaining root access.
The vulnerability stems from a race condition within xterm when handling core dumps. When xterm is invoked with a DISPLAY environment variable pointing to an inaccessible display, it attempts to create a core dump file. An attacker can exploit this by creating a symbolic link to a critical system file (e.g., /etc/passwd) before xterm attempts to create the core dump. The xterm process, running with the attacker's privileges, then writes the core dump data to the file pointed to by the symbolic link, effectively overwriting the target file. The flaw lies in the lack of proper input validation and the failure to check the target file's ownership or permissions before writing to it. The use of a symlink allows the attacker to control the destination of the write operation, making it a powerful attack vector.
Due to the age of the vulnerability, it is unlikely to be directly associated with specific APT groups or malware campaigns. However, the techniques used (symlink attacks) are common and could be incorporated into broader attack strategies. This vulnerability is not listed on the CISA KEV catalog.
Monitor system logs for the creation of core dump files, especially when xterm is involved.
Analyze file system activity for suspicious symlink creations, particularly those targeting system files like /etc/passwd, /etc/shadow, or other critical configuration files.
Implement file integrity monitoring (FIM) to detect unauthorized modifications to critical system files.
Monitor for unusual processes spawned by the user, especially those with elevated privileges.
Review network traffic for unusual display connections, especially from internal hosts to external hosts.
Apply the vendor-provided patch kit 5 for Digital UNIX 4.0B, which addresses the vulnerability.
Upgrade to a more recent and supported operating system version.
Restrict the ability to set the DISPLAY environment variable, especially for untrusted users.
Implement file system hardening by setting appropriate permissions and ownership on critical system files.
Regularly audit system configurations and user accounts for potential vulnerabilities.
Disable core dumps or configure them to be written to a secure location with restricted access.
Implement a host-based intrusion detection system (HIDS) to detect suspicious activity.