Bug#244811: gnome-terminal: Arbitrary command execution a.o. via escape sequences

Jan Minar Jan Minar <jjminar@fastmail.fm>, 244811@bugs.debian.org
Tue, 20 Apr 2004 05:18:50 +0200 

--qDbXVdCdHGoSgWSk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: gnome-terminal
Version: 1.4.0.6-5
Severity: grave
Justification: user security hole
Tags: security

Hi.

I've read this [1]analysis by by H D Moore.  No matter how convenient
the escape sequences that allow injecting of arbitrary data as-if typed
by the user might be, they should go, and they should go now.

[1] http://marc.theaimsgroup.com/?l=3D3Dbugtraq&m=3D3D104612710031920&w=3D3=
D2

All the escape sequences that allow characters injection in the user
input i.e. arbitrary command execution after all, should be disabled,
especially those allowing the attacker to inject arbitrary or known
data, i.e. those window-title-reporting and icon-title-reporting ones,
and others.

All other escape sequences that allow the attacker to modify the user
environment should be disabled, too.  I'm not sure as which escape
sequences belong to this set.

Please read the abovementioned paper.  I will add few remarks:

(1) It's possible to covertly inject arbitrary commands in a shell
command-line, by switching the echoing of characters typed off and on,
letting the user press the <Ret> him-/herself.

(2) There are many applications that allow bang-shell-escape, where
<Ret> is used e.g. for scrolling (less(1), mutt(1)).  Although the
dangerous escape sequences might be filtered out [by default], this can
be turned off -- And there *are* no warning signs.

(3) There probably is a way of abusing e.g. the readline(3) macro
ability, obviating the need of <Ret> being included in the payload; in
some environments, some ordinary ASCII character might be mapped to
<Ret> by default, even.

(4) This is a failure to separate the security domains cleanly, by
allowing the intruder to type things with the terminal owner's
privileges.  It breaks the security scheme very deeply, and exactly
because of this, ``nobody'' would expect it.

(5) Many observations made about MS Outlook & friends e.g. wrt the
click-me virii apply.  But this is even worse than Windows: Here any and
every file may contain executable code, any and every file may carry a
`virus'.

Cheers,
Jan.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
Locale: LANG=3DC, LC_CTYPE=3Dcs_CZ.ISO-8859-2

Versions of packages gnome-terminal depends on:
ii  gdk-imlib1             1.9.14-2          Gdk-Imlib is an imaging librar=
y fo
ii  gnome-bin              1.4.1.4-3         Miscellaneous binaries used by=
 Gno
ii  libart2                1.4.1.4-3         The Gnome canvas widget - runt=
ime=20
ii  libaudiofile0          0.2.3-4           The Audiofile Library
ii  libc6                  2.2.5-11.5        GNU C Library: Shared librarie=
s an
ii  libdb3                 3.2.9-16          Berkeley v3 Database Libraries=
 [ru
ii  libesd0                0.2.23-3          Enlightened Sound Daemon - Sha=
red=20
ii  libglade-gnome0        1:0.17-2.2        Library to load .glade files a=
t ru
ii  libglade0              1:0.17-2.2        Library to load .glade files a=
t ru
ii  libglib1.2             1.2.10-4          The GLib library of C routines
ii  libgnome32             1.4.1.4-3         The Gnome libraries
ii  libgnomesupport0       1.4.1.4-3         The Gnome libraries (Support l=
ibra
ii  libgnomeui32           1.4.1.4-3         The Gnome libraries (User Inte=
rfac
ii  libgnorba27            1.4.1.4-3         Gnome CORBA services
ii  libgtk1.2              1.2.10-11         The GIMP Toolkit set of widget=
s fo
ii  libjpeg62              6b-5              The Independent JPEG Group's J=
PEG=20
ii  liborbit0              0.5.16-1          Libraries for ORBit - a CORBA =
ORB
ii  libpng2                1.0.12-3.woody.3  PNG library - runtime
ii  libtiff3g              3.5.5-6           Tag Image File Format library
ii  libungif4g             4.1.0b1-2         shared library for GIF images =
(run
ii  libwrap0               7.6-9             Wietse Venema's TCP wrappers l=
ibra
ii  libxml1                1:1.8.17-2woody1  GNOME XML library
ii  libzvt2                1.4.1.4-3         The Gnome zvt (zterm) widget
ii  scrollkeeper           0.3.6-3.1         A free electronic cataloging s=
yste
ii  xlibs                  4.1.0-16woody3    X Window System client librari=
es
ii  zlib1g                 1:1.1.4-1.0woody0 compression library - runtime

--=20
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wonder=
ed
 where this started and I think it goes back to the time I went to the circ=
us,
			  and a clown killed my dad."

--qDbXVdCdHGoSgWSk
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAhJaZ+uczK20Fa5cRAuJBAJ9REWkxQpm9eblAzj6WzNQWITR49wCfaz+K
6zfUIG0hoYyb5qu7b9AfyYs=
=SN27
-----END PGP SIGNATURE-----

--qDbXVdCdHGoSgWSk--