Vigil@nce: xterm, command injection via DECRQSS
January 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display a text file
containing a malicious DECRQSS ANSI sequence in order to execute a
command on the victim's computer.
Gravity: 2/4
Consequences: user access/rights
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 30/12/2008
IMPACTED PRODUCTS
– Debian Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
ANSI sequences add features to terminals ("ESC" denotes the
escape character, value 0x1B):
– ESC line;column H : move on the screen
– ESC 33m : change color
– etc.
Complex sequences are also supported (DCS = Device Control
Sequence = "ESC P", ST = String Terminator = "ESC \"):
– DCS $ q function ST: (DECRQSS) query a parameter (such as the
scrolling speed)
– DCS success $ r result ST: (DECRPSS) return the result
– etc.
The function indicated in DECRQSS is not filtered before being
sent to the terminal. The function name is thus interpreted as a
shell command to run.
When the victim displays a text file coming from an untrusted
source (such as a log file), the commands carried in its ANSI
sequences are thus run in the victim's shell.
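
A defensive check for the situation described above, as an added example
(not code from the advisory or from xterm): it scans untrusted data for
DECRQSS requests before the data is displayed and rewrites them as visible
text. The function names, the constructed sample and the handling of the
single-byte forms 0x90/0x9C for DCS/ST are assumptions of this example.

```python
import re

# DCS is "ESC P" and ST is "ESC \", as in the advisory. The single-byte C1
# forms 0x90 (DCS) and 0x9C (ST) are an assumption added for 8-bit terminals.
DCS = rb"(?:\x1bP|\x90)"
ST = rb"(?:\x1b\\|\x9c)"

# DECRQSS = DCS $ q function ST. A request with no ST before the end of the
# data is matched as well, so a truncated file is still flagged.
DECRQSS = re.compile(DCS + rb"\$q(.*?)(?:" + ST + rb"|\Z)", re.DOTALL)


def find_decrqss(data: bytes):
    """Return (offset, function_bytes) for every DECRQSS request in data."""
    return [(m.start(), m.group(1)) for m in DECRQSS.finditer(data)]


def _visible(match) -> bytes:
    # Keep printable ASCII, show every other byte (ESC, C1, newlines) as \xNN.
    return b"".join(
        bytes([b]) if 0x20 <= b <= 0x7E else b"\\x%02x" % b
        for b in match.group(0)
    )


def neutralize(data: bytes) -> bytes:
    """Rewrite each DECRQSS request as inert text; leave other bytes alone."""
    return DECRQSS.sub(_visible, data)


# Constructed sample: two ordinary log lines around one DECRQSS request whose
# function field is the harmless placeholder text "EXAMPLE".
SAMPLE = (
    b"GET /index.html 200\n"
    + b"\x1bP$qEXAMPLE\x1b\\"
    + b"GET /about 200\n"
)

if __name__ == "__main__":
    for offset, function in find_decrqss(SAMPLE):
        print("DECRQSS at byte %d, function field %r" % (offset, function))
    print(neutralize(SAMPLE).decode("ascii"))
```

Only DECRQSS requests are rewritten here; a viewer for untrusted files
would normally make every escape character visible, not just this sequence.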
CHARACTERISTICS
Identifiers: 510030, BID-33060, CVE-2008-2383, DSA 1694-1, DSA
1694-2, VIGILANCE-VUL-8360
http://vigilance.fr/vulnerability/8360