Bug 84587

Summary: rxvt contains a number of vulnerabilities in escape sequences
Product: Red Hat Enterprise Linux 2.1
Reporter: Mark J. Cox <mjc>
Component: rxvt
Assignee: Harald Hoyer <harald>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 2.1
CC: dickey, kmaraas
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-04-04 09:36:46 UTC

Description Mark J. Cox 2003-02-19 09:27:04 UTC
A number of bugs in rxvt.  This is not public until February 25 2003

* The rxvt package allows arbitrary files to be created
  echo -e "\ec+ +\n\e]55;/tmp/M00SE\a"

  CAN-2003-0022

* Possible to trojan the dynamic menus in rxvt
  echo -e "\e]10;[:/Special/{Access} touch /tmp/BOO\rexit\r
      :]\a\e]10;[show]\a"

  CAN-2003-0023 (we do ship with menus enabled)

* One of the features which most terminal emulators support is
  the ability for the shell to set the title of the window using
  an escape sequence.  Certain xterm variants also provide an
  escape sequence for reporting the current window title. This
  essentially takes the current title and places it directly on
  the command line. Due to the way that most emulators process
  the escape sequence, it is not possible to embed a carriage
  return into the window title itself, so the attacker would
  have to convince the user to hit enter for it to process the
  title as a command (not too hard, for example:)
  echo "\e]2;;touch /tmp/BOO;\a\e[21t\e]2;term\aHit Enter>\e[8m;"

  CAN-2003-0066

Comment 1 Harald Hoyer 2003-02-25 11:29:28 UTC
echo -e "\e]2;test\e[21t"
seems to be a DOS attack ... 

Comment 2 Harald Hoyer 2003-02-25 13:06:19 UTC
ah, ok... \a was missing in the last sequence

Comment 3 Thomas E. Dickey 2003-02-25 15:45:57 UTC
How is this different in any degree from a script which
performs the same action without regard to what is stored
in the title?  None.

Comment 4 Harald Hoyer 2003-02-25 15:59:00 UTC
? the last thing?

Comment 5 Thomas E. Dickey 2003-02-25 17:17:42 UTC
All that's being noted is that someone is able to store data someplace
and later retrieve it.  Just like improperly quoted shell scripts...

Comment 6 Harald Hoyer 2003-02-25 17:22:22 UTC
well, these scripts usually do not get executed if you display a log file...
(from apache or s.th. else)

Comment 7 Thomas E. Dickey 2003-02-25 17:34:21 UTC
I find the comment reasonable only if the logfile contains other
escape characters that the person wants to pass through "less -R".
(People who simply cat binary files to their terminal have a variety
of ways to affect things, including logging themselves off ;-)

Comment 8 Mark J. Cox 2003-02-26 08:54:24 UTC
Most administrators I know use various tools like 'tail -f', 'more', and 'grep'
when looking through log files - the first problem is of course that those log
files should properly strip or encode escape characters.  Apache does a good job
of encoding access logs but not error logs, but this isn't just a problem with
Apache logs.  

So given that an administrator may well be looking at externally influenced
strings including escape characters we want to minimise the impact that those
can have - removing the ability to create arbitrary files, removing a DOS (not a
very exciting issue), and removing the window title reporting which could be
used to trick the admin into executing arbitrary commands.
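The point made in comment 8 is that log viewers should strip or encode escape characters before an administrator ever sees them. The following is an added example, not code from this report or from rxvt, that does both halves of that job on untrusted log text: it flags the sequences quoted in the description (OSC 55 file write, OSC 10 menu definition, CSI 21 t title report) and encodes every control byte in the `\xHH` form Apache uses for access logs. The sample log lines are constructed; only the escape sequences inside them come from the report.

```python
"""Flag and neutralise terminal escape sequences in untrusted log text.

Added example for the rxvt report above; not part of the bug report or
of the rxvt sources.  The sequence numbers (OSC 55, OSC 10, CSI 21 t)
are those quoted in the report; the log lines below are constructed.
"""
import re

# OSC: ESC ] <number> ; <payload>, terminated by BEL or by ESC \ (ST).
OSC_RE = re.compile(r"\x1b\](\d*)(?:;([^\x07\x1b]*))?(?:\x07|\x1b\\)")
# CSI: ESC [ <parameters> <final byte in the range @ .. ~>
CSI_RE = re.compile(r"\x1b\[([0-9;?]*)([@-~])")
# Any other ESC plus one byte, e.g. "ESC c" (the reset in the report).
ESC_RE = re.compile(r"\x1b(.)")

# Why each OSC number matters, as described in the report.
RISKY_OSC = {
    "55": "OSC 55: rxvt dumps the screen to an attacker-chosen file (CAN-2003-0022)",
    "10": "OSC 10: rxvt redefines its dynamic menus (CAN-2003-0023)",
}
TITLE_SET_OSC = {"0", "2"}  # sets the window title; harmless alone, pairs with 21 t
RISK_RANK = {"none": 0, "info": 1, "low": 2, "high": 3}

# Constructed sample lines: Apache-style access log text wrapped around
# the escape sequences quoted in the report.
SAMPLE_LOG_LINES = [
    '203.0.113.9 - - "GET /\x1b]55;/tmp/M00SE\x07 HTTP/1.0" 404 210',
    '203.0.113.9 - - "GET /\x1b]2;;touch /tmp/BOO;\x07\x1b[21t'
    '\x1b]2;term\x07Hit Enter>\x1b[8m; HTTP/1.0" 404 210',
    '203.0.113.9 - - "GET /index.html HTTP/1.0" 200 1043',
]


def find_sequences(line):
    """Return (risk, description) pairs for every escape sequence in *line*."""
    hits = []
    for m in OSC_RE.finditer(line):
        code, payload = m.group(1), m.group(2) or ""
        if code in RISKY_OSC:
            hits.append(("high", f"{RISKY_OSC[code]}: {payload!r}"))
        elif code in TITLE_SET_OSC:
            hits.append(("info", f"OSC {code}: sets window title to {payload!r}"))
        else:
            hits.append(("low", f"OSC {code or '?'} with payload {payload!r}"))
    for m in CSI_RE.finditer(line):
        params, final = m.groups()
        if final == "t" and params.split(";")[0] == "21":
            hits.append(("high", "CSI 21 t: terminal types the window title back "
                                 "as keyboard input (CAN-2003-0066)"))
        else:
            hits.append(("low", f"CSI {params}{final}"))
    # Whatever ESC is left after removing OSC/CSI is a plain two-byte sequence.
    leftover = OSC_RE.sub("", CSI_RE.sub("", line))
    for m in ESC_RE.finditer(leftover):
        hits.append(("low", f"ESC {m.group(1)!r} (two-byte sequence such as RIS)"))
    return hits


def sanitize(line):
    """Encode control bytes so the line can be shown on a terminal safely.

    Tab and newline are kept; every other C0 byte, DEL and the C1 range
    (0x80-0x9f) is rendered as \\xHH, the form Apache uses in access logs.
    """
    out = []
    for ch in line:
        cp = ord(ch)
        if ch in "\t\n" or 0x20 <= cp < 0x7f or cp > 0x9f:
            out.append(ch)
        else:
            out.append(f"\\x{cp:02x}")
    return "".join(out)


def scan(lines):
    """Classify each line and return its worst risk, hits and a safe rendering."""
    report = []
    for n, line in enumerate(lines, 1):
        hits = find_sequences(line)
        worst = max((risk for risk, _ in hits), key=RISK_RANK.get, default="none")
        report.append({"line": n, "max_risk": worst, "hits": hits,
                       "safe": sanitize(line)})
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG_LINES):
        print(f"line {entry['line']}: {entry['max_risk']}")
        for risk, desc in entry["hits"]:
            print(f"    [{risk}] {desc}")
        print(f"    safe: {entry['safe']}")
```

The encoder is deliberately blunt: it does not try to understand sequences, it just makes every ESC, BEL and other control byte visible, which is the property a viewer needs before `tail -f` or `grep` output can be trusted. The classifier is the part a log monitor would extend; the three "high" rules are exactly the sequences this report is about.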

Comment 9 Kjartan Maraas 2003-04-03 19:55:40 UTC
This has been released now, right?

Comment 10 Mark J. Cox 2003-04-04 09:36:46 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-055.html