Bug 84587 - rxvt contains a number of vulnerabilities in escape sequences
Summary: rxvt contains a number of vulnerabilities in escape sequences
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: rxvt
Version: 2.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2003-02-19 09:27 UTC by Mark J. Cox
Modified: 2007-11-30 22:06 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-04-04 09:36:46 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:055 0 normal SHIPPED_LIVE Important: rxvt security update 2003-02-06 05:00:00 UTC

Description Mark J. Cox 2003-02-19 09:27:04 UTC
A number of bugs in rxvt.  This is not public until February 25 2003

* The rxvt package allows arbitrary files to be created
  echo -e "\ec+ +\n\e]55;/tmp/M00SE\a"


* Possible to trojan the dynamic menus in rxvt
  echo -e "\e]10;[:/Special/{Access} touch /tmp/BOO\rexit\r

  CAN-2003-0023 (we do ship with menus enabled)

* One of the features which most terminal emulators support is
  the ability for the shell to set the title of the window using
  an escape sequence.  Certain xterm variants also provide an
  escape sequence for reporting the current window title. This
  essentially takes the current title and places it directly on
  the command line. Due to the way that most emulators processes
  the escape sequence, it is not possible to embed a carriage
  return into the window title itself, so the attacker would
  have to convince the user to hit enter for it to process the
  title as a command (not too hard, for example:)
  echo "\e]2;;touch /tmp/BOO;\a\e[21t\e]2;term\aHit Enter>\e[8m;"


Comment 1 Harald Hoyer 2003-02-25 11:29:28 UTC
echo -e "\e]2;test\e[21t"
seems to be a DOS attack ... 

Comment 2 Harald Hoyer 2003-02-25 13:06:19 UTC
ah, ok... \a was missing in the last sequence

Comment 3 Thomas E. Dickey 2003-02-25 15:45:57 UTC
How is this different in any degree from a script which
performs the same action without regard to what is stored
in the title?  None.

Comment 4 Harald Hoyer 2003-02-25 15:59:00 UTC
? the last thing?

Comment 5 Thomas E. Dickey 2003-02-25 17:17:42 UTC
All that's being noted is that someone is able to store data someplace
and later retrieve it.  Just like improperly quoted shell scripts...

Comment 6 Harald Hoyer 2003-02-25 17:22:22 UTC
well this scripts usually do not get executed, if you display a log file...
(from apache or s.th. else)

Comment 7 Thomas E. Dickey 2003-02-25 17:34:21 UTC
I find the comment reasonable only if the logfile contains other
escape characters that the person wants to pass through "less -R".
(People who simply cat binary files to their terminal have a variety
of ways to affect things, including logging themselves off ;-)

Comment 8 Mark J. Cox 2003-02-26 08:54:24 UTC
Most administrators I know use various tools like 'tail -f', 'more', and 'grep'
when looking through log files - the first problem is of course that those log
files should properly strip or encode escape characters.  Apache does a good job
of encoding access logs but not error logs, but this isn't just a problem with
Apache logs.  

So given that an administrator may well be looking at externally influenced
strings including escape characters we want to minimise the impact that those
can have - removing the ability to create arbitrary files, removing a DOS (not a
very exciting issue), and removing the window title reporting which could be
used to trick the admin into executing arbitrary commands.

Comment 9 Kjartan Maraas 2003-04-03 19:55:40 UTC
This has been released now, right?

Comment 10 Mark J. Cox 2003-04-04 09:36:46 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.