A number of bugs in rxvt. This is not public until February 25 2003

* The rxvt package allows arbitrary files to be created
  echo -e "\ec+ +\n\e]55;/tmp/M00SE\a"
  CAN-2003-0022

* Possible to trojan the dynamic menus in rxvt
  echo -e "\e]10;[:/Special/{Access} touch /tmp/BOO\rexit\r :]\a\e]10;[show]\a"
  CAN-2003-0023 (we do ship with menus enabled)

* One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. Due to the way that most emulators process the escape sequence, it is not possible to embed a carriage return into the window title itself, so the attacker would have to convince the user to hit enter for it to process the title as a command (not too hard, for example:)
  echo "\e]2;;touch /tmp/BOO;\a\e[21t\e]2;term\aHit Enter>\e[8m;"
  CAN-2003-0066
echo -e "\e]2;test\e[21t" seems to be a DOS attack ...
ah, ok... \a was missing in the last sequence
How is this different in any degree from a script which performs the same action without regard to what is stored in the title? None.
? the last thing?
All that's being noted is that someone is able to store data someplace and later retrieve it. Just like improperly quoted shell scripts...
well, these scripts usually do not get executed if you display a log file... (from apache or something else)
I find the comment reasonable only if the logfile contains other escape characters that the person wants to pass through "less -R". (People who simply cat binary files to their terminal have a variety of ways to affect things, including logging themselves off ;-)
Most administrators I know use various tools like 'tail -f', 'more', and 'grep' when looking through log files - the first problem is of course that those log files should properly strip or encode escape characters. Apache does a good job of encoding access logs but not error logs, but this isn't just a problem with Apache logs. So given that an administrator may well be looking at externally influenced strings including escape characters we want to minimise the impact that those can have - removing the ability to create arbitrary files, removing a DOS (not a very exciting issue), and removing the window title reporting which could be used to trick the admin into executing arbitrary commands.
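A defensive counterpart to the "strip or encode escape characters" point above, added here as an illustration and not code from this bug report, from rxvt or from Apache: a small filter that encodes terminal control characters in log lines before they reach a terminal (the way Apache's access log does) and flags the sequences this report discusses (OSC title set, CSI 21 t title report, rxvt's OSC 55 and OSC 10). The log line it scans is constructed for the example.

```python
import re

# Control-sequence grammar (ECMA-48 / xterm): OSC is ESC ] Ps ; Pt terminated by
# BEL or ESC \ ; CSI is ESC [ parameters intermediates final-byte.
OSC_RE = re.compile(r"\x1b\](?P<num>\d*);?(?P<body>[^\x07\x1b]*)(?:\x07|\x1b\\)?")
CSI_RE = re.compile(r"\x1b\[(?P<params>[0-?]*)(?P<inter>[ -/]*)(?P<final>[@-~])")

# Labels for the OSC numbers the report above discusses (0/2: window title,
# 55: rxvt log file, 10: rxvt dynamic menu).
OSC_LABELS = {"0": "OSC title set", "2": "OSC title set",
              "55": "OSC 55 rxvt log file", "10": "OSC 10 rxvt menu"}


def find_suspicious(line):
    """Return labels of report-relevant sequences in one log line, ordered by position."""
    hits = []
    for m in OSC_RE.finditer(line):
        label = OSC_LABELS.get(m.group("num"))
        if label:
            hits.append((m.start(), label))
    for m in CSI_RE.finditer(line):
        # CSI 21 t asks the terminal to echo its title back as keyboard input.
        if m.group("final") == "t" and m.group("params") == "21":
            hits.append((m.start(), "CSI 21t title report"))
    return [label for _, label in sorted(hits)]


def _is_safe(ch):
    # Keep printable characters, TAB and LF; everything else is a control character.
    return ch in "\t\n" or (ch >= " " and ch != "\x7f")


def sanitize(line):
    """Encode C0 controls and DEL (except TAB and LF) as \\xNN so a terminal never sees them."""
    return "".join(ch if _is_safe(ch) else f"\\x{ord(ch):02x}" for ch in line)


# Constructed sample: an access-log line carrying the title-set / title-report
# sequence from the third item above, as the bytes 'echo -e' would emit them.
SAMPLE_LINE = ('203.0.113.5 - - "GET /?\x1b]2;;touch /tmp/BOO;\x07\x1b[21t'
               '\x1b]2;term\x07Hit Enter>\x1b[8m HTTP/1.0" 404 208')

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LINE))
    print(sanitize(SAMPLE_LINE))
```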
This has been released now, right?
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2003-055.html