Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 84587 - rxvt contains a number of vulnerabilities in escape sequences
rxvt contains a number of vulnerabilities in escape sequences
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: rxvt (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Harald Hoyer
David Lawrence
: Security
Depends On:
  Show dependency treegraph
Reported: 2003-02-19 04:27 EST by Mark J. Cox
Modified: 2007-11-30 17:06 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-04-04 04:36:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:055 normal SHIPPED_LIVE Important: rxvt security update 2003-02-06 00:00:00 EST

  None (edit)
Description Mark J. Cox 2003-02-19 04:27:04 EST
A number of bugs in rxvt.  This is not public until February 25 2003

* The rxvt package allows arbitrary files to be created
  echo -e "\ec+ +\n\e]55;/tmp/M00SE\a"


* Possible to trojan the dynamic menus in rxvt
  echo -e "\e]10;[:/Special/{Access} touch /tmp/BOO\rexit\r

  CAN-2003-0023 (we do ship with menus enabled)

* One of the features which most terminal emulators support is
  the ability for the shell to set the title of the window using
  an escape sequence.  Certain xterm variants also provide an
  escape sequence for reporting the current window title. This
  essentially takes the current title and places it directly on
  the command line. Due to the way that most emulators processes
  the escape sequence, it is not possible to embed a carriage
  return into the window title itself, so the attacker would
  have to convince the user to hit enter for it to process the
  title as a command (not too hard, for example:)
  echo "\e]2;;touch /tmp/BOO;\a\e[21t\e]2;term\aHit Enter>\e[8m;"

Comment 1 Harald Hoyer 2003-02-25 06:29:28 EST
echo -e "\e]2;test\e[21t"
seems to be a DOS attack ... 
Comment 2 Harald Hoyer 2003-02-25 08:06:19 EST
ah, ok... \a was missing in the last sequence
Comment 3 Thomas E. Dickey 2003-02-25 10:45:57 EST
How is this different in any degree from a script which
performs the same action without regard to what is stored
in the title?  None.
Comment 4 Harald Hoyer 2003-02-25 10:59:00 EST
? the last thing?
Comment 5 Thomas E. Dickey 2003-02-25 12:17:42 EST
All that's being noted is that someone is able to store data someplace
and later retrieve it.  Just like improperly quoted shell scripts...
Comment 6 Harald Hoyer 2003-02-25 12:22:22 EST
well this scripts usually do not get executed, if you display a log file...
(from apache or s.th. else)
Comment 7 Thomas E. Dickey 2003-02-25 12:34:21 EST
I find the comment reasonable only if the logfile contains other
escape characters that the person wants to pass through "less -R".
(People who simply cat binary files to their terminal have a variety
of ways to affect things, including logging themselves off ;-)
Comment 8 Mark J. Cox 2003-02-26 03:54:24 EST
Most administrators I know use various tools like 'tail -f', 'more', and 'grep'
when looking through log files - the first problem is of course that those log
files should properly strip or encode escape characters.  Apache does a good job
of encoding access logs but not error logs, but this isn't just a problem with
Apache logs.  

So given that an administrator may well be looking at externally influenced
strings including escape characters we want to minimise the impact that those
can have - removing the ability to create arbitrary files, removing a DOS (not a
very exciting issue), and removing the window title reporting which could be
used to trick the admin into executing arbitrary commands.
Comment 9 Kjartan Maraas 2003-04-03 14:55:40 EST
This has been released now, right?
Comment 10 Mark J. Cox 2003-04-04 04:36:46 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.