Multiple vendor terminal emulator screen dump file overwrite
| terminal-emulator-screen-dump (11413) |  Medium Risk |
Description:
Multiple vendor terminal emulator software packages, including Eterm could allow a remote or local attacker to overwrite arbitrary files, caused by improper handling of escape sequences when using the "screen dump" feature. Escape sequences are a series of characters that begin with the ASCII (0x1B) sequence and are followed by a series of arguments. If an attacker creates a file containing specially-crafted escape sequences, and then the terminal emulator user opens that file, the attacker could cause the targeted file to be overwritten with the contents of the terminal emulator window.
*CVSS:
| Base Score: | 3.5 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | None |
| Integrity Impact: | Partial |
| Availability Impact: | None |
| Temporal Score: | 2.6 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
File Manipulation
Remedy:
For Eterm:
Upgrade to the latest version of Eterm (0.9.2 or later), available from the Eterm Web site. See References.
For Gentoo Linux containing the eterm package:
Upgrade versions x11-terms/eterm (0.9.2-r3 or later), as listed in Gentoo Linux Security Announcement 200303-1. See References.
For Gentoo Linux containing the rxvt package:
Upgrade to the latest version of rxvt (2.7.8-r6 or later), as listed in Gentoo Linux Security Announcement 200303-16. See References.
For Red Hat Linux:
Upgrade to the latest rxvt package, as listed below. Refer to RHSA-2003:054-07 for more information. See References.
Red Hat 6.2: 2.7.8-3.6.2.1 or later
Red Hat 7.0: 2.7.8-3.7.0.1 or later
Red Hat 7.1: 2.7.8-3.7.1.1 or later
Red Hat 7.2 and 7.3: 2.7.8-4 or later
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Mon Feb 24 2003 - 20:09:39 CST : Re: Terminal Emulator Security Issues .
- Eterm Web site: Eterm.Org.
- Gentoo Linux Security Announcement 200303-1: dangerous interception of escape sequences.
- Gentoo Linux Security Announcement 200303-16: rxvt multiple vulnerabilities.
- VulnWatch Mailing List, Mon Feb 24 2003 - 15:02:52 CST : Terminal Emulator Security Issues .
- BID-6936: Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
- BID-6938: RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
- BID-9930: Apache Error Log Escape Sequence Injection Vulnerability
- CVE-2003-0021: The screen dump feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.
- CVE-2003-0022: The screen dump feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.
- MDKSA-2003:034: Updated rxvt packages fix escape sequence insecurities
- MDKSA-2003:034-1: Updated rxvt packages fix escape sequence insecurities
- MDKSA-2003:040: Updated Eterm packages fix escape sequence insecurities
- RHSA-2003-054: Updated rxvt packages fix various vulnerabilites
- RHSA-2003-055: rxvt security update
Platforms Affected:
- Gentoo Linux
- MandrakeSoft Mandrake Linux 8.2 PPC
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux 9.0
- MandrakeSoft Mandrake Linux 9.1
- MandrakeSoft Mandrake Linux 9.1 PPC
- MandrakeSoft Mandrake Linux Corporate Server 2.1
- Michael Jennings Eterm 0.9.1 and prior
- RedHat Enterprise Linux 2.1 WS
- RedHat Enterprise Linux 2.1 AS
- RedHat Enterprise Linux 2.1 ES
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.2
- RedHat Linux 7.3
- RedHat Linux Advanced Workstation 2.1 Itanium
- rxvt rxvt 2.7.8
Reported:
Feb 24, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.