Multiple vendor terminal emulator window title command execution

terminal-emulator-window-title (11414) The risk level is classified as MediumMedium Risk

Description:

Multiple vendor terminal emulator software packages, including XFree86 xterm, dtterm, uxterm, rxvt, aterm, Eterm, and PuTTY, gnome-terminal, and hanterm-xf could allow a remote or local attacker to modify the terminal window title and execute arbitrary commands on the system, caused by improper handling of malformed escape sequences. Escape sequences are a series of characters that begin with the ASCII (0x1B) sequence and are followed by a series of arguments. If an attacker creates a file containing specially-crafted escape sequences, and then the terminal emulator user opens that file, the attacker could modify the window title and then insert it back into the command line of the terminal emulator, which would allow the attacker to execute arbitrary commands on the system.


Consequences:

Gain Access

Remedy:

For Eterm:
Upgrade to the latest version of Eterm (0.9.2 or later), available from the Eterm Web site. See References.

For Red Hat Linux:
Upgrade to the latest rxvt package, as listed below. Refer to RHSA-2003:054-07 for more information. See References.

Red Hat 6.2: 2.7.8-3.6.2.1 or later
Red Hat 7.0: 2.7.8-3.7.0.1 or later
Red Hat 7.1: 2.7.8-3.7.1.1 or later
Red Hat 7.2 and 7.3: 2.7.8-4 or later

For Red Hat Linux:
Upgrade to the latest hanterm package, as listed below. Refer to RHSA-2003:070-12 for more information. See References.

Red Hat 7.2 and 7.3: 2.0.5-5.7.4 or later
Red Hat 8.0: 2.0.5-5.8.0 or later

For Red Hat Linux 8.0 using the gnome-terminal:
Upgrade to the latest vte package (0.8.19-2 or later), as listed in RHSA-2003:053-10. See References.

For Red Hat Linux 8.0:
Upgrade to the latest XFree86 package (4.2.1-21 or later), as listed in RHSA-2003:067-19. See References.

For Red Hat Linux containing the hanterm package:
Upgrade to the latest hanterm package, as listed below. Refer to RHSA-2003:071-12 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v.2.1), WS (v.2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 2.0.5-5.AS21.1 or later

For Gentoo Linux containing the vte package:
Upgrade versions x11-libs/vte (0.10.25 or later), as listed in Gentoo Linux Security Announcement 200303-2. See References.

For Gentoo Linux containing the eterm package:
Upgrade versions x11-terms/eterm (0.9.2-r3 or later), as listed in Gentoo Linux Security Announcement 200303-1. See References.

For Gentoo Linux containing the rxvt package:
Upgrade to the latest version of rxvt (2.7.8-r6 or later), as listed in Gentoo Linux Security Announcement 200303-16. See References.

For Sun Linux 5.0:
Apply the appropriate patch for your system. Refer to Sun Alert ID: 55602 for more information. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest xfree86 package (4.1.0-16woody1 or later), as listed in DSA-380-1. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest eterm package (0.9.2-0pre2002042903.3 or later), as listed in DSA-496-1. See References.

For HP-UX 11.22:
Download the latest patch (PHSS_29736 or later), as listed in as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For HP-UX 11.11:
Download the latest patch (PHSS_29735 or later), as listed in as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For HP-UX 11:04:
Download the latest patch (PHSS_30167 or later), as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For HP-UX 11.00:
Download the latest patch (PHSS_29735 or later), as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • Apple Web site: About the security content of Security Update 2010-002 / Mac OS X v10.6.3.
  • aterm Web site: Aterm - AfterStep X Windows Terminal Emulator.
  • BugTraq Mailing List, Mon Feb 24 2003 - 20:09:39 CST : Re: Terminal Emulator Security Issues .
  • CIAC Information Bulletin N-110: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes.
  • CIAC Information Bulletin O-056: Hewlett-Packard dtterm Vulnerability.
  • Eterm Web site: Eterm.Org.
  • Gentoo Linux Security Announcement 200303-1: eterm -- dangerous interception of escape sequences.
  • Gentoo Linux Security Announcement 200303-16: rxvt multiple vulnerabilities.
  • Gentoo Linux Security Announcement 200303-2: vte -- dangerous interception of escape sequences.
  • Gnome FTP site: Fix terminal title reporting.
  • GnomeFiles Web site: GNOME Terminal.
  • Hewlett-Packard Company Security Bulletin HPSBUX0401-309 SSRT3507: HP Tru64 UNIX dtterm Potential Security Vulnerability.
  • PuTTY Web site: PuTTY: a free Win32 telnet/ssh client.
  • Sun Alert ID: 55602: Sun Linux 5.0 Security Vulnerabilities in XFree86 Packages.
  • VulnWatch Mailing List, Mon Feb 24 2003 - 15:02:52 CST : Terminal Emulator Security Issues .
  • BID-10237: ETerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6940: XTerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6941: Eterm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6942: DTTerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6945: UXTerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6946: Hanterm-XF Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6948: Gnome-Terminal Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6953: RXVT Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-8548: HP Tru64 UNIX Unspecified DTTerm Denial Of Service Vulnerability
  • CVE-2003-0063: The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0064: The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0065: The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0066: The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0067: The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0068: The Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0069: The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0070: VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0077: The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and possibly later versions, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • DSA-380: xfree86 -- buffer overflows
  • DSA-496: eterm -- missing input sanitising
  • MDKSA-2003:034: Updated rxvt packages fix escape sequence insecurities
  • MDKSA-2003:034-1: Updated rxvt packages fix escape sequence insecurities
  • MDKSA-2003:040: Updated Eterm packages fix escape sequence insecurities
  • MDVSA-2010:161: vte
  • OSVDB ID: 4591: Eterm Window Title Escape Sequence Arbitrary Command Execution
  • OSVDB ID: 4917: Hangul Terminal hanterm-xf Window Title Escape Sequence Arbitrary Command Execution
  • OSVDB ID: 60454: dtterm Window Title Escape Sequence Arbitrary Command Execution
  • OSVDB ID: 60455: uxterm Window Title Escape Sequence Arbitrary Command Execution
  • OSVDB ID: 60457: aterm Window Title Escape Sequence Arbitrary Command Execution
  • OSVDB ID: 60458: gnome-terminal (vte) Window Title Escape Sequence Arbitrary Command Execution
  • OSVDB ID: 8347: PuTTY Window Title Escape Character Arbitrary Command Execution
  • RHSA-2003-053: Updated vte packages fix gnome-terminal vulnerability
  • RHSA-2003-054: Updated rxvt packages fix various vulnerabilites
  • RHSA-2003-055: rxvt security update
  • RHSA-2003-064: Updated XFree86 4.1.0 packages are available
  • RHSA-2003-065: XFree86 security update
  • RHSA-2003-066: Updated XFree86 packages provide security and bug fixes
  • RHSA-2003-067: Updated XFree86 packages provide security and bug fixes
  • RHSA-2003-070: Updated hanterm packages provide security fixes
  • RHSA-2003-071: hanterm-xf security update

Platforms Affected:

  • Afterstep aterm 0.4.2
  • Apple Mac OS X 10.5.8
  • Apple Mac OS X 10.6
  • Apple Mac OS X 10.6.1
  • Apple Mac OS X 10.6.2
  • Apple Mac OS X Server 10.5.8
  • Apple Mac OS X Server 10.6
  • Apple Mac OS X Server 10.6.1
  • Apple Mac OS X Server 10.6.2
  • Debian Debian Linux 3.0
  • dtterm dtterm
  • Gentoo Linux
  • GNOME gnome-terminal 2.0.2
  • Gnome VTE 0.24
  • HP HP-UX 11
  • HP HP-UX 11.04
  • HP HP-UX 11.11
  • HP HP-UX 11.22
  • Institute of Systems Science uxterm
  • Jake Song hanterm-xf 2.0
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Linux 9.1
  • MandrakeSoft Mandrake Linux 9.1 PPC
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • Mandriva Linux 2009.1
  • Mandriva Linux 2009.1 X86_64
  • Mandriva Linux 2010
  • Mandriva Linux 2010 X86_64
  • Michael Jennings Eterm 0.9.1 and prior
  • PuTTY PuTTY 0.53
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 AW
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux 8.0
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • rxvt rxvt 2.7.8
  • Sun Linux 5.0
  • XFree86 XFree86 4.2.0

Reported:

Feb 24, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page