Multiple vendor terminal emulator window title command execution

terminal-emulator-window-title (11414) The risk level is classified as MediumMedium Risk

Description:

Multiple vendor terminal emulator software packages, including XFree86 xterm, dtterm, uxterm, rxvt, aterm, Eterm, and PuTTY, gnome-terminal, and hanterm-xf could allow a remote or local attacker to modify the terminal window title and execute arbitrary commands on the system, caused by improper handling of malformed escape sequences. Escape sequences are a series of characters that begin with the ASCII (0x1B) sequence and are followed by a series of arguments. If an attacker creates a file containing specially-crafted escape sequences, and then the terminal emulator user opens that file, the attacker could modify the window title and then insert it back into the command line of the terminal emulator, which would allow the attacker to execute arbitrary commands on the system.

Platforms Affected:

  • Afterstep, aterm 0.4.2
  • Debian, Debian Linux 3.0
  • Gentoo, Linux
  • GNOME, gnome-terminal 2.0.2
  • HP, HP-UX 11
  • HP, HP-UX 11.04
  • HP, HP-UX 11.11
  • HP, HP-UX 11.22
  • Institute of Systems Science, uxterm
  • Jake Song, hanterm-xf 2.0
  • MandrakeSoft, Corporate Server 2.1
  • MandrakeSoft, Mandrakelinux 8.2
  • MandrakeSoft, Mandrakelinux 8.2 PPC
  • MandrakeSoft, Mandrakelinux 9.0
  • MandrakeSoft, Mandrakelinux 9.1 PPC
  • MandrakeSoft, Mandrakelinux 9.1
  • Michael Jennings, Eterm 0.9.1 and prior
  • PuTTY, PuTTY 0.53
  • RedHat, Enterprise Linux 2.1 AW
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Linux 6.2
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • RedHat, Linux 7.x
  • RedHat, Linux 8.0
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • rxvt, rxvt 2.7.8
  • Sun, Linux 5.0
  • XFree86, XFree86 4.2.0
  • , dtterm

Remedy:

For Eterm:
Upgrade to the latest version of Eterm (0.9.2 or later), available from the Eterm Web site. See References.

For Red Hat Linux:
Upgrade to the latest rxvt package, as listed below. Refer to RHSA-2003:054-07 for more information. See References.

Red Hat 6.2: 2.7.8-3.6.2.1 or later
Red Hat 7.0: 2.7.8-3.7.0.1 or later
Red Hat 7.1: 2.7.8-3.7.1.1 or later
Red Hat 7.2 and 7.3: 2.7.8-4 or later

For Red Hat Linux:
Upgrade to the latest hanterm package, as listed below. Refer to RHSA-2003:070-12 for more information. See References.

Red Hat 7.2 and 7.3: 2.0.5-5.7.4 or later
Red Hat 8.0: 2.0.5-5.8.0 or later

For Red Hat Linux 8.0 using the gnome-terminal:
Upgrade to the latest vte package (0.8.19-2 or later), as listed in RHSA-2003:053-10. See References.

For Red Hat Linux 8.0:
Upgrade to the latest XFree86 package (4.2.1-21 or later), as listed in RHSA-2003:067-19. See References.

For Red Hat Linux containing the hanterm package:
Upgrade to the latest hanterm package, as listed below. Refer to RHSA-2003:071-12 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v.2.1), WS (v.2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 2.0.5-5.AS21.1 or later

For Gentoo Linux containing the vte package:
Upgrade versions x11-libs/vte (0.10.25 or later), as listed in Gentoo Linux Security Announcement 200303-2. See References.

For Gentoo Linux containing the eterm package:
Upgrade versions x11-terms/eterm (0.9.2-r3 or later), as listed in Gentoo Linux Security Announcement 200303-1. See References.

For Gentoo Linux containing the rxvt package:
Upgrade to the latest version of rxvt (2.7.8-r6 or later), as listed in Gentoo Linux Security Announcement 200303-16. See References.

For Sun Linux 5.0:
Apply the appropriate patch for your system. Refer to Sun Alert ID: 55602 for more information. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest xfree86 package (4.1.0-16woody1 or later), as listed in DSA-380-1. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest eterm package (0.9.2-0pre2002042903.3 or later), as listed in DSA-496-1. See References.

For HP-UX 11.22:
Download the latest patch (PHSS_29736 or later), as listed in as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For HP-UX 11.11:
Download the latest patch (PHSS_29735 or later), as listed in as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For HP-UX 11:04:
Download the latest patch (PHSS_30167 or later), as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For HP-UX 11.00:
Download the latest patch (PHSS_29735 or later), as listed in HP-UX Security Bulletin HPSBUX0401-309. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

  • aterm Web site, Aterm - AfterStep X Windows Terminal Emulator at http://aterm.sourceforge.net/.
  • BugTraq Mailing List, Mon Feb 24 2003 - 20:09:39 CST , Re: Terminal Emulator Security Issues at http://archives.neohapsis.com/archives/bugtraq/2003-02/0323.html.
  • CIAC Information Bulletin N-110, Red Hat Updated XFree86 Packages Provide Security and Bug Fixes at http://www.ciac.org/ciac/bulletins/n-110.shtml.
  • CIAC Information Bulletin O-056, Hewlett-Packard dtterm Vulnerability at http://www.ciac.org/ciac/bulletins/o-056.shtml.
  • Eterm Web site, Eterm.Org at http://www.eterm.org/.
  • Gentoo Linux Security Announcement 200303-1, eterm -- dangerous interception of escape sequences at http://www.linuxsecurity.com/content/view/104657/104/.
  • Gentoo Linux Security Announcement 200303-16, rxvt multiple vulnerabilities at http://www.linuxsecurity.com/content/view/104759/104/.
  • Gentoo Linux Security Announcement 200303-2, vte -- dangerous interception of escape sequences at http://www.linuxsecurity.com/content/view/104658/104/.
  • GnomeFiles Web site, GNOME Terminal at http://www.gnomefiles.org/app.php?soft_id=113.
  • Hewlett-Packard Company Security Bulletin HPSBUX0401-309 SSRT3507, HP Tru64 UNIX dtterm Potential Security Vulnerability at http://archives.neohapsis.com/archives/compaq/2003-q3/0011.html.
  • PuTTY Web site, PuTTY: a free Win32 telnet/ssh client at http://www.chiark.greenend.org.uk/~sgtatham/putty/.
  • Sun Alert ID: 55602, Sun Linux 5.0 Security Vulnerabilities in XFree86 Packages at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55602&zone_32=category%3Asecurity.
  • VulnWatch Mailing List, Mon Feb 24 2003 - 15:02:52 CST , Terminal Emulator Security Issues at http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html.
  • BID-10237: ETerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6940: XTerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6941: Eterm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6942: DTTerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6945: UXTerm Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6946: Hanterm-XF Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6948: Gnome-Terminal Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-6953: RXVT Window Title Reporting Escape Sequence Command Execution Vulnerability
  • BID-8548: HP Tru64 UNIX Unspecified DTTerm Denial Of Service Vulnerability
  • CVE-2003-0063: The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0064: The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0065: The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0066: The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0067: The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0068: The Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0069: The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0070: VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • CVE-2003-0077: The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and possibly later versions, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
  • DSA-380: xfree86 -- buffer overflows
  • DSA-496: eterm -- missing input sanitising
  • MDKSA-2003:034: Updated rxvt packages fix escape sequence insecurities
  • MDKSA-2003:034-1: Updated rxvt packages fix escape sequence insecurities
  • MDKSA-2003:040: Updated Eterm packages fix escape sequence insecurities
  • OSVDB ID: 4917: Hangul Terminal hanterm-xf Window Title Command Execution
  • OSVDB ID: 8347: PuTTY Window Title Escape Character Arbitrary Command Execution
  • RHSA-2003-053: Updated vte packages fix gnome-terminal vulnerability
  • RHSA-2003-054: Updated rxvt packages fix various vulnerabilites
  • RHSA-2003-055: rxvt security update
  • RHSA-2003-064: Updated XFree86 4.1.0 packages are available
  • RHSA-2003-065: XFree86 security update
  • RHSA-2003-066: Updated XFree86 packages provide security and bug fixes
  • RHSA-2003-067: Updated XFree86 packages provide security and bug fixes
  • RHSA-2003-070: Updated hanterm packages provide security fixes
  • RHSA-2003-071: hanterm-xf security update

Reported:

Feb 24, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page