Message-ID: <CANmXKc4quVKOdVY26Mid-MRQHRwc2yPbd+hUWonhKrj-1pBhOg@mail.gmail.com>
Date: Wed, 30 Apr 2014 11:33:30 +0100
From: Conor McCarthy <mr.spuratic@...il.com>
To: oss-security@...ts.openwall.com
Cc: rxvt@...morp.de
Subject: CVE request: rxvt-unicode user-assisted arbitrary commands execution

All,

I would like to request a CVE for the following issue.

rxvt-unicode-9.20 (aka urxvt) includes a security update [1] to address a user-assisted arbitrary commands execution issue. This can be exploited by the unprocessed display of certain escape sequences in a crafted text file or program output.

Vendor/author Marc Lehmann was notified last week; the updated version was released on 2014-04-26. My thanks to Marc for his prompt responses and valuable assistance.

This is a similar attack vector to CVE-2003-0063, CVE-2008-2383, and CVE-2010-2713.

rxvt-unicode supports the xterm OSC escape sequences [2] to read, write and delete the X properties of the terminal window. This function is in the group of OSC escapes which allow read/write access to the icon name and window title; however, read access to those is allowed only with the "-insecure" command line option. The update in 9.20 makes "-insecure" a requirement for read access to the window properties also.

This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version 3.0; prior to that, parts of the code are not supported by a contemporary g++.)

Arbitrary window properties can be written, and arbitrary properties can be read, placing the contents in the terminal input buffer, as is the convention. From a bash prompt in urxvt (9.19):

    $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
    ^[]3;urxvt^G
    $'\E]3;urxvt'

It follows that arbitrary command sequences can be constructed using this, and unintentionally executed if used in conjunction with various other escape sequences.

Regards,
Conor.
[1] http://dist.schmorp.de/rxvt-unicode/Changes [2] http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
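A defensive check for the class of sequence described in the post, added here as an example; it is not part of Conor's message or of rxvt-unicode. It locates xterm-style OSC sequences (ESC ] ... terminated by BEL or ST) in untrusted text such as a file or captured program output before that text reaches a terminal, flags the OSC 3 X-property forms the post describes (the "?" query form is taken from the sequence shown above), and strips them. The regex, function names and sample text are my own constructions.

```python
import re

# xterm OSC: ESC ] <Ps> [; <Pt>] terminated by BEL (0x07) or ST (ESC \).
# The 8-bit C1 introducer (0x9d) is deliberately not handled here.
OSC_RE = re.compile(r'\x1b\](?P<num>\d*)(?:;(?P<body>[^\x07\x1b]*))?(?:\x07|\x1b\\)')


def find_osc(text):
    """Return (Ps, Pt) for every OSC sequence found in text; Ps is None if absent."""
    found = []
    for m in OSC_RE.finditer(text):
        num = int(m.group('num')) if m.group('num') else None
        found.append((num, m.group('body') or ''))
    return found


def risky_osc(text):
    """Flag OSC 3 sequences, which on urxvt 2.7-9.19 touch X window properties.

    Per the post, '?PROP' reads PROP back into the terminal input buffer
    (the dangerous direction); any other Pt writes or deletes a property.
    """
    flagged = []
    for num, body in find_osc(text):
        if num != 3:
            continue
        if body.startswith('?'):
            flagged.append(('x-property read', body[1:]))
        else:
            flagged.append(('x-property write', body))
    return flagged


def strip_osc(text):
    """Remove every OSC sequence so the text can be displayed safely."""
    return OSC_RE.sub('', text)


# Constructed sample: a property read (BEL-terminated), a harmless title set
# (ST-terminated) and a property write, embedded in ordinary text.
SAMPLE = ('prefix \x1b]3;?WM_CLASS\x07 mid \x1b]0;title\x1b\\ end '
          '\x1b]3;WM_CLASS=injected\x07')

if __name__ == '__main__':
    for kind, prop in risky_osc(SAMPLE):
        print(f'flagged {kind}: {prop!r}')
    print(repr(strip_osc(SAMPLE)))
```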