Date: Wed, 30 Apr 2014 11:33:30 +0100 From: Conor McCarthy <mr.spuratic@...il.com> To: oss-security@...ts.openwall.com Cc: rxvt@...morp.de Subject: CVE request: rxvt-unicode user-assisted arbitrary commands execution All, I would like to request a CVE for the following issue. rxvt-unicode-9.20 (aka urxvt) includes a security update  to address a user-assisted arbitrary commands execution issue. This can be exploited by the unprocessed display of certain escape sequences in a crafted text file or program output. Vendor/author Marc Lehmann was notified last week, the updated version was released on 2014-04-26. My thanks to Marc for his prompt responses and valuable assistance. This is a similar attack vector to CVE-2003-0063, CVE-2008-2383, and CVE-2010-2713. rxvt-unicode supports the xterm OSC escape sequences to read, write and delete the X properties of the terminal window. This function is in the group of OSC escapes which allow read/write access to the icon name and window title, however read access to those is allowed only with the "-insecure" command line option. The update in 9.20 makes "-insecure" a requirement for read access to the window properties also. This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version 3.0, prior to that parts of the code are not supported by a contemporary g++ .) Arbitrary window properties can be written, and arbitrary properties can be read, placing the contents in the terminal input buffer, as is the convention. From a bash prompt in urxvt (9.19): $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x"; ^3;urxvt^G $'\E]3;urxvt' It follows that arbitrary command sequences can be constructed using this, and unintentionally executed if used in conjunction with various other escape sequences. Regards, Conor.  http://dist.schmorp.de/rxvt-unicode/Changes  http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ