Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 30 Apr 2014 11:33:30 +0100
From: Conor McCarthy <mr.spuratic@...il.com>
To: oss-security@...ts.openwall.com
Cc: rxvt@...morp.de
Subject: CVE request: rxvt-unicode user-assisted arbitrary commands execution

All,
 I would like to request a CVE for the following issue.

rxvt-unicode-9.20 (aka urxvt) includes a security update [1] to address a
user-assisted arbitrary commands execution issue. This can be exploited
by the unprocessed display of certain escape sequences in a crafted text
file or program output.

Vendor/author Marc Lehmann was notified last week, the updated version was
released on 2014-04-26. My thanks to Marc for his prompt responses and
valuable assistance.

This is a similar attack vector to CVE-2003-0063, CVE-2008-2383,
and CVE-2010-2713.

rxvt-unicode supports the xterm OSC escape sequences[2] to read, write and
delete the X properties of the terminal window. This function is in the
group of OSC escapes which allow read/write access to the icon name and
window title, however read access to those is allowed only with the
"-insecure" command line option. The update in 9.20 makes "-insecure"
a requirement for read access to the window properties also.

This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all
versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version
3.0, prior to that parts of the code are not supported by a contemporary
g++ .)

Arbitrary window properties can be written, and arbitrary properties can
be read, placing the contents in the terminal input buffer, as is the
convention. From a bash prompt in urxvt (9.19):

    $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
    ^[]3;urxvt^G
    $'\E]3;urxvt'

It follows that arbitrary command sequences can be constructed using this,
and unintentionally executed if used in conjunction with various other
escape sequences.

Regards,
 Conor.

[1] http://dist.schmorp.de/rxvt-unicode/Changes
[2] http://invisible-island.net/xterm/ctlseqs/ctlseqs.html

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.