
List:       oss-security
Subject:    [oss-security] CVE request: rxvt-unicode user-assisted arbitrary commands execution
From:       Conor McCarthy <mr.spuratic () gmail ! com>
Date:       2014-04-30 10:33:30
Message-ID: CANmXKc4quVKOdVY26Mid-MRQHRwc2yPbd+hUWonhKrj-1pBhOg () mail ! gmail ! com

All,
 I would like to request a CVE for the following issue.

rxvt-unicode-9.20 (aka urxvt) includes a security update [1] to address a
user-assisted arbitrary commands execution issue. This can be exploited
by the unprocessed display of certain escape sequences in a crafted text
file or program output.

Vendor/author Marc Lehmann was notified last week; the updated version was
released on 2014-04-26. My thanks to Marc for his prompt responses and
valuable assistance.

This is a similar attack vector to CVE-2003-0063, CVE-2008-2383,
and CVE-2010-2713.

rxvt-unicode supports the xterm OSC escape sequences[2] to read, write and
delete the X properties of the terminal window. This function is in the
group of OSC escapes which allow read/write access to the icon name and
window title, however read access to those is allowed only with the
"-insecure" command line option. The update in 9.20 makes "-insecure"
a requirement for read access to the window properties also.

This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all
versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version
3.0; prior to that, parts of the code are not supported by a contemporary
g++.)

Arbitrary window properties can be written, and arbitrary properties can
be read, placing the contents in the terminal input buffer, as is the
convention. From a bash prompt in urxvt (9.19):

    $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
    ^[]3;urxvt^G
    $'\E]3;urxvt'

It follows that arbitrary command sequences can be constructed using this,
and unintentionally executed if used in conjunction with various other
escape sequences.

Regards,
 Conor.

[1] http://dist.schmorp.de/rxvt-unicode/Changes
[2] http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
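
Added example, not part of the original message and not rxvt-unicode code: a Python filter that flags OSC 3 property sequences such as the one in the demonstration above in untrusted text, and renders control characters inertly (in the `^[` / `^G` notation) before display. The `?PROP` read form is taken from the message; the `prop=value` write and bare `prop` delete forms are assumed from the xterm control-sequence document cited as [2]; function names and the sample data are constructed.

```python
import re

# OSC starts with ESC ] (or C1 U+009D) and ends with BEL, ESC \ (ST) or C1 U+009C.
# Works on decoded text so UTF-8 continuation bytes are not mistaken for C1 codes.
OSC_RE = re.compile(r"(?:\x1b\]|\x9d)(\d+);([^\x07\x1b\x9c]*)(?:\x07|\x1b\\|\x9c)")

def find_property_oscs(text):
    """Return (offset, operation, property) for every OSC 3 sequence in text."""
    hits = []
    for m in OSC_RE.finditer(text):
        if m.group(1) != "3":          # only the X property OSC is of interest here
            continue
        arg = m.group(2)
        if arg.startswith("?"):        # read form shown in the message
            hits.append((m.start(), "read", arg[1:]))
        elif "=" in arg:               # assumed write form: prop=value
            hits.append((m.start(), "write", arg.split("=", 1)[0]))
        else:                          # assumed delete form: bare prop
            hits.append((m.start(), "delete", arg))
    return hits

def make_printable(text):
    """Replace C0/C1 control characters so a terminal never interprets them."""
    out = []
    for ch in text:
        o = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif o < 0x20:
            out.append("^" + chr(o + 0x40))   # ESC -> ^[, BEL -> ^G
        elif o == 0x7F:
            out.append("^?")
        elif 0x80 <= o <= 0x9F:
            out.append("\\x%02x" % o)
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample: program output carrying the property query from the message.
SAMPLE = "build ok\n\x1b]3;?WM_CLASS\x07done\n"

if __name__ == "__main__":
    for offset, op, prop in find_property_oscs(SAMPLE):
        print("offset %d: OSC 3 %s of property %r" % (offset, op, prop))
    print(make_printable(SAMPLE), end="")
```
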