Bug#384593: xterm: allowWindowOps should be disabled by default
On Fri, Aug 25, 2006 at 12:04:10PM +0200, Samuel Thibault wrote:
> There are some concerns with the window operations that XTerm
> emulates. CSI 21t (report window title) in particular, because since OSC
> 0/1/2 ST let you decide the window title, one can decide what CSI 21t
> returns, which might then be read by the user's shell as a command to
> execute. The "xterm-security" attached file is an example of how this
> might be exploited: just "cat" it from any shell running in uxterm or
> xterm, ls gets executed.

Incidentally, I believe this is (or was) a regression: something like ten years ago, I went through all xterm sequences to see if some could be exploited in the way you describe, and I came to the conclusion, at the time, that the window title channel was not exploitable (probably because xterm sanitized the contents in some way), so I'm surprised to find this creeping up now. But maybe it was a different race of xterm (like, Solaris OpenWindows, pre-X11R6), and I'm a little lost in the pedigree of this program.

Maybe my memory serves me badly: I also seem to recall that one potentially exploitable functionality of xterm was some way of redefining keys to arbitrary character sequences - apparently either this is now gone or perhaps I dreamed the whole thing up.

Sorry for ranting. :-)

--
David A. Madore ([EMAIL PROTECTED], http://www.madore.org/~david/ )

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
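The title channel discussed in this thread has two halves: OSC 0/1/2 sets the window title from whatever is written to the terminal, and CSI 21t makes the terminal echo that title back as if the user had typed it. Disabling the report on the terminal side is the fix the report asks for; on the viewer side, anything that displays untrusted files should neutralize such sequences before writing them out. The Python below is an added example, not code from the bug report, from xterm or from the Debian package: it strips escape and control sequences from text (keeping newline, tab and carriage return) and separately flags title-set and title-report sequences so a viewer can log them. The sample inputs are constructed for the example, and the regular expressions approximate the sequence families a VT-style terminal parses (CSI, OSC, DCS/SOS/PM/APC strings, two-byte ESC sequences, C1 controls); they are not xterm's own parser.

```python
import re
import sys

# Escape-sequence families a VT-style terminal parses. Order matters: the
# specific forms come first so the generic "ESC + final byte" alternative does
# not swallow the opening bracket of a CSI or OSC.
_SEQ_RE = re.compile(
    r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"   # CSI: ESC [ params intermediates final
    r"|\x9b[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"     # 8-bit CSI (U+009B)
    r"|\x1b\].*?(?:\x07|\x1b\\|\Z)"                 # OSC: ESC ] ... BEL or ST
    r"|\x9d.*?(?:\x07|\x9c|\x1b\\|\Z)"              # 8-bit OSC (U+009D)
    r"|\x1b[PX^_].*?(?:\x1b\\|\Z)"                  # DCS, SOS, PM, APC strings
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]"                 # other two-byte ESC sequences
    r"|[\x80-\x9f]",                                # any remaining C1 control
    re.DOTALL,
)

# The two halves of the title trick described in the bug report.
_TITLE_SET_RE = re.compile(r"\x1b\]([012]);(.*?)(?:\x07|\x1b\\|\Z)", re.DOTALL)
_TITLE_REPORT_RE = re.compile(r"(?:\x1b\[|\x9b)21t")

# Constructed samples (not taken from the report): the first carries an OSC 2
# title set immediately followed by a CSI 21 t report request, between ordinary
# text and SGR colour codes; the second sets a title containing a newline.
SAMPLE = "normal line\n\x1b]2;harmless title\x1b\\\x1b[21tmore text\n\x1b[31mred\x1b[0m\n"
SAMPLE_NEWLINE = "\x1b]0;first\nsecond\x07"

_KEEP_C0 = "\n\r\t"


def strip_control_sequences(text: str) -> str:
    """Return text with escape sequences and stray control characters removed.

    Newline, carriage return and tab survive because a log file legitimately
    contains them; everything else below 0x20, plus DEL, is dropped.
    """
    cleaned = _SEQ_RE.sub("", text)
    return "".join(
        ch for ch in cleaned
        if ch in _KEEP_C0 or (ord(ch) >= 0x20 and ch != "\x7f")
    )


def find_title_sequences(text: str) -> list:
    """Flag OSC 0/1/2 title sets and CSI 21 t title report requests.

    Each finding records the offset and kind; a title set also records the
    title and whether it contains a line break, which is what would turn an
    echoed title into a complete input line for the shell.
    """
    findings = []
    for m in _TITLE_SET_RE.finditer(text):
        title = m.group(2)
        findings.append({
            "offset": m.start(),
            "kind": "title-set",
            "title": title,
            "has_newline": ("\n" in title) or ("\r" in title),
        })
    for m in _TITLE_REPORT_RE.finditer(text):
        findings.append({"offset": m.start(), "kind": "title-report-request"})
    findings.sort(key=lambda f: f["offset"])
    return findings


def main(argv):
    # Usage: python safecat.py FILE...  (with no arguments the built-in sample is used).
    # Findings go to stderr, the cleaned text to stdout.
    if len(argv) > 1:
        for path in argv[1:]:
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            for f in find_title_sequences(text):
                sys.stderr.write(f"{path}: {f['kind']} at offset {f['offset']}\n")
            sys.stdout.write(strip_control_sequences(text))
    else:
        for f in find_title_sequences(SAMPLE):
            sys.stderr.write(f"sample: {f['kind']} at offset {f['offset']}\n")
        sys.stdout.write(strip_control_sequences(SAMPLE))


if __name__ == "__main__":
    main(sys.argv)
```

Note the unterminated-string cases: an OSC, DCS or similar string with no BEL or ST is matched through to the end of the input, which is also how a terminal treats it (it keeps collecting the string), so nothing after the opening sequence leaks through as text.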
Bug#384593: xterm: allowWindowOps should be disabled by default
Thomas Dickey, on Tue 05 Sep 2006 07:12:51 -0400, wrote:
> On Tue, Sep 05, 2006 at 12:00:14PM +0200, Samuel Thibault wrote:
> > tags 384593 + fixed-upstream
> > thanks
> >
> > This got fixed upstream in version 218.
>
> The #218 fix wasn't for the app-defaults setting, but to fix the bug that
> you reported with regard to non-printing characters.

Yes, and this fixes the eventual security issue that I raised.

> While testing this, I did notice that not all of the terminal emulators
> in Debian had eliminated the title-response string which is addressed by
> the allowWindowOps resource.

Oh? I tested a lot of them, and couldn't find any that provides it.

Samuel
Bug#384593: xterm: allowWindowOps should be disabled by default
On Tue, Sep 05, 2006 at 12:00:14PM +0200, Samuel Thibault wrote:
> tags 384593 + fixed-upstream
> thanks
>
> This got fixed upstream in version 218.

hmm - no. I implied that you should get the Debian package changed.

Current upstream is #219, btw.

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
Bug#384593: xterm: allowWindowOps should be disabled by default
On Tue, Sep 05, 2006 at 12:00:14PM +0200, Samuel Thibault wrote:
> tags 384593 + fixed-upstream
> thanks
>
> This got fixed upstream in version 218.

The #218 fix wasn't for the app-defaults setting, but to fix the bug that you reported with regard to non-printing characters.

While testing this, I did notice that not all of the terminal emulators in Debian had eliminated the title-response string which is addressed by the allowWindowOps resource. I'm reluctant to change the default resource value since (without a solid policy enforced for _all_ terminal emulators), it only would add to the bug reports that I have to deal with.

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
Bug#384593: xterm: allowWindowOps should be disabled by default
tags 384593 + fixed-upstream
thanks

This got fixed upstream in version 218.

Samuel
Bug#384593: xterm: allowWindowOps should be disabled by default
Package: xterm
Version: 210-3
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

There are some concerns with the window operations that XTerm emulates. CSI 21t (report window title) in particular, because since OSC 0/1/2 ST let you decide the window title, one can decide what CSI 21t returns, which might then be read by the user's shell as a command to execute. The "xterm-security" attached file is an example of how this might be exploited: just "cat" it from any shell running in uxterm or xterm, ls gets executed.

I know, "people should be capable of using a pager to view log-files." But people are not necessarily aware that displaying a mere file in a terminal might have such nefarious effect. So I'm wondering whether it might be preferable to disable allowWindowOps by default (the proposed patch does this), or at least add a new resource (disabled by default) for selectively enabling CSI 21t if the user really wants it. Another possibility would be to disable \n in titles that are accepted, but that doesn't prevent other possible attacks.

Note: among other X terminal emulators, I haven't found any other that implements CSI 21t, so only xterm seems to need patching.
Samuel

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages xterm depends on:
ii  libc6           2.3.6-15    GNU C Library: Shared libraries
ii  libfontconfig1  2.3.2-7     generic font configuration library
ii  libice6         1:1.0.0-3   X11 Inter-Client Exchange library
ii  libncurses5     5.5-2       Shared libraries for terminal hand
ii  libsm6          1:1.0.0-4   X11 Session Management library
ii  libx11-6        2:1.0.0-8   X11 client-side library
ii  libxaw7         1:1.0.1-5   X11 Athena Widget library
ii  libxext6        1:1.0.0-4   X11 miscellaneous extension librar
ii  libxft2         2.1.8.2-8   FreeType-based font drawing librar
ii  libxmu6         1:1.0.1-3   X11 miscellaneous utility library
ii  libxt6          1:1.0.0-5   X11 toolkit intrinsics library
ii  xbitmaps        1.0.1-2     Base X bitmaps

Versions of packages xterm recommends:
ii  xutils          1:7.1.ds-1  X Window System utility programs

-- no debconf information

--
Samuel Thibault <[EMAIL PROTECTED]>
What's this script do?
unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
Hint for the answer: not everything is computer-oriented. Sometimes you're in a sleeping bag, camping out.
(Contributed by Frans van der Zande.)

diff -ur xterm-210-debian/XTerm.ad xterm-210/XTerm.ad --- xterm-210-debian/XTerm.ad 2006-03-13 02:27:57.0 +0100 +++ xterm-210/XTerm.ad 2006-08-25 11:38:40.0 +0200 @@ -186,3 +186,5 @@ ! ! Alternatively, !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./[EMAIL PROTECTED]|(%[[:xdigit:]][[:xdigit:]]))+ + +*allowWindowOps: false

xterm-security Description: Binary data
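Review bot: the added `*allowWindowOps: false` line turns off every operation guarded by that resource, not only the CSI 21t title report, even though the report text itself names a narrower resource for CSI 21t alone as an alternative; the two added lines in XTerm.ad should carry a `! ...` comment (the file's comment style, visible on the preceding context line) saying why the default is flipped, so that users who find window operations gone know which resource to re-enable. Separately, the `!*on2Clicks: regex ...` context line as shown contains `[EMAIL PROTECTED]`, which is the list archive's address mangling rather than the real file contents, so this hunk will not apply cleanly as pasted; regenerate the context or send the patch as an attachment.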