In association with heise online

06 January 2009, 11:14

Xterm terminal emulator executes injected commands

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Attackers can use a vulnerability in xterm, the terminal emulator for the X Window system, to execute their commands when the user views a file with a particular escape sequence. To be a victim, the user must display a prepared file with the DECQRSS escape sequence embedded in it. One way to test for the vulnerability is to create a file

perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log

and then display the resulting bla.log file with cat bla.log. If vulnerable, the whoami command will be executed.

Paul Szabo, who discovered the problem, reported that he had been able to invoke the problem by leaving an appropriately crafted entry in the syslog file. Later, when the root user views the file in the course of checking system logs, the sequence is triggered and executes commands as root.

The escape sequence could be delivered by other means too, such as sending an email message to a victim.

Debian and Ubuntu have already released patches to close the hole, and an official patch has been released. The Ubuntu update also addresses another problem with xterm where window title operations were not safely handled. The Debian update goes further, disabling the ability for escape sequences to change font, set user-defined keys and modify X properties.

See Also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit