Xterm terminal emulator executes injected commands
Attackers can exploit a vulnerability in xterm, the terminal emulator for the X Window System, to execute commands of their choosing when the user views a file containing a particular escape sequence. To become a victim, the user must display a prepared file with the DECRQSS escape sequence embedded in it. One way to test for the vulnerability is to create a file with
perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log
and then display the resulting bla.log file with cat bla.log. If xterm is vulnerable, the whoami command will be executed.
Paul Szabo, who discovered the problem, reported that he had been able to trigger it by leaving an appropriately crafted entry in the syslog file. When the root user later views the file in the course of checking system logs, the sequence is triggered and the commands are executed as root.
The escape sequence could be delivered by other means too, such as sending an email message to a victim.
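A check that can be run over a log before it is displayed in a terminal, given here as an added example that is not part of the original article: it flags lines carrying the DECRQSS introducer or other control characters and renders the file with those bytes made visible. The function names and the sample log lines are constructed for illustration.

```python
import re
import unicodedata

# DECRQSS is DCS "$q" ... ST. DCS is 7-bit ESC P or the C1 control 0x90, seen
# here as U+0090 (UTF-8 encoded) or U+DC90 (raw byte kept by surrogateescape).
DECRQSS = re.compile("(?:\x1bP|[\x90\udc90])\\$q")

# Constructed sample: two ordinary syslog lines around the article's test string.
SAMPLE = (
    b"Jan  1 00:00:01 host sshd[101]: session opened for user alice\n"
    b"Jan  1 00:00:02 host app: \x1bP$q\nwhoami\n\x1b\\\n"
    b"Jan  1 00:00:03 host cron[102]: job finished\n"
)


def _decode(raw: bytes) -> str:
    # surrogateescape keeps undecodable bytes instead of dropping them
    return raw.decode("utf-8", errors="surrogateescape")


def _is_unsafe(ch: str) -> bool:
    # Cc = C0/C1 controls and DEL; Cs = raw bytes carried as lone surrogates
    return ch != "\t" and unicodedata.category(ch) in ("Cc", "Cs")


def scan_log(raw: bytes):
    """Return (line_number, kind) for each line holding terminal control data."""
    findings = []
    for number, line in enumerate(_decode(raw).split("\n"), start=1):
        if DECRQSS.search(line):
            findings.append((number, "DECRQSS"))
        elif any(_is_unsafe(ch) for ch in line):
            findings.append((number, "control"))
    return findings


def make_printable(raw: bytes) -> str:
    """Render the log with every control byte shown as \\xNN text."""
    return "".join(
        ch if ch == "\n" or not _is_unsafe(ch) else "\\x%02x" % (ord(ch) & 0xFF)
        for ch in _decode(raw)
    )


if __name__ == "__main__":
    for number, kind in scan_log(SAMPLE):
        print("line %d: %s" % (number, kind))
    print(make_printable(SAMPLE))
```

Because the test string spans several lines, the introducer and the terminator are reported on different line numbers.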
Debian and Ubuntu have already released patches to close the hole, and an official patch is also available. The Ubuntu update also addresses another problem with xterm in which window title operations were not handled safely. The Debian update goes further, disabling the ability of escape sequences to change the font, set user-defined keys and modify X properties.
See Also:
- xterm: DECRQSS and comments, bug report by Paul Szabo
(djwm)