The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of xterm: command injection via DECRQSS

Synthesis of the vulnerability 

An attacker can invite the victim to display a text file containing a malicious DECRQSS ANSI sequence in order to execute a command on his computer.
Vulnerable systems: Debian, Fedora, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity of this threat: 2/4.
Creation date: 30/12/2008.
References of this weakness: 254208, 510030, 6790248, BID-33060, CVE-2008-2383, DSA-1694-1, DSA-1694-2, FEDORA-2009-0059, FEDORA-2009-0091, FEDORA-2009-0154, MDVSA-2009:005, RHSA-2009:0018-01, RHSA-2009:0019-01, SSA:2009-069-03, SUSE-SR:2009:002, SUSE-SR:2009:003, VIGILANCE-VUL-8360.

Description of the vulnerability 

ANSI escape sequences add features to terminals (ESC below denotes the "escape" character, value 0x1B):
 - ESC [ line ; column H : move the cursor on the screen
 - ESC [ 33 m : change the colour
 - etc.

More complex string sequences are also supported (DCS = Device Control String = "ESC P", ST = String Terminator = "ESC \"):
 - DCS $ q function ST : (DECRQSS) query the setting of a function (such as the scrolling speed)
 - DCS status $ r result ST : (DECRPSS) the terminal's reply carrying the result
 - etc.

The function string carried by a DECRQSS request is not filtered before the terminal sends it back in its DECRPSS reply, and that reply reaches the shell as if it had been typed. The function name is thus interpreted as a shell command to run.

When the victim displays a text file coming from an untrusted source (such as a log file), the commands embedded in its ANSI sequences are thus run in the victim's shell.
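The defensive counterpart of the description above is to check files before they are sent to a terminal. The following scanner is an added example written for this page (it is not xterm's code nor part of the Vigil@nce bulletin): it locates DCS sequences in 7-bit and 8-bit form, singles out DECRQSS requests (body starting with "$q"), maps each finding to a line number, and replaces the sequences with a visible marker while optionally leaving plain colour codes in place. The log lines in SAMPLE_LOG are constructed for the demonstration, and the function text inside the DECRQSS is a placeholder, not a real function name.

```python
"""Scan text destined for a terminal for DCS / DECRQSS sequences and neutralise them.

Added example, not code from xterm or from the bulletin.  SAMPLE_LOG is constructed;
the marker strings and function names are this example's own.
"""
import bisect
import re

# Device Control String: 7-bit "ESC P" or 8-bit C1 0x90, ended by ST ("ESC \" or 0x9c).
# A DCS that never receives its terminator keeps the terminal in string mode up to the
# end of the input, so an unterminated one is matched through to the end (\Z) as well.
DCS_RE = re.compile(r"(?:\x1bP|\x90)(.*?)(?:\x1b\\|\x9c|\Z)", re.DOTALL)

# Control Sequence Introducer sequences (ESC [ ... final byte), e.g. cursor moves.
CSI_RE = re.compile(r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]")
# The SGR subset (colour / attribute changes) is the only CSI a log file has a good
# reason to carry, so it can optionally be kept.
SGR_RE = re.compile(r"(?:\x1b\[|\x9b)[0-9;]*m")


def classify_dcs(payload):
    """A DCS whose body starts with '$q' is a DECRQSS request.  Any DCS in a plain
    text file is unexpected, but DECRQSS is the one whose reply is echoed back."""
    return "DECRQSS" if payload.startswith("$q") else "DCS"


def find_dcs(text):
    """Return every DCS sequence in text with its offset, kind and raw body."""
    findings = []
    for m in DCS_RE.finditer(text):
        payload = m.group(1)
        findings.append({"offset": m.start(),
                         "kind": classify_dcs(payload),
                         "payload": payload})
    return findings


def report(text):
    """Map findings to 1-based line numbers, scanning the whole text so that a DCS
    whose body spans several lines is still seen as one sequence."""
    line_starts = [0] + [i + 1 for i, c in enumerate(text) if c == "\n"]
    found = {}
    for f in find_dcs(text):
        lineno = bisect.bisect_right(line_starts, f["offset"])
        found.setdefault(lineno, set()).add(f["kind"])
    return {n: sorted(kinds) for n, kinds in found.items()}


def sanitize(text, keep_colours=True):
    """Replace DCS sequences (and, unless they are plain colour codes, CSI
    sequences) with a visible marker so the file can be viewed safely."""
    text = DCS_RE.sub(lambda m: "<%s removed>" % classify_dcs(m.group(1)), text)

    def csi_repl(m):
        if keep_colours and SGR_RE.fullmatch(m.group(0)):
            return m.group(0)
        return "<CSI removed>"

    return CSI_RE.sub(csi_repl, text)


# Constructed sample "log file": one clean line, one with colour codes, and one where
# an attacker-controlled field (a user agent) smuggles a DECRQSS request.
SAMPLE_LOG = (
    "2008-12-30 10:00:01 sshd[123]: Accepted publickey for alice\n"
    "2008-12-30 10:00:02 app: \x1b[31mERROR\x1b[0m disk almost full\n"
    '2008-12-30 10:00:03 httpd: user-agent="\x1bP$qPLACEHOLDER-FUNCTION\x1b\\"\n'
)


if __name__ == "__main__":
    for lineno, kinds in sorted(report(SAMPLE_LOG).items()):
        print("line %d: %s" % (lineno, ", ".join(kinds)))
    print(sanitize(SAMPLE_LOG), end="")
```

Running the module prints "line 3: DECRQSS" and then the log with the request replaced by "<DECRQSS removed>" and the colour codes intact; passing keep_colours=False strips those as well. Scanning the whole file rather than line by line matters because a DECRQSS body may itself contain newlines.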

This vulnerability alert impacts software or systems such as Debian, Fedora, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this computer weakness alert is medium.

The trust level is "confirmed by the editor", with an origin of "document".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this computer vulnerability.

Solutions for this threat 

xterm: patch for DECRQSS.
A patch is available in information sources.

Debian: new xterm packages.
New packages are available:
  http://security.debian.org/pool/updates/main/x/xterm/xterm_222-1etch4_*.deb

Fedora: new xterm packages.
New packages are available:
  xterm-238-1.fc8
  xterm-238-1.fc9
  xterm-238-1.fc10

Mandriva: new xterm packages.
New packages are available:
 Mandriva Linux 2008.0: xterm-229-2.1mdv2008.0
 Mandriva Linux 2008.1: xterm-232-1.1mdv2008.1
 Mandriva Linux 2009.0: xterm-236-1.1mdv2009.0
 Corporate 3.0: xterm-184-1.1.C30mdk
 Corporate 4.0: xterm-203-1.1.20060mlcs4

RHEL 2.1: new hanterm-xf packages.
New packages are available:
Red Hat Enterprise Linux version 2.1 : hanterm-xf-2.0.5-5.AS21.2

RHEL 3, 4, 5: new xterm packages.
New packages are available:
Red Hat Enterprise Linux version 3: xterm-179-11.EL3
Red Hat Enterprise Linux version 4: xterm-192-8.el4_7.2
Red Hat Enterprise Linux version 5: xterm-215-5.el5_2.2

Slackware: new xterm packages.
New packages are available:
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/xterm-241-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/xterm-241-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/xterm-241-i486-1_slack12.2.tgz

Solaris: patch for xterm.
A patch is available:
  SPARC Platform
    OpenSolaris : build snv_107
  x86 Platform
    OpenSolaris : build snv_107

SUSE: new boinc-client, xrdp, phpMyAdmin, libnasl, moodle, xrdp, net-snmp, audiofile, XFree86/xterm, amarok, libpng, sudo, avahi packages.
New packages are available.

SUSE: new imlib2, valgrind, kvm, cups, lynx, xterm packages.
New packages are available.

Computer vulnerabilities tracking service 

Vigil@nce provides a software vulnerabilities note. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.