Multiple vendor terminal emulator screen dump file overwrite

terminal-emulator-screen-dump (11413)

Medium Risk

Description:

Multiple vendor terminal emulator software packages, including Eterm could allow a remote or local attacker to overwrite arbitrary files, caused by improper handling of escape sequences when using the "screen dump" feature. Escape sequences are a series of characters that begin with the ASCII (0x1B) sequence and are followed by a series of arguments. If an attacker creates a file containing specially-crafted escape sequences, and then the terminal emulator user opens that file, the attacker could cause the targeted file to be overwritten with the contents of the terminal emulator window.

Platforms Affected:

• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• Michael Jennings, Eterm 0.9.1 and prior
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux Advanced Workstation 2.1 Itanium
• rxvt, rxvt 2.7.8

Remedy:

For Eterm:
Upgrade to the latest version of Eterm (0.9.2 or later), available from the Eterm Web site. See References.

For Gentoo Linux containing the eterm package:
Upgrade versions x11-terms/eterm (0.9.2-r3 or later), as listed in Gentoo Linux Security Announcement 200303-1. See References.

For Gentoo Linux containing the rxvt package:
Upgrade to the latest version of rxvt (2.7.8-r6 or later), as listed in Gentoo Linux Security Announcement 200303-16. See References.

For Red Hat Linux:
Upgrade to the latest rxvt package, as listed below. Refer to RHSA-2003:054-07 for more information. See References.

Red Hat 6.2: 2.7.8-3.6.2.1 or later
Red Hat 7.0: 2.7.8-3.7.0.1 or later
Red Hat 7.1: 2.7.8-3.7.1.1 or later
Red Hat 7.2 and 7.3: 2.7.8-4 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

• BugTraq Mailing List, Mon Feb 24 2003 - 20:09:39 CST , Re: Terminal Emulator Security Issues at http://archives.neohapsis.com/archives/bugtraq/2003-02/0323.html.
• Eterm Web site, Eterm.Org at http://www.eterm.org/.
• Gentoo Linux Security Announcement 200303-1, dangerous interception of escape sequences at http://www.linuxsecurity.com/content/view/104657/104/.
• Gentoo Linux Security Announcement 200303-16, rxvt multiple vulnerabilities at http://www.linuxsecurity.com/content/view/104759/104/.
• VulnWatch Mailing List, Mon Feb 24 2003 - 15:02:52 CST , Terminal Emulator Security Issues at http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html.
• BID-6936: Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
• BID-6938: RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
• BID-9930: Apache Error Log Escape Sequence Injection Vulnerability
• CVE-2003-0021: The screen dump feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.
• CVE-2003-0022: The screen dump feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.
• MDKSA-2003:034: Updated rxvt packages fix escape sequence insecurities
• MDKSA-2003:034-1: Updated rxvt packages fix escape sequence insecurities
• MDKSA-2003:040: Updated Eterm packages fix escape sequence insecurities
• RHSA-2003-054: Updated rxvt packages fix various vulnerabilites
• RHSA-2003-055: rxvt security update

Reported:

Feb 24, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page