Bug#244811: marked as done (CAN-2003-0070 Arbitrary command execution a.o. via escape sequences)

Debian Bug Tracking System owner@bugs.debian.org
Fri, 10 Jun 2005 17:48:08 -0700


Your message dated Sat, 11 Jun 2005 02:37:46 +0200
with message-id <87aclxg23p.fsf@Orfeo.duckcorp.org>
and subject line CAN-2003-0070 Arbitrary command execution a.o. via escape sequences
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Tue, 20 Apr 2004 05:18:50 +0200
From: Jan Minar <jjminar@fastmail.fm>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-terminal: Arbitrary command execution a.o. via escape sequences
Message-ID: <20040420031849.GA4062@kontryhel.haltyr.dyndns.org>



Package: gnome-terminal
Version: 1.4.0.6-5
Severity: grave
Justification: user security hole
Tags: security

Hi.

I've read this [1] analysis by H D Moore.  No matter how convenient
the escape sequences that allow injecting of arbitrary data as-if typed
by the user might be, they should go, and they should go now.

[1] http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2

All the escape sequences that allow character injection into the user
input, i.e. arbitrary command execution after all, should be disabled,
especially those allowing the attacker to inject arbitrary or known
data, i.e. the window-title-reporting and icon-title-reporting ones,
and others.

All other escape sequences that allow the attacker to modify the user
environment should be disabled, too.  I'm not sure as which escape
sequences belong to this set.

Please read the abovementioned paper.  I will add a few remarks:

(1) It's possible to covertly inject arbitrary commands in a shell
command-line, by switching the echoing of characters typed off and on,
letting the user press the <Ret> him-/herself.

(2) There are many applications that allow bang-shell-escape, where
<Ret> is used e.g. for scrolling (less(1), mutt(1)).  Although the
dangerous escape sequences might be filtered out [by default], this can
be turned off -- And there *are* no warning signs.

(3) There probably is a way of abusing e.g. the readline(3) macro
ability, obviating the need of <Ret> being included in the payload; in
some environments, some ordinary ASCII character might be mapped to
<Ret> by default, even.

(4) This is a failure to separate the security domains cleanly, by
allowing the intruder to type things with the terminal owner's
privileges.  It breaks the security scheme very deeply, and exactly
because of this, ``nobody'' would expect it.

(5) Many observations made about MS Outlook & friends e.g. wrt the
click-me virii apply.  But this is even worse than Windows: Here any and
every file may contain executable code, any and every file may carry a
`virus'.

Cheers,
Jan.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages gnome-terminal depends on:
ii  gdk-imlib1             1.9.14-2          Gdk-Imlib is an imaging library fo
ii  gnome-bin              1.4.1.4-3         Miscellaneous binaries used by Gno
ii  libart2                1.4.1.4-3         The Gnome canvas widget - runtime
ii  libaudiofile0          0.2.3-4           The Audiofile Library
ii  libc6                  2.2.5-11.5        GNU C Library: Shared libraries an
ii  libdb3                 3.2.9-16          Berkeley v3 Database Libraries [ru
ii  libesd0                0.2.23-3          Enlightened Sound Daemon - Shared
ii  libglade-gnome0        1:0.17-2.2        Library to load .glade files at ru
ii  libglade0              1:0.17-2.2        Library to load .glade files at ru
ii  libglib1.2             1.2.10-4          The GLib library of C routines
ii  libgnome32             1.4.1.4-3         The Gnome libraries
ii  libgnomesupport0       1.4.1.4-3         The Gnome libraries (Support libra
ii  libgnomeui32           1.4.1.4-3         The Gnome libraries (User Interfac
ii  libgnorba27            1.4.1.4-3         Gnome CORBA services
ii  libgtk1.2              1.2.10-11         The GIMP Toolkit set of widgets fo
ii  libjpeg62              6b-5              The Independent JPEG Group's JPEG
ii  liborbit0              0.5.16-1          Libraries for ORBit - a CORBA ORB
ii  libpng2                1.0.12-3.woody.3  PNG library - runtime
ii  libtiff3g              3.5.5-6           Tag Image File Format library
ii  libungif4g             4.1.0b1-2         shared library for GIF images (run
ii  libwrap0               7.6-9             Wietse Venema's TCP wrappers libra
ii  libxml1                1:1.8.17-2woody1  GNOME XML library
ii  libzvt2                1.4.1.4-3         The Gnome zvt (zterm) widget
ii  scrollkeeper           0.3.6-3.1         A free electronic cataloging syste
ii  xlibs                  4.1.0-16woody3    X Window System client libraries
ii  zlib1g                 1:1.1.4-1.0woody0 compression library - runtime

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
   where this started and I think it goes back to the time I went to the circus,
   and a clown killed my dad."
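A defensive check for the class of sequences the report describes, added here as an example and not part of the bug report or of gnome-terminal: it flags OSC title-setting sequences and CSI window-title report requests in untrusted text (a log, a downloaded file) and renders control characters visible in cat -v style so a terminal prints them instead of interpreting them. The sample line is constructed.

```python
import re

# OSC (ESC ] Ps ; Pt) terminated by BEL or ESC \ ; Ps 0/1/2 set the icon/window title.
OSC_RE = re.compile(r"\x1b\](?P<ps>\d*)(?:;(?P<pt>[^\x07\x1b]*))?(?:\x07|\x1b\\)")
# CSI (ESC [ params intermediates final); final 't' with param 20/21 asks the
# terminal to echo the icon/window title back as if the user had typed it.
CSI_RE = re.compile(r"\x1b\[(?P<params>[0-?]*)(?P<inter>[ -/]*)(?P<final>[@-~])")
TITLE_SET = {"0", "1", "2"}
TITLE_REPORT = {"20", "21"}

def find_title_attacks(data: str):
    """Return (kind, offset, payload) for each title-set or title-report sequence."""
    findings = []
    for m in OSC_RE.finditer(data):
        if m.group("ps") in TITLE_SET:
            findings.append(("osc-set-title", m.start(), m.group("pt") or ""))
    for m in CSI_RE.finditer(data):
        first = m.group("params").split(";")[0]
        if m.group("final") == "t" and first in TITLE_REPORT:
            findings.append(("csi-report-title", m.start(), m.group("params")))
    findings.sort(key=lambda f: f[1])
    return findings

def sanitize(data: str) -> str:
    """Render C0/C1 controls (except newline and tab) in caret notation, like cat -v,
    so nothing in the text can drive the terminal."""
    out = []
    for ch in data:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:          # 8-bit C1 controls such as 0x9B (CSI)
            out.append("M-^" + chr(code - 0x40))
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample: a harmless line that sets the title and then asks for it back.
SAMPLE = "ls -l\n\x1b]2;title from untrusted file\x07\x1b[21t\x1b[31mred\x1b[0m"

if __name__ == "__main__":
    for kind, offset, payload in find_title_attacks(SAMPLE):
        print(f"{kind} at offset {offset}: {payload!r}")
    print(sanitize(SAMPLE))
```

Ordinary colour sequences (SGR, final byte `m`) are left alone by the detector and only made visible by `sanitize`, so a viewer can choose between the two depending on how much of the terminal it wants to expose to the data.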


---------------------------------------
From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 244811-done@bugs.debian.org
Subject: CAN-2003-0070 Arbitrary command execution a.o. via escape sequences
Organization: DuckCorp
X-URL: https://www.duckcorp.org/
X-GnuPG-Key: 0x90267086
Date: Sat, 11 Jun 2005 02:37:46 +0200
Message-ID: <87aclxg23p.fsf@Orfeo.duckcorp.org>


Coin,

Obsoleted by Sarge release.

-- 
Marc Dequènes (Duck)
