lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 May 2021 04:38:34 +0300
From: def <>
Subject: Re: [FD] (u)rxvt terminal (+bash) remoteish code execution 0day

Minor clarifications and additional details for the post.

First and foremost, this vulnerability is not technically a zero-day for
rxvt-unicode since the bug has been independently discovered & publicly
discussed at oss-security at least in 2017:

Upstream patched the vulnerability silently back in 2017. According to
rxvt-unicode commit messages and changelog entries, the vulnerability
was considered to have minor "security implications" explaining why it
never was considered critical enough to backport to old Linux distros.
Moreover, the first patched version is rxvt-unicode 9.25 (2021-05-14)
released barely a couple of weeks ago. Therefore, most Linux distros
still ship *unpatched* rxvt-unicode 9.22 (2016-05-14). Yes, 9.23 & 9.24
version numbers do not exist because they were skipped in the upstream.

Nonetheless the exploit remains 0day (i.e., no upstream patch available)
for at least the following rxvt forks and derivatives.

 - rxvt 2.7.10 	(the original rxvt terminal)
 - mrxvt 0.5.4 	(unmaintainen rxvt teminal with tabs)
 - aterm 1.0.1 	(random rxvt-based terminal from Debbie "jessie" repos)
 - eterm 0.9.7 	(Enlightenmenth 

Finally, the vulnerability can be exploited in any context in which the
attacker can plant payload scripts in a subdirectory of CWD and trigger
code execution by writing (unescaped) ANSI escape sequences to stdout or
stderr. Suitable target programs besides `scp` include popular CLI tools
like `unrar` and `busybox tar` as demonstrated in the PoCs here:

Note that GNU tar is not exploitable due to properly escaped filenames.

- def

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists