Re: Terminal Emulator Security Issues

From: Michael Jennings (mejat_private)
Date: Sun Mar 02 2003 - 13:37:12 PST


    > > Would stripping escape sequences from the window title work? Do you
    > > know of any applications that actually use this feature?
    > 
    > ...snip...
    >
    > (Incidentally, I was unable to embed any such sequences in the
    > title/icon name in 0.9.2 anyway...but I didn't try for very long, so
    > I may have missed something.)
    
    After further investigation, I'd like to point out the following:
    
    Eterm has *never* allowed any control characters in its title/icon
    name sequences.  The following bit of code has existed at least since
    Eterm was first committed to CVS:
    
                    else if (ch < ' ')
                        return;     /* control character - exit */
    
    in term.c::process_xterm_seq(), line 1270 or so.
    
    So there was never any way to get escape sequences in the title to
    begin with, meaning that the command cannot be hidden using any
    character attributes or background/foreground color matching.
    
    Furthermore, the title which is printed via the \e[21t sequence is
    limited to just under 1024 characters, which is not enough to cause
    the command to scroll off the screen on any but the smallest of
    terminals.
    
    Thus, the following footnote from the original report applies to Eterm
    as well:
    
        [1] Although putty would place the title onto the command-line, we
        were not able to find a method of hiding the command, since
        neither the "invisible" character attribute nor the foreground
        color could be set. Putty has a relatively low limit to the number
        of characters that can be placed into the window title, so it is
        not possible to simply flood the screen with garbage and hope the
        command rolls past the current view.
    
    Having said all that, it would seem that Eterm 0.9.2 is not vulnerable
    to ANY of the issues mentioned in this report.  As such, all
    distributions shipping older versions of Eterm should be safe after
    upgrading to 0.9.2.  To that end, Eterm source and RPM packages are
    available for download at http://www.eterm.org/download/ for any
    vendor/user with 0.9.1 or earlier.
    
    Hope that clears everything up. :-)
    
    Regards,
    Michael
    
    -- 
    Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  <mejat_private>
    n + 1, Inc., http://www.nplus1.net/       Author, Eterm (www.eterm.org)
    -----------------------------------------------------------------------
     "By the time they had diminished from 50 to 8, the other dwarves 
      began to suspect 'Hungry' ..."        -- Gary Larson, "The Far Side"
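
Added example (not part of the original message, and not Eterm's code): a stand-alone C sketch of the filtering the message describes, where a title sequence containing any control character is dropped and the stored title is capped in length. The names `parse_title_seq` and `TITLE_MAX` are hypothetical, the exact cap is an assumption based on "just under 1024", and rejecting DEL (0x7f) goes beyond the quoted `ch < ' '` check.

```c
#include <stddef.h>

#define TITLE_MAX 1024 /* assumed buffer size; the post only says "just under 1024" */

/* Hypothetical helper, not Eterm's process_xterm_seq().
 * `in` holds the bytes that follow "ESC ]" in an xterm title sequence:
 *   <digits> ';' <text> BEL      or      <digits> ';' <text> ESC '\'
 * Returns the stored title length, or -1 if the sequence is dropped. */
int parse_title_seq(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t i = 0, len = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';

    while (i < n && in[i] >= '0' && in[i] <= '9')   /* numeric selector */
        i++;
    if (i == 0 || i >= n || in[i] != ';')
        return -1;
    i++;

    for (; i < n; i++) {
        unsigned char ch = in[i];

        if (ch == 0x07 || (ch == 0x1b && i + 1 < n && in[i + 1] == '\\')) {
            out[len] = '\0';            /* proper terminator: accept */
            return (int)len;
        } else if (ch < ' ' || ch == 0x7f) {
            out[0] = '\0';              /* control character: drop the title */
            return -1;
        }
        if (len + 1 < outsz)            /* truncate instead of overflowing */
            out[len++] = (char)ch;
    }
    out[0] = '\0';                      /* input ended before a terminator */
    return -1;
}
```

Because a rejected sequence leaves an empty title, nothing containing an escape sequence can later be echoed back by a title-report request.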
    


