
Bug#384593: xterm: allowWindowOps should be disabled by default



On Fri, Aug 25, 2006 at 12:04:10PM +0200, Samuel Thibault wrote:
> There are some concerns with the window operations that XTerm
> emulates. CSI 21t (report window title) in particular, because since OSC
> 0/1/2 ST let you decide the window title, one can decide what CSI 21t
> returns, which might then be read by the user's shell as a command to
> execute.  The "xterm-security" attached file is an example of how this
> might be exploited: just "cat" it from any shell running in uxterm or
> xterm, ls gets executed.

Incidentally, I believe this is (or was) a regression: something like
ten years ago, I went through all xterm sequences to see if some could
be exploited in the way you describe, and I came to the conclusion, at
the time, that the window title channel was not exploitable (probably
because xterm sanitized the contents in some way), so I'm surprised to
find this creeping up now.  But maybe it was a different race of xterm
(like, Solaris OpenWindows, pre-X11R6), and I'm a little lost in the
pedigree of this program.  Maybe my memory serves me badly: I also
seem to recall that one potentially exploitable functionality of xterm
was some way of redefining keys to arbitrary character sequences -
apparently either this is now gone or perhaps I dreamed the whole
thing up.

Sorry for ranting. :-)

-- 
     David A. Madore
    (david.madore@ens.fr,
     http://www.madore.org/~david/ )
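
Added example, not part of the original message or of xterm: a byte-level check for the combination described in the quoted report, an OSC 0/1/2 title change followed by a CSI 21t title report request, plus a filter that strips both before untrusted text is displayed. The function names and the sample input are constructed for illustration; the patterns cover the 7-bit and raw 8-bit introducers and do not decode UTF-8.

```python
import re

# OSC 0/1/2 <text>, terminated by BEL or ST, sets icon name and/or window title.
OSC_SET_TITLE = re.compile(
    rb"(?:\x1b\]|\x9d)([012]);(.*?)(?:\x07|\x1b\\|\x9c)", re.DOTALL)
# CSI 21 t asks the terminal to send the window title back on its input side.
CSI_REPORT_TITLE = re.compile(rb"(?:\x1b\[|\x9b)21t")

# Constructed sample: harmless title text, then a report request.
SAMPLE = b"hello\n\x1b]2;constructed title\x07\x1b[21tbye\n"


def scan(data: bytes) -> dict:
    """Locate title-setting sequences and title report requests in data."""
    titles = [(int(m.group(1)), m.group(2), m.start())
              for m in OSC_SET_TITLE.finditer(data)]
    reports = [m.start() for m in CSI_REPORT_TITLE.finditer(data)]
    # The combination to flag: a title chosen by the data, then a request
    # that makes the terminal echo that title to whatever reads its input.
    first_set = min((off for _, _, off in titles), default=None)
    echo_back = first_set is not None and any(r > first_set for r in reports)
    return {"titles": titles, "reports": reports, "echo_back": echo_back}


def neutralize(data: bytes) -> bytes:
    """Remove both sequence kinds, repeating until nothing more matches.

    One pass is not enough: deleting a sequence can join the bytes on
    either side of it into a new sequence, so loop to a fixed point.
    Each changing pass shortens the data, so the loop terminates.
    """
    while True:
        cleaned = CSI_REPORT_TITLE.sub(b"", OSC_SET_TITLE.sub(b"", data))
        if cleaned == data:
            return cleaned
        data = cleaned


if __name__ == "__main__":
    result = scan(SAMPLE)
    print("title sets:", result["titles"])
    print("report requests at offsets:", result["reports"])
    print("echo-back combination present:", result["echo_back"])
    print("neutralized:", neutralize(SAMPLE))
```
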
