[15290] in bugtraq
Re: [rootshell.com] Xterm DoS Attack
daemon@ATHENA.MIT.EDU (Michael Jennings)
Sat Jun 10 03:59:10 2000
Mail-Followup-To: Simon Tatham <anakin@POBOX.COM>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20000608134148.G6042@valinux.com>
Date: Thu, 8 Jun 2000 13:41:48 -0700
Reply-To: Michael Jennings <mej@VALINUX.COM>
From: Michael Jennings <mej@VALINUX.COM>
X-To: Simon Tatham <anakin@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E12zFeu-00075I-00@ixion>; from anakin@POBOX.COM on Tue, Jun 06,
2000 at 10:28:28AM +0100
On Tuesday, 06 June 2000, at 10:28:28 (+0100),
Simon Tatham wrote:
> Philosophically, I have a hard time seeing this as a bug in any
> given terminal emulator. There _should_ be a way for a (trusted) app
> running in a terminal emulator to request window size changes and
> other such things; it's very useful.
Absolutely. Disabling the sequence altogether is an improper fix to
the problem. The solution as I implemented it in the newer Eterms was
to limit the resize request based on the screen size. I see very
little point in allowing a terminal window to resize itself larger
than the screen. This was just an arbitrary limit on my part, though;
if you wanted to choose a bit larger than the screen, same
difference. But there should be checks for reasonable values,
especially if you use the larger data types (like a 32- or 64-bit
integer) for the x/y sizes. A 2-billion-by-2-billion terminal window
doesn't make sense for anyone.
> And in the absence of separated control and data streams within a
> terminal session (in which case one could allow `cat' unrestricted
> access to the data stream and it would not be able to DoS by
> injecting malice into the control stream), the whole terminal
> session must be considered to be the control stream, and
> vulnerable. Don't `cat' untrusted files.
Unfortunately, the vulnerability extends well beyond simply "cat".
Theoretically it may be possible as a local user (or even a remote
one?) to cause such strings to be injected into the syslog/messages
file, which many sysadmins keep a running tail on. You've also got to
consider e-mail, which is often read through terminal clients. Then
there's IRC and other chat networks. Talk daemon requests (remember
flash?). Web pages viewed by lynx or other text-based browsers. The
list goes on....
Michael
--
"Some mornings, it's just not worth chewing through the leather
straps." -- Emo Phillips
=======================================================================
Michael Jennings <mej@eterm.org> www.tcserv.com PGP Key ID: BED09971
Software Engineer, VA Linux Systems Author, Eterm (www.eterm.org)
