[29123] in bugtraq
Re: Terminal Emulator Security Issues
daemon@ATHENA.MIT.EDU (Michael Jennings)
Mon Mar 3 13:06:31 2003
Date: Sun, 2 Mar 2003 16:37:12 -0500
From: Michael Jennings <mej@eterm.org>
To: bugtraq@securityfocus.com
Message-ID: <20030302213711.GC27459@kainx.org>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030225172838.GA8584@kainx.org>
> > Would stripping escape sequences from the window title work? Do you
> > know of any applications that actually use this feature?
>
> ...snip...
>
> (Incidentally, I was unable to embed any such sequences in the
> title/icon name in 0.9.2 anyway...but I didn't try for very long, so
> I may have missed something.)

After further investigation, I'd like to point out the following:

Eterm has *never* allowed any control characters in its title/icon
name sequences. The following bit of code has existed at least since
Eterm was first committed to CVS:

    else if (ch < ' ')
        return; /* control character - exit */

in term.c::process_xterm_seq(), line 1270 or so.

So there was never any way to get escape sequences in the title to
begin with, meaning that the command cannot be hidden using any
character attributes or background/foreground color matching.

Furthermore, the title which is printed via the \e[21t sequence is
limited to just under 1024 characters, which is not enough to cause
the command to scroll off the screen on any but the smallest of
terminals.

Thus, the following footnote from the original report applies to Eterm
as well:

    [1] Although putty would place the title onto the command-line, we
    were not able to find a method of hiding the command, since
    neither the "invisible" character attribute nor the foreground
    color could be set. Putty has a relatively low limit to the number
    of characters that can be placed into the window title, so it is
    not possible to simply flood the screen with garbage and hope the
    command rolls past the current view.

Having said all that, it would seem that Eterm 0.9.2 is not vulnerable
to ANY of the issues mentioned in this report. As such, all
distributions shipping older versions of Eterm should be safe after
upgrading to 0.9.2. To that end, Eterm source and RPM packages are
available for download at http://www.eterm.org/download/ for any
vendor/user with 0.9.1 or earlier.

Hope that clears everything up. :-)

Regards,
Michael
--
Michael Jennings (a.k.a. KainX) http://www.kainx.org/ <mej@kainx.org>
n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
"By the time they had diminished from 50 to 8, the other dwarves
began to suspect 'Hungry' ..." -- Gary Larson, "The Far Side"
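
The two properties the message relies on, refusing a title that contains any control character and capping its length, shown as an added example that is not Eterm's code and not part of the original post. The names read_title, check_title and TITLE_MAX are hypothetical, the sample inputs are constructed, and refusing DEL and the 0x80-0x9f range goes beyond the check quoted in the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 1024 /* assumed cap; the post only says "just under 1024" */

/* Hypothetical helper (not Eterm's process_xterm_seq()): copies the text of
 * an xterm title sequence, i.e. the bytes following "ESC ] 0 ;", into out.
 * Returns the title length, or -1 if the whole title is refused. */
int read_title(const unsigned char *in, size_t len, char *out, size_t out_sz)
{
    size_t n = 0;
    if (out_sz == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = in[i];
        int st = (ch == 0x1b && i + 1 < len && in[i + 1] == '\\');
        if (ch == 0x07 || st) {         /* BEL or ESC \ ends the title */
            out[n] = '\0';
            return (int)n;
        }
        /* C0 controls are refused, like the ch < ' ' check in the post.
         * DEL and C1 (0x80-0x9f) are added assumptions for 8-bit input;
         * a UTF-8 terminal would decode first and test code points. */
        if (ch < ' ' || ch == 0x7f || (ch >= 0x80 && ch <= 0x9f))
            break;
        if (n + 1 >= out_sz)            /* too long: refuse, do not truncate */
            break;
        out[n++] = (char)ch;
    }
    out[0] = '\0';                      /* refused or unterminated */
    return -1;
}

/* Convenience wrapper for NUL-terminated sample input. */
int check_title(const char *raw)
{
    char buf[TITLE_MAX];
    return read_title((const unsigned char *)raw, strlen(raw), buf, sizeof buf);
}

int main(void)
{
    /* Constructed inputs: a plain title, then one carrying ESC [ 8 m. */
    printf("%d\n", check_title("build log\a"));
    printf("%d\n", check_title("\x1b[8mtext\a"));
    return 0;
}
```

Refusing the whole title, rather than stripping the offending bytes and keeping the rest, means a title that is later reported back can never contain part of a sequence the filter did not fully recognise.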