Re: CVE request: Escape Sequence Command Execution vulnerability in Terminology 0.7

[Nicolas Braud-Santoni <nicolas () braud-santoni eu>]

PS: Ascii-art lovers might prefer the enclosed exploit,
    which we wrote for our infosec lecture in Winter 2015
    at Graz University of Technology.

On Fri, Nov 04, 2016 at 05:59:59PM +0100, Nicolas Braud-Santoni wrote:
> Hi,
>
> Terminology 0.7.0 suffers from a bug similar to CVE-2003-0063, where an
> attacker able to print character escape sequences can modify the window
> title and then insert it back in the terminal's input buffer, resulting
> in arbitrary terminal input, including code execution as a local user.
>
> A concrete attack scenario can work as follows: the attacker gets a
> string triggering the vulnerability into a log file (or any other thing
> that eventually gets displayed to the user).  When it is, at some later
> point, displayed to the user, "echo 'evil'\n" gets written to the user's
> terminal's input buffer, resulting in that command being executed by the
> user's shell.
>
> For example:
>
> > printf "\e]2;echo 'evil'\n\a\e]2;?\a"
>
>
> The issue was fixed in Terminology by
> commit b80bedc7c21ecffe99d8d142930db696eebdd6a5 :
>
>   https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5
>
> I would like to apply for a CVE number for this issue,
> on behalf of the Debian security team.
>
>
> Best regards,
>
>   Nicolas Braud-Santoni

Attachment: Makefile
Description:

Attachment: marvin.txt
Description:

Attachment: terminalbug.S
Description:

Attachment: signature.asc
Description: