Vendor: xterm
By: Unknown
N/A
CVSS
N/A
Command Execution
78
CWE
Product Name: xterm
Affected Version From: 222-1etch2
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Not available
CPE: a:xterm:xterm:222-1etch2
2009

xterm – DECRQSS Device Control Request Status String DCS $ q Command Execution

xterm answers a DECRQSS (Device Control Request Status String, DCS $ q) request that contains an invalid command by echoing the request text back. Because that reply arrives as terminal input, an attacker who gets a crafted DCS string displayed in the victim's xterm can run arbitrary commands by including them in the string. The string can be delivered in a malicious email, or written to syslog and later viewed by a privileged user.

Mitigation:

Update to a version that has this issue fixed.

Exploit-DB raw data:

Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole


DECRQSS Device Control Request Status String "DCS $ q" simply echoes
(responds with) invalid commands. For example,
perl -e 'print "\eP\$q\nbad-command\n\e\\"'
would run bad-command.

Exploitability is the same as for the "window title reporting" issue
in DSA-380: include the DCS string in an email message to the victim,
or arrange to have it in syslog to be viewed by root.

Original:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030

Test:

perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log
cat bla.log

If whoami gets executed you should update. 

# milw0rm.com [2009-01-06]
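
An added example, not part of the original advisory or bug report: a Python check that scans log or mail bytes for DECRQSS strings before they are shown in a terminal, and renders control characters as visible text so the terminal never interprets them. The function names and the sample log lines are constructed for illustration, and the input is assumed to be UTF-8.

```python
import re

# DCS = ESC P (7-bit) or U+0090 (C1); ST = ESC \ or U+009C.
# "$q" right after DCS marks a DECRQSS request. An unterminated string
# (log line cut short) is still reported, hence the \Z alternative.
DECRQSS_RE = re.compile(r"(?:\x1bP|\x90)\$q(.*?)(?:\x1b\\|\x9c|\Z)", re.DOTALL)

# C0 controls except tab and newline, DEL, and the C1 range.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def decode(raw: bytes) -> str:
    # Assumption: the data is UTF-8; undecodable bytes become U+FFFD.
    return raw.decode("utf-8", errors="replace")


def find_decrqss(raw: bytes):
    """Return a list of (line_number, payload) for each DECRQSS request found."""
    text = decode(raw)
    hits = []
    for m in DECRQSS_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1)))
    return hits


def make_visible(raw: bytes) -> str:
    """Render control characters as \\xNN text so a terminal shows them inertly."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), decode(raw))


# Constructed sample: one ordinary syslog-style line, then a line carrying
# the DCS string from the page's test (payload "whoami").
SAMPLE = (
    b"Jan  6 10:00:01 host sshd[100]: session opened for user alice\n"
    b"Jan  6 10:00:02 host app[200]: bad input \x1bP$q\nwhoami\n\x1b\\\n"
)

if __name__ == "__main__":
    for line_no, payload in find_decrqss(SAMPLE):
        print("DECRQSS request at line %d, payload %r" % (line_no, payload))
    print(make_visible(SAMPLE))
```

Viewing untrusted logs through a filter like `make_visible` (or `cat -v`) keeps the escape bytes from reaching the terminal at all, whatever the xterm version.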