Headline
CVE-2022-41138: arbitrary code execution via DECRQSS (like CVE-2008-2383)
In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution.
Description Carter Sande 2022-09-04 20:32:34 UTC
Created attachment 803227: POC text file (runs “cat /etc/passwd” when displayed in Zutty)
x11-terms/zutty contains a vulnerability which allows arbitrary commands to be run by an attacker who can cause output to be sent to the terminal. Specifically, they can include newlines in an invalid DECRQSS command and Zutty will send those newlines (along with any command included) back to the shell. This vulnerability very closely resembles CVE-2008-2383 in xterm.
I have confirmed this vulnerability exists in x11-terms/zutty-0.12 in Gentoo, and I suspect it exists in all versions since 0.2 (when the code to handle DECRQSS was added).
I have not reported this issue to upstream, as I was unable to find a private method of contact. I would appreciate any help the Gentoo Security team can provide in responsibly disclosing/fixing the issue.
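The mechanism described above (a DCS `$q` request whose payload carries line breaks, reflected by the terminal into the shell's input) can be screened for on the defending side before untrusted text ever reaches a terminal. The following is an added example, not code from the bug report or from Zutty: it locates DECRQSS requests in a byte stream, flags those whose payload contains CR or LF, and strips all control strings from output that is about to be displayed. The sample input is constructed here and uses a placeholder token rather than a command.

```python
import re

# 7-bit control-string introducers: DCS (ESC P), APC (ESC _), PM (ESC ^), SOS (ESC X), OSC (ESC ]).
# DCS/APC/PM/SOS end at ST (ESC \); OSC also accepts BEL. The 8-bit C1 forms (0x90, 0x9C, ...)
# are deliberately not matched: in a UTF-8 stream those bytes occur as continuation bytes.
_CTRL_STRING = re.compile(
    rb"(?:\x1bP|\x1b_|\x1b\^|\x1bX).*?\x1b\\"
    rb"|\x1b\].*?(?:\x1b\\|\x07)",
    re.DOTALL,
)
# A DECRQSS request is a DCS whose payload begins with "$q"; capture what follows up to ST.
_DECRQSS = re.compile(rb"\x1bP\$q(.*?)\x1b\\", re.DOTALL)


def find_decrqss(data: bytes) -> list[bytes]:
    """Return the payload of every DECRQSS request found in the byte stream."""
    return _DECRQSS.findall(data)


def is_reflected_shell_input(payload: bytes) -> bool:
    """CR or LF inside a DECRQSS payload is the CVE-2022-41138 / CVE-2008-2383 pattern:
    a terminal that echoes the invalid request back hands the shell a complete line."""
    return b"\n" in payload or b"\r" in payload


def audit(data: bytes) -> list[bytes]:
    """DECRQSS payloads that would become shell input if the terminal reflected them."""
    return [p for p in find_decrqss(data) if is_reflected_shell_input(p)]


def sanitize(data: bytes) -> bytes:
    """Strip every control string before handing untrusted text to a terminal.
    Plain text and CSI sequences (colours, cursor movement) are left intact."""
    return _CTRL_STRING.sub(b"", data)


# Constructed sample: ordinary text, a colour escape, and a DECRQSS whose payload
# is wrapped in line breaks around a harmless placeholder token.
SAMPLE = b"hello \x1b[31mred\x1b[0m\n\x1bP$q\ninjected\n\x1b\\tail\n"

if __name__ == "__main__":
    for payload in audit(SAMPLE):
        print("suspicious DECRQSS payload:", payload)
    print(sanitize(SAMPLE).decode())
```

Running `sanitize` over a file before `cat`-ing it to a terminal of unknown version removes the request entirely, while `audit` is the check to run in a log or mail viewer that wants to alert rather than silently drop.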
Comment 2 Carter Sande 2022-09-04 20:40:02 UTC
(In reply to Sam James from comment #1)
> Thanks. Could you try emailing Tom Szilagyi <[email protected]>?
Sure thing, I’ve emailed him and will update this bug once I get a response.
Comment 4 Carter Sande 2022-09-05 07:25:40 UTC
I talked to Tom Szilagyi via email. He hopes to have a fix for the vulnerability out by the end of the week.
Related news
An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.
Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.
SwiftTerm is an Xterm/VT100 terminal emulator. Prior to commit a94e6b24d24ce9680ad79884992e1dff8e150a31, an attacker could modify the window title via a certain character escape sequence and then insert it back into the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Version a94e6b24d24ce9680ad79884992e1dff8e150a31 contains a patch for this issue. There are no known workarounds available.
Gentoo Linux Security Advisory 202209-25 - A vulnerability has been discovered in Zutty which could allow for arbitrary code execution. Versions less than 0.13 are affected.
CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.