Bugtraq mailing list archives
Re: [rootshell.com] Xterm DoS Attack
From: anakin () POBOX COM (Simon Tatham)
Date: Tue, 6 Jun 2000 10:28:28 +0100
wakko () WTOWER COM writes: [xterm DoS through terminal-size sequences]
This breaks PuTTY [a Win32 SSH client] as well.
Yesterday I checked in a fix to the PuTTY master CVS repository, and last night's automated build ran successfully. This morning's PuTTY development snapshot appears to be OK. I wasn't able to reproduce the exploit using the same escape sequence as in the xterm-destroying example code; on the other hand, PuTTY was vulnerable to other sequences in the same spirit.

Philosophically, I have a hard time seeing this as a bug in any given terminal emulator. There _should_ be a way for a (trusted) app running in a terminal emulator to request window size changes and other such things; it's very useful. And in the absence of separated control and data streams within a terminal session (in which case one could allow `cat' unrestricted access to the data stream and it would not be able to DoS by injecting malice into the control stream), the whole terminal session must be considered to be the control stream, and vulnerable. Don't `cat' untrusted files.

(Of course, APC in MS-Kermit is possibly the worst exploit of this type I've _ever_ seen. With a well-chosen escape sequence you could direct the MS-Kermit program to run arbitrary commands on its host machine...)

Anyway. Current development snapshots of PuTTY are now believed robust. A 0.49 release containing the fix will be coming out RSN, since security is the one thing that really makes me get off my butt and put new releases out _quickly_ :-)

The patch is quoted below.

---------- begin patch ----------
Index: src/putty/terminal.c
===================================================================
RCS file: /home/cvs/putty/terminal.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- src/putty/terminal.c 2000/03/17 10:46:59 1.18
+++ src/putty/terminal.c 2000/06/05 16:33:58 1.19
@@ -1209,7 +1209,11 @@ */ compatibility(VT340TEXT); if (esc_nargs<=1 && (esc_args[0]<1 || esc_args[0]>=24)) { - request_resize (cols, def(esc_args[0], 24), 0); + unsigned int newrows = def(esc_args[0], 24); + /* Hack: prevent big-resize DoS attack. */ + if (newrows > max(512, cfg.height)) + newrows = max(512, cfg.height); + request_resize (cols, newrows, 0); deselect(); } break; @@ -1221,7 +1225,11 @@ */ compatibility(VT420); if (esc_nargs==1 && esc_args[0]>=24) { - request_resize (cols, def(esc_args[0], cfg.height), 0); + unsigned int newrows = def(esc_args[0], cfg.height); + /* Hack: prevent big-resize DoS attack. */ + if (newrows > max(512, cfg.height)) + newrows = max(512, cfg.height); + request_resize (cols, newrows, 0); deselect(); } break; @@ -1232,7 +1240,11 @@ */ compatibility(VT340TEXT); if (esc_nargs<=1) { - request_resize (cols, def(esc_args[0], cfg.width), 0); + unsigned int newcols = def(esc_args[0], cfg.width); + /* Hack: prevent big-resize DoS attack. */ + if (newcols > max(512, cfg.width)) + newcols = max(512, cfg.width); + request_resize (newcols, rows, 0); deselect(); } break; ----------- end patch ----------- Cheers, Simon -- Simon Tatham "infinite loop _see_ loop, infinite" <anakin () pobox com> - Index, Borland Pascal Language Guide
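Review bot: in the `@@ -1209,7 +1209,11 @@` hunk the guard `esc_args[0]<1 || esc_args[0]>=24` still admits arguments below 1, and the result of `def(esc_args[0], 24)` is stored in an `unsigned int newrows`; if `def()` passes a negative argument through, it wraps to a huge value and is silently clamped to `max(512, cfg.height)` rather than rejected. Consider rejecting out-of-range arguments explicitly, and replacing the bare `512` in the "Hack:" comment with a named constant that states why that ceiling was chosen.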
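Review bot: the four added lines in the `@@ -1221,7 +1225,11 @@` hunk are a verbatim copy of the clamp in the previous hunk, and the third hunk repeats them again for columns; a small helper such as `clamp_size(newrows, cfg.height)` (name hypothetical) would keep the three copies from drifting apart and would compute `max(512, cfg.height)` once instead of in both the test and the assignment.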
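Review bot: the `@@ -1232,7 +1240,11 @@` hunk caps `newcols` at `max(512, cfg.width)` but its guard is only `esc_nargs<=1`, so unlike the row paths there is no lower bound at all and a request for a single column reaches `request_resize (newcols, rows, 0)`; either document that `request_resize` tolerates tiny widths or add a minimum alongside the new maximum.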
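Simon's "Don't `cat' untrusted files" is the practical mitigation for a terminal that cannot separate data from control. As an added example (not PuTTY code and not part of the original post), the following C filter renders ESC, other C0 bytes, DEL and 8-bit bytes in `cat -v` caret notation so an untrusted file can be displayed without any byte reaching the terminal's control parser; the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Render one input byte into out (at most 4 bytes) and return the count.
 * Tab and newline pass through; everything else a terminal could treat as
 * control is made visible, cat -v style: C0 -> ^X, DEL -> ^?, and 8-bit
 * bytes (including C1 controls) -> M- followed by the low 7 bits' form. */
static size_t render_byte(unsigned char c, char *out)
{
    size_t n = 0;
    if (c == '\n' || c == '\t') { out[n++] = (char)c; return n; }
    if (c >= 0x80) {
        out[n++] = 'M'; out[n++] = '-';
        c &= 0x7f;
    }
    if (c < 0x20) {                  /* C0 control, including ESC (0x1b) */
        out[n++] = '^'; out[n++] = (char)(c + '@');
    } else if (c == 0x7f) {          /* DEL */
        out[n++] = '^'; out[n++] = '?';
    } else {
        out[n++] = (char)c;
    }
    return n;
}

/* Filter len bytes of untrusted data into out (must hold 4*len+1 bytes);
 * returns the length of the NUL-terminated result. */
size_t filter_for_terminal(const unsigned char *in, size_t len, char *out)
{
    size_t w = 0;
    for (size_t i = 0; i < len; i++)
        w += render_byte(in[i], out + w);
    out[w] = '\0';
    return w;
}

/* Constructed sample: text, an SGR reset, a C1 byte (0x9b) and DEL. */
size_t filter_sample(char *out)
{
    static const unsigned char sample[] = "ok\t\x1b[0m\x9b\x7f\n";
    return filter_for_terminal(sample, sizeof sample - 1, out);
}

int main(void)
{
    char out[64];
    filter_sample(out);
    fputs(out, stdout);              /* ok<TAB>^[[0mM-^[^? then newline */
    return 0;
}
```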