Re: Terminal escape sequences - the new XSS for admins?

[Stephane Chazelas <stephane.chazelas () gmail com>]

2015-08-11 16:29:04 -0400, Steve Grubb:
[....]
> A lot were based on the vte package. So, I dug into the vte package. In the 
> file, vteseq.c, is this:
>
>                 case 21:
>                         /* Report a static window title, since the real
>                            window title should NEVER be reported, as it
>                            creates a security vulnerability.  See
>                            http://marc.info/?l=bugtraq&m=104612710031920&w=2
>                            and CVE-2003-0070. */
>                         _vte_debug_print(VTE_DEBUG_PARSE,
>                                         "Reporting fake window title.\n");
>                         /* never use terminal->window_title here! */
>                         g_snprintf (buf, sizeof (buf),
>                                     _VTE_CAP_OSC "lTerminal" _VTE_CAP_ST);
>                         vte_terminal_feed_child(terminal, buf, -1);
>                         break;
>
> At this point, I was convinced that most major emulators are safe. That 
> said...there are all the ones I didn't check including older ones. The older 
> ones are likely to be the ones I'd be most concerned about.
[...]

Yes, it's the kind of vulnerabilities that were exploited
decades ago and were fixed then.

Now, the authors of newer ones can forget about them.

terminology has a few dangerous escape sequences (including
reporting window title, but also reading arbitrary files and
sending arbitrary HTTP requests), as discussed at
http://unix.stackexchange.com/questions/213799/can-bash-write-to-its-own-input-stream/213821#comment362700_213805

-- 
Stephane