Bugtraq mailing list archives

Re: [rootshell.com] Xterm DoS Attack

From: mej () VALINUX COM (Michael Jennings)
Date: Thu, 8 Jun 2000 13:41:48 -0700


On Tuesday, 06 June 2000, at 10:28:28 (+0100),
Simon Tatham wrote:

Philosophically, I have a hard time seeing this as a bug in any
given terminal emulator. There _should_ be a way for a (trusted) app
running in a terminal emulator to request window size changes and
other such things; it's very useful.


Absolutely.  Disabling the sequence altogether is an improper fix to
the problem.  The solution as I implemented it in the newer Eterms was
to limit the resize request based on the screen size.  I see very
little point in allowing a terminal window to resize itself larger
than the screen.  This was just an arbitrary limit on my part, though;
if you wanted to choose a bit larger than the screen, same
difference.  But there should be checks for reasonable values,
especially if you use the larger data types (like a 32- or 64-bit
integer) for the x/y sizes.  A 2-billion-by-2-billion terminal window
doesn't make sense for anyone.

And in the absence of separated control and data streams within a
terminal session (in which case one could allow `cat' unrestricted
access to the data stream and it would not be able to DoS by
injecting malice into the control stream), the whole terminal
session must be considered to be the control stream, and
vulnerable. Don't `cat' untrusted files.


Unfortunately, the vulnerability extends well beyond simply "cat".
Theoretically it may be possible as a local user (or even a remote
one?) to cause such strings to be injected into the syslog/messages
file, which many sysadmins keep a running tail on.  You've also got to
consider e-mail, which is often read through terminal clients.  Then
there's IRC and other chat networks.  Talk daemon requests (remember
flash?).  Web pages viewed by lynx or other text-based browsers.  The
list goes on....

Michael

--
 "Some mornings, it's just not worth chewing through the leather
  straps."                                             -- Emo Phillips
=======================================================================
Michael Jennings  <mej () eterm org>  www.tcserv.com  PGP Key ID: BED09971
Software Engineer, VA Linux Systems       Author, Eterm (www.eterm.org)

Current thread:

Re: [rootshell.com] Xterm DoS Attack Hans, Sebastian (Jun 04)
- Security Update: serious bug in setuid() Technical Support (Jun 08)
- Security Bulletins Digest Aleph One (Jun 08)
- Internet Security Systems Security Advisory: Buffer Overflow in i-drive Filo (tm) software Aleph One (Jun 08)
- Re: [rootshell.com] Xterm DoS Attack Elias Levy (Jun 08)
- <Possible follow-ups>
- Re: [rootshell.com] Xterm DoS Attack Simon Tatham (Jun 06)
  - Re: [rootshell.com] Xterm DoS Attack Michael Jennings (Jun 08)