Full Disclosure mailing list archives

Re: (u)rxvt terminal (+bash) remoteish code execution 0day
From: def <def () huumeet info>
Date: Thu, 20 May 2021 04:38:34 +0300

Minor clarifications and additional details for the post.

First and foremost, this vulnerability is not technically a zero-day for
rxvt-unicode since the bug has been independently discovered & publicly
discussed at oss-security at least in 2017:

    https://www.openwall.com/lists/oss-security/2017/05/01/20

Upstream patched the vulnerability silently back in 2017. According to
rxvt-unicode commit messages and changelog entries, the vulnerability
was considered to have minor "security implications" explaining why it
never was considered critical enough to backport to old Linux distros.
Moreover, the first patched version is rxvt-unicode 9.25 (2021-05-14)
released barely a couple of weeks ago. Therefore, most Linux distros
still ship *unpatched* rxvt-unicode 9.22 (2016-05-14). Yes, 9.23 & 9.24
version numbers do not exist because they were skipped in the upstream.

Nonetheless the exploit remains 0day (i.e., no upstream patch available)
for at least the following rxvt forks and derivatives.

 - rxvt 2.7.10  (the original rxvt terminal)
 - mrxvt 0.5.4  (unmaintained rxvt terminal with tabs)
 - aterm 1.0.1  (random rxvt-based terminal from Debbie "jessie" repos)
 - eterm 0.9.7  (Enlightenment 

Finally, the vulnerability can be exploited in any context in which the
attacker can plant payload scripts in a subdirectory of CWD and trigger
code execution by writing (unescaped) ANSI escape sequences to stdout or
stderr. Suitable target programs besides `scp` include popular CLI tools
like `unrar` and `busybox tar` as demonstrated in the PoCs here:

    https://huumeet.info/~def/rxvt0day/

Note that GNU tar is not exploitable due to properly escaped filenames.

- def

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
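The mitigation the post credits GNU tar with, as an added example that is not from the post or from any of the terminals it names: escape control characters in untrusted filenames before they reach the terminal, and flag archive members whose names carry them. `quote_filename`, `suspicious_members` and `build_sample_archive` are hypothetical names; the backslash-octal style follows the spirit of GNU tar's quoting, and the sample archive is constructed inline.

```python
# Added example (not code from the post). Filenames that come from an archive or a
# remote host are attacker-controlled; echoing them raw lets any ESC byte they contain
# drive the terminal. Render them so no control byte is emitted, and report the ones
# that would have needed it.
import io
import tarfile


def is_control(cp: int) -> bool:
    """C0 controls, DEL, C1 controls, or a surrogateescape'd undecodable raw byte."""
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F or 0xDC80 <= cp <= 0xDCFF


def quote_filename(name: str) -> str:
    """Return `name` with every control character as a \\NNN octal escape.

    Backslash itself is doubled so the rendering stays unambiguous. Undecodable
    bytes (U+DC80..U+DCFF from os.fsdecode's surrogateescape) are shown as the
    original byte value; other control code points are shown as their own value.
    """
    out = []
    for ch in name:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            out.append("\\%03o" % (cp - 0xDC00))
        elif is_control(cp):
            out.append("\\%03o" % cp)
        elif ch == "\\":
            out.append("\\\\")
        else:
            out.append(ch)
    return "".join(out)


def suspicious_members(archive: bytes) -> list:
    """Quoted names of tar members whose path contains a control character."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return [quote_filename(m.name) for m in tf.getmembers()
                if any(is_control(ord(c)) for c in m.name)]


def build_sample_archive() -> bytes:
    """Constructed sample: one harmless member and one whose name carries an ESC
    byte (a plain colour sequence, used only to show the neutralisation)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "docs/\x1b[31mred.txt"):
            info = tarfile.TarInfo(name)
            data = b"hello\n"
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for line in suspicious_members(build_sample_archive()):
        print("control characters in member name:", line)
```

The same `quote_filename` can wrap any place a tool prints a name it did not choose itself, which is the property that separates GNU tar from the `unrar` and `busybox tar` cases the post mentions.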