Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
BID:1298
Info
Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
| Bugtraq ID: | 1298 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: |
CVE-2000-0476 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 01 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | First posted to BugTraq by Kit Knox <[email protected]> on May 31, 2000. |
| Vulnerable: |
XFree86 X11R6 4.0 XFree86 X11R6 3.3.3 Simon Tatham PuTTY 0.48 rxvt rxvt 2.6.1 Michael Jennings Eterm 0.8.10 |
| Not Vulnerable: |
VanDyke SecureCRT 3.0 Sun Solaris 8_sparc Sun OpenWindows 3.0 Simon Tatham PuTTY 0.49 HP HP-UX 11.0 4 |
Discussion
Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
xterm is a popular X11-based terminal emulator. If VT control-characters are displayed in the xterm, they can be interpreted and used to cause a denial of service attack against the client (and even the host running the client). What makes it possible for remote users to exploit this vulnerability is a situation like this:
An admin is tailing the http access log
Attacker requests url with control characters in it
Admin's xterm crashes
This vulnerability also affects applications (such as other terminal emulators) derived from xterm code.
xterm is a popular X11-based terminal emulator. If VT control-characters are displayed in the xterm, they can be interpreted and used to cause a denial of service attack against the client (and even the host running the client). What makes it possible for remote users to exploit this vulnerability is a situation like this:
An admin is tailing the http access log
Attacker requests url with control characters in it
Admin's xterm crashes
This vulnerability also affects applications (such as other terminal emulators) derived from xterm code.
Exploit / POC
Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
It was reported on BugTraq (June 4, 2000 by Sebastian Hans <[email protected]>) that substituting 65536 for 65535 may be necessary with some configurations: sprintf(packet, "GET /\033[4;65535;65535t HTTP/1.0\n\n");
It was reported on BugTraq (June 4, 2000 by Sebastian Hans <[email protected]>) that substituting 65536 for 65535 may be necessary with some configurations: sprintf(packet, "GET /\033[4;65535;65535t HTTP/1.0\n\n");
Solution / Fix
Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
Solution:
Michael Jennings released the following patches for Eterm:
Index: src/command.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/command.c,v
retrieving revision 1.1.1.1.2.7
diff -u -r1.1.1.1.2.7 command.c
--- src/command.c 1999/11/02 16:34:35 1.1.1.1.2.7
+++ src/command.c 2000/06/02 02:06:56
@@ -4694,6 +4694,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x > scr->width || y > scr->height) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent, x, y);
break;
case 5:
@@ -4713,6 +4716,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x > (scr->width / TermWin.fwidth) || y > (scr->height / TermWin.fheight)) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_visible()? scrollbar_total_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder + (menubar_visible()? menuBar_TotalHeight() : 0));
--RpDyejMaDGJhP2PU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="Eterm-0.9-DoS.patch"
Index: src/term.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/term.c,v
retrieving revision 1.33
diff -u -r1.33 term.c
--- src/term.c 2000/01/17 21:29:27 1.33
+++ src/term.c 2000/06/02 02:06:44
@@ -1232,6 +1232,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr->height);
+ UPPER_BOUND(x, scr->width);
XResizeWindow(Xdisplay, TermWin.parent, x, y);
#ifdef USE_XIM
xim_set_status_position();
@@ -1254,6 +1256,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr->height / TermWin.fheight);
+ UPPER_BOUND(x, scr->width / TermWin.fwidth);
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_is_visible()? scrollbar_trough_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder);
--RpDyejMaDGJhP2PU--
Simon Tatham PuTTY 0.48
Solution:
Michael Jennings released the following patches for Eterm:
Index: src/command.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/command.c,v
retrieving revision 1.1.1.1.2.7
diff -u -r1.1.1.1.2.7 command.c
--- src/command.c 1999/11/02 16:34:35 1.1.1.1.2.7
+++ src/command.c 2000/06/02 02:06:56
@@ -4694,6 +4694,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x > scr->width || y > scr->height) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent, x, y);
break;
case 5:
@@ -4713,6 +4716,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x > (scr->width / TermWin.fwidth) || y > (scr->height / TermWin.fheight)) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_visible()? scrollbar_total_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder + (menubar_visible()? menuBar_TotalHeight() : 0));
--RpDyejMaDGJhP2PU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="Eterm-0.9-DoS.patch"
Index: src/term.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/term.c,v
retrieving revision 1.33
diff -u -r1.33 term.c
--- src/term.c 2000/01/17 21:29:27 1.33
+++ src/term.c 2000/06/02 02:06:44
@@ -1232,6 +1232,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr->height);
+ UPPER_BOUND(x, scr->width);
XResizeWindow(Xdisplay, TermWin.parent, x, y);
#ifdef USE_XIM
xim_set_status_position();
@@ -1254,6 +1256,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr->height / TermWin.fheight);
+ UPPER_BOUND(x, scr->width / TermWin.fwidth);
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_is_visible()? scrollbar_trough_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder);
--RpDyejMaDGJhP2PU--
Simon Tatham PuTTY 0.48
-
Simon Tatham putty-dos.patch
http://www.securityfocus.com/data/vulnerabilities/patches/putty-dos.pa tch
References
Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
References:
References: