Vulnerabilities > CVE-2003-0023 - Unspecified vulnerability in Rxvt
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-034.NASL description Digital Defense Inc. released a paper detailing insecurities in various terminal emulators, including rxvt. Many of the features supported by these programs can be abused when untrusted data is displayed on the screen. This abuse can be anything from garbage data being displayed to the screen or a system compromise. last seen 2020-06-01 modified 2020-06-02 plugin id 14018 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14018 title Mandrake Linux Security Advisory : rxvt (MDKSA-2003:034) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:034. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14018); script_version ("1.19"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2003-0022", "CVE-2003-0023", "CVE-2003-0066"); script_xref(name:"MDKSA", value:"2003:034"); script_name(english:"Mandrake Linux Security Advisory : rxvt (MDKSA-2003:034)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Digital Defense Inc. released a paper detailing insecurities in various terminal emulators, including rxvt. Many of the features supported by these programs can be abused when untrusted data is displayed on the screen. This abuse can be anything from garbage data being displayed to the screen or a system compromise." ); # http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=104612710031920&w=2" ); script_set_attribute( attribute:"solution", value:"Update the affected rxvt, rxvt-CJK and / or rxvt-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt-CJK"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-055.NASL description Updated rxvt packages are available which fix a number of vulnerabilities in the handling of escape sequences. [Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES and Red Hat Enterprise Linux WS Rxvt is a color VT102 terminal emulator for the X Window System. A number of issues have been found in the escape sequence handling of Rxvt. These could be potentially exploited if an attacker can cause carefully crafted escape sequences to be displayed on an rxvt terminal being used by their victim. One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants, including rxvt, also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. Since it is not possible to embed a carriage return into the window title itself, the attacker would have to convince the victim to press the Enter key for the title to be processed as a command, although the attacker can perform a number of actions to increase the likelihood of this happening. A certain escape sequence when displayed in rxvt will create an arbitrary file. It is possible to add malicious items to the dynamic menus through an escape sequence. Users of Rxvt are advised to upgrade to these errata packages which contain a patch to disable the title reporting functionality and patches to correct the other issues. Red Hat would like to thank H D Moore for bringing these issues to our attention. last seen 2020-06-01 modified 2020-06-02 plugin id 12365 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12365 title RHEL 2.1 : rxvt (RHSA-2003:055)
Redhat
| advisories |
|
References
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
- http://marc.info/?l=bugtraq&m=104612710031920&w=2
- http://www.iss.net/security_center/static/11416.php
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:034
- http://www.redhat.com/support/errata/RHSA-2003-054.html
- http://www.redhat.com/support/errata/RHSA-2003-055.html
- http://www.securityfocus.com/bid/6947