Vulnerabilities > CVE-2003-0066 - Unspecified vulnerability in Rxvt
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-003.NASL description A vulnerability was discovered by Simon Kelley in the dhcpcd DHCP client daemon. dhcpcd has the ability to execute an external script named dhcpcd-<interface>.exe when an IP address is assigned to that network interface. The script sources the file /var/lib/dhcpcd/dhcpcd-<interface>.info which contains shell variables and DHCP assignment information. The way quotes are handled inside these assignments is flawed, and a malicious DHCP server can execute arbitrary shell commands on the vulnerable DHCP client system. This can also be exploited by an attacker able to spoof DHCP responses. Mandrake Linux packages contain a sample /etc/dhcpc/dhcpcd.exe file and encourages all users to upgrade immediately. Please note that when you do upgrade, you will have to restart the network for the changes to take proper effect by issuing last seen 2020-06-01 modified 2020-06-02 plugin id 13988 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13988 title Mandrake Linux Security Advisory : dhcpcd (MDKSA-2003:003) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:003. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(13988); script_version ("1.19"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-1403", "CVE-2003-0066"); script_xref(name:"MDKSA", value:"2003:003"); script_name(english:"Mandrake Linux Security Advisory : dhcpcd (MDKSA-2003:003)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered by Simon Kelley in the dhcpcd DHCP client daemon. dhcpcd has the ability to execute an external script named dhcpcd-<interface>.exe when an IP address is assigned to that network interface. The script sources the file /var/lib/dhcpcd/dhcpcd-<interface>.info which contains shell variables and DHCP assignment information. The way quotes are handled inside these assignments is flawed, and a malicious DHCP server can execute arbitrary shell commands on the vulnerable DHCP client system. This can also be exploited by an attacker able to spoof DHCP responses. Mandrake Linux packages contain a sample /etc/dhcpc/dhcpcd.exe file and encourages all users to upgrade immediately. Please note that when you do upgrade, you will have to restart the network for the changes to take proper effect by issuing 'service network restart' as root." ); # http://www.phystech.com/download/dhcdcd_changelog.html script_set_attribute( attribute:"see_also", value:"https://www.helpnetsecurity.com?id=1473" ); script_set_attribute( attribute:"solution", value:"Update the affected dhcpcd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:dhcpcd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/01/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-034.NASL description Digital Defense Inc. released a paper detailing insecurities in various terminal emulators, including rxvt. Many of the features supported by these programs can be abused when untrusted data is displayed on the screen. This abuse can be anything from garbage data being displayed to the screen or a system compromise. last seen 2020-06-01 modified 2020-06-02 plugin id 14018 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14018 title Mandrake Linux Security Advisory : rxvt (MDKSA-2003:034) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:034. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14018); script_version ("1.19"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2003-0022", "CVE-2003-0023", "CVE-2003-0066"); script_xref(name:"MDKSA", value:"2003:034"); script_name(english:"Mandrake Linux Security Advisory : rxvt (MDKSA-2003:034)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Digital Defense Inc. released a paper detailing insecurities in various terminal emulators, including rxvt. Many of the features supported by these programs can be abused when untrusted data is displayed on the screen. This abuse can be anything from garbage data being displayed to the screen or a system compromise." ); # http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=104612710031920&w=2" ); script_set_attribute( attribute:"solution", value:"Update the affected rxvt, rxvt-CJK and / or rxvt-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt-CJK"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-055.NASL description Updated rxvt packages are available which fix a number of vulnerabilities in the handling of escape sequences. [Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES and Red Hat Enterprise Linux WS Rxvt is a color VT102 terminal emulator for the X Window System. A number of issues have been found in the escape sequence handling of Rxvt. These could be potentially exploited if an attacker can cause carefully crafted escape sequences to be displayed on an rxvt terminal being used by their victim. One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants, including rxvt, also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. Since it is not possible to embed a carriage return into the window title itself, the attacker would have to convince the victim to press the Enter key for the title to be processed as a command, although the attacker can perform a number of actions to increase the likelihood of this happening. A certain escape sequence when displayed in rxvt will create an arbitrary file. It is possible to add malicious items to the dynamic menus through an escape sequence. Users of Rxvt are advised to upgrade to these errata packages which contain a patch to disable the title reporting functionality and patches to correct the other issues. Red Hat would like to thank H D Moore for bringing these issues to our attention. last seen 2020-06-01 modified 2020-06-02 plugin id 12365 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12365 title RHEL 2.1 : rxvt (RHSA-2003:055)
Redhat
| advisories |
|
References
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
- http://marc.info/?l=bugtraq&m=104612710031920&w=2
- http://www.iss.net/security_center/static/11414.php
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:003
- http://www.redhat.com/support/errata/RHSA-2003-054.html
- http://www.redhat.com/support/errata/RHSA-2003-055.html
- http://www.securityfocus.com/advisories/5137
- http://www.securityfocus.com/bid/6953