Vulnerabilities > CVE-2003-0066 - Unspecified vulnerability in Rxvt

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
rxvt
nessus

Summary

The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-003.NASL
    descriptionA vulnerability was discovered by Simon Kelley in the dhcpcd DHCP client daemon. dhcpcd has the ability to execute an external script named dhcpcd-<interface>.exe when an IP address is assigned to that network interface. The script sources the file /var/lib/dhcpcd/dhcpcd-<interface>.info which contains shell variables and DHCP assignment information. The way quotes are handled inside these assignments is flawed, and a malicious DHCP server can execute arbitrary shell commands on the vulnerable DHCP client system. This can also be exploited by an attacker able to spoof DHCP responses. Mandrake Linux packages contain a sample /etc/dhcpc/dhcpcd.exe file and encourages all users to upgrade immediately. Please note that when you do upgrade, you will have to restart the network for the changes to take proper effect by issuing
    last seen2020-06-01
    modified2020-06-02
    plugin id13988
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13988
    titleMandrake Linux Security Advisory : dhcpcd (MDKSA-2003:003)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:003. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13988);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-1403", "CVE-2003-0066");
      script_xref(name:"MDKSA", value:"2003:003");
    
      script_name(english:"Mandrake Linux Security Advisory : dhcpcd (MDKSA-2003:003)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered by Simon Kelley in the dhcpcd DHCP
    client daemon. dhcpcd has the ability to execute an external script
    named dhcpcd-<interface>.exe when an IP address is assigned to that
    network interface. The script sources the file
    /var/lib/dhcpcd/dhcpcd-<interface>.info which contains shell variables
    and DHCP assignment information. The way quotes are handled inside
    these assignments is flawed, and a malicious DHCP server can execute
    arbitrary shell commands on the vulnerable DHCP client system. This
    can also be exploited by an attacker able to spoof DHCP responses.
    
    Mandrake Linux packages contain a sample /etc/dhcpc/dhcpcd.exe file
    and encourages all users to upgrade immediately. Please note that when
    you do upgrade, you will have to restart the network for the changes
    to take proper effect by issuing 'service network restart' as root."
      );
      # http://www.phystech.com/download/dhcdcd_changelog.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.helpnetsecurity.com?id=1473"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected dhcpcd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:dhcpcd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/01/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"dhcpcd-1.3.22pl4-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-034.NASL
    descriptionDigital Defense Inc. released a paper detailing insecurities in various terminal emulators, including rxvt. Many of the features supported by these programs can be abused when untrusted data is displayed on the screen. This abuse can be anything from garbage data being displayed to the screen or a system compromise.
    last seen2020-06-01
    modified2020-06-02
    plugin id14018
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14018
    titleMandrake Linux Security Advisory : rxvt (MDKSA-2003:034)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:034. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14018);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2003-0022", "CVE-2003-0023", "CVE-2003-0066");
      script_xref(name:"MDKSA", value:"2003:034");
    
      script_name(english:"Mandrake Linux Security Advisory : rxvt (MDKSA-2003:034)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Digital Defense Inc. released a paper detailing insecurities in
    various terminal emulators, including rxvt. Many of the features
    supported by these programs can be abused when untrusted data is
    displayed on the screen. This abuse can be anything from garbage data
    being displayed to the screen or a system compromise."
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=104612710031920&w=2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected rxvt, rxvt-CJK and / or rxvt-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt-CJK");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rxvt-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-2.7.8-6.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-CJK-2.7.8-6.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"rxvt-devel-2.7.8-6.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-055.NASL
    descriptionUpdated rxvt packages are available which fix a number of vulnerabilities in the handling of escape sequences. [Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES and Red Hat Enterprise Linux WS Rxvt is a color VT102 terminal emulator for the X Window System. A number of issues have been found in the escape sequence handling of Rxvt. These could be potentially exploited if an attacker can cause carefully crafted escape sequences to be displayed on an rxvt terminal being used by their victim. One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants, including rxvt, also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. Since it is not possible to embed a carriage return into the window title itself, the attacker would have to convince the victim to press the Enter key for the title to be processed as a command, although the attacker can perform a number of actions to increase the likelihood of this happening. A certain escape sequence when displayed in rxvt will create an arbitrary file. It is possible to add malicious items to the dynamic menus through an escape sequence. Users of Rxvt are advised to upgrade to these errata packages which contain a patch to disable the title reporting functionality and patches to correct the other issues. Red Hat would like to thank H D Moore for bringing these issues to our attention.
    last seen2020-06-01
    modified2020-06-02
    plugin id12365
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12365
    titleRHEL 2.1 : rxvt (RHSA-2003:055)

Redhat

advisories
  • rhsa
    idRHSA-2003:054
  • rhsa
    idRHSA-2003:055