Vulnerabilities > CVE-2006-7236 - Configuration vulnerability in Invisible-Island Xterm NIL

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
invisible-island
CWE-16
nessus
exploit available

Summary

The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.

Vulnerable Configurations

Part Description Count
Application
Invisible-Island
1
OS
Debian
1
OS
Ubuntu
1

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionxterm DECRQSS Remote Command Execution Vulnerability. CVE-2006-7236 . Remote exploit for linux platform
idEDB-ID:32690
last seen2016-02-03
modified2008-12-29
published2008-12-29
reporterPaul Szabo
sourcehttps://www.exploit-db.com/download/32690/
titlexterm DECRQSS Remote Command Execution Vulnerability

Nessus

NASL familyUbuntu Local Security Checks
NASL idUBUNTU_USN-703-1.NASL
descriptionPaul Szabo discovered that the DECRQSS escape sequences were not handled correctly by xterm. Additionally, window title operations were also not safely handled. If a user were tricked into viewing a specially crafted series of characters while in xterm, a remote attacker could execute arbitrary commands with user privileges. (CVE-2006-7236, CVE-2008-2382). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen2020-06-01
modified2020-06-02
plugin id37162
published2009-04-23
reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/37162
titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : xterm vulnerabilities (USN-703-1)

Statements

contributorTomas Hoger
lastmodified2009-01-21
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of the xterm package, as shipped with Red Hat Enterprise Linux 3, 4, and 5, and the version of the XFree86 (providing xterm) and hanterm-xf packages, as shipped with Red Hat Enterprise Linux 2.1.