Vulnerabilities > CVE-2007-3770 - Remote Command Injection vulnerability in Os-Cillation Xfce Terminal 0.2.6
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
PARTIAL Availability impact
NONE Summary
The terminal_helper_execute function in terminal/terminal.c in Xfce Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a crafted link, as demonstrated using the "Open Link" functionality.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200708-07.NASL description The remote host is affected by the vulnerability described in GLSA-200708-07 (Xfce Terminal: Remote arbitrary code execution) Lasse Karkkainen discovered that the function terminal_helper_execute() in file terminal-helper.c does not properly escape the URIs before processing. Impact : A remote attacker could entice a user to open a specially crafted link, possibly leading to the remote execution of arbitrary code with the privileges of the user running Xfce Terminal. Note that the exploit code depends on the browser used to open the crafted link. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 25872 published 2007-08-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25872 title GLSA-200708-07 : Xfce Terminal: Remote arbitrary code execution code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200708-07. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(25872); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2007-3770"); script_xref(name:"GLSA", value:"200708-07"); script_name(english:"GLSA-200708-07 : Xfce Terminal: Remote arbitrary code execution"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200708-07 (Xfce Terminal: Remote arbitrary code execution) Lasse Karkkainen discovered that the function terminal_helper_execute() in file terminal-helper.c does not properly escape the URIs before processing. Impact : A remote attacker could entice a user to open a specially crafted link, possibly leading to the remote execution of arbitrary code with the privileges of the user running Xfce Terminal. Note that the exploit code depends on the browser used to open the crafted link. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200708-07" ); script_set_attribute( attribute:"solution", value: "All Xfce Terminal users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=x11-terms/terminal-0.2.6_p25931'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:terminal"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/13"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"x11-terms/terminal", unaffected:make_list("ge 0.2.6_p25931"), vulnerable:make_list("lt 0.2.6_p25931"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Xfce Terminal"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-497-1.NASL description Lasse Karkkainen discovered that the Xfce Terminal did not correctly escape shell meta-characters during last seen 2020-06-01 modified 2020-06-02 plugin id 28100 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28100 title Ubuntu 6.06 LTS / 6.10 / 7.04 : xfce4-terminal vulnerability (USN-497-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-497-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(28100); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:33:01"); script_cve_id("CVE-2007-3770"); script_xref(name:"USN", value:"497-1"); script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 : xfce4-terminal vulnerability (USN-497-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Lasse Karkkainen discovered that the Xfce Terminal did not correctly escape shell meta-characters during 'Open Link' actions. If a remote attacker tricked a user into opening a specially crafted URI, they could execute arbitrary commands with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/497-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected xfce4-terminal package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:xfce4-terminal"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(6\.06|6\.10|7\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"xfce4-terminal", pkgver:"0.2.5+r21674-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"xfce4-terminal", pkgver:"0.2.5.4-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"xfce4-terminal", pkgver:"0.2.6-0ubuntu3.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xfce4-terminal"); }NASL family Fedora Local Security Checks NASL id FEDORA_2007-1620.NASL description - Tue Aug 14 2007 Kevin Fenzi <kevin at tummy.com> - 0.2.6-3 - Add patch for CVE-2007-3770. - Update License tag Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27725 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27725 title Fedora 7 : Terminal-0.2.6-3.fc7 (2007-1620) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-1620. # include("compat.inc"); if (description) { script_id(27725); script_version ("1.12"); script_cvs_date("Date: 2019/08/02 13:32:25"); script_cve_id("CVE-2007-3770"); script_xref(name:"FEDORA", value:"2007-1620"); script_name(english:"Fedora 7 : Terminal-0.2.6-3.fc7 (2007-1620)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Tue Aug 14 2007 Kevin Fenzi <kevin at tummy.com> - 0.2.6-3 - Add patch for CVE-2007-3770. - Update License tag Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-August/003255.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?75d4c344" ); script_set_attribute( attribute:"solution", value:"Update the affected Terminal and / or Terminal-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:Terminal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:Terminal-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC7", reference:"Terminal-0.2.6-3.fc7")) flag++; if (rpm_check(release:"FC7", reference:"Terminal-debuginfo-0.2.6-3.fc7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Terminal / Terminal-debuginfo"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1393.NASL description It was discovered that xfce-terminal, a terminal emulator for the xfce environment, did not correctly escape arguments passed to the processes spawned by last seen 2020-06-01 modified 2020-06-02 plugin id 27548 published 2007-10-25 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27548 title Debian DSA-1393-1 : xfce4-terminal - insecure execution
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 24889 CVE(CAN) ID: CVE-2007-3770 Xfce Terminal是Xfce桌面环境的控制台工具。 Xfce Terminal在使用URL串构造命令调用时存在漏洞,远程攻击者可能利用此漏洞诱使用户执行恶意Shell命令。 Xfce-Terminal 0.2.6 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href="http://www.xfce.org/" target="_blank">http://www.xfce.org/</a> |
| id | SSV:2106 |
| last seen | 2017-11-19 |
| modified | 2007-08-14 |
| published | 2007-08-14 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-2106 |
| title | Xfce-Terminal远程命令注入漏洞 |
References
- http://bugs.gentoo.org/show_bug.cgi?id=184886
- http://osvdb.org/38082
- http://secunia.com/advisories/26037
- http://secunia.com/advisories/26392
- http://secunia.com/advisories/26418
- http://secunia.com/advisories/27374
- http://security.gentoo.org/glsa/glsa-200708-07.xml
- http://www.debian.org/security/2007/dsa-1393
- http://www.securityfocus.com/bid/24889
- http://www.ubuntu.com/usn/usn-497-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35379