CVE-2008-2383 - Code Injection vulnerability in Invisible-Island Xterm NIL

047910
CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.

Vulnerable Configurations

Part: Application
Description: Invisible-Island
Count: 1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF, in the form http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here (see http://www.gnucitizen.org/blog/danger-danger-danger/). The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-703-1.NASL
    description: Paul Szabo discovered that the DECRQSS escape sequences were not handled correctly by xterm. Additionally, window title operations were also not safely handled. If a user were tricked into viewing a specially crafted series of characters while in xterm, a remote attacker could execute arbitrary commands with user privileges. (CVE-2006-7236, CVE-2008-2382). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37162
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37162
    title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : xterm vulnerabilities (USN-703-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-0154.NASL
    description: This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35391
    published: 2009-01-16
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35391
    title: Fedora 8 : xterm-238-1.fc8 (2009-0154)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200902-04.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200902-04 (xterm: User-assisted arbitrary commands execution). Paul Szabo reported an insufficient input sanitization when processing Device Control Request Status String (DECRQSS) sequences. Impact: A remote attacker could entice a user to display a file containing specially crafted DECRQSS sequences, possibly resulting in the remote execution of arbitrary commands with the privileges of the user viewing the file. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35675
    published: 2009-02-13
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35675
    title: GLSA-200902-04 : xterm: User-assisted arbitrary commands execution
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_XTERM-090108.NASL
    description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40327
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40327
    title: openSUSE Security Update : xterm (xterm-405)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-0059.NASL
    description: This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35388
    published: 2009-01-16
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35388
    title: Fedora 9 : xterm-238-1.fc9 (2009-0059)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1694.NASL
    description: Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences (CVE-2008-2383). As an additional precaution, this security update also disables font changing, user-defined keys, and X property changes through escape sequences.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35293
    published: 2009-01-06
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35293
    title: Debian DSA-1694-1 : xterm - design flaw
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_D5E1AAC8DB0B11DDAE30001CC0377035.NASL
    description: SecurityFocus reports: The xterm program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input. Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35295
    published: 2009-01-06
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35295
    title: FreeBSD : xterm -- DECRQSS remote command execution vulnerability (d5e1aac8-db0b-11dd-ae30-001cc0377035)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XTERM-5898.NASL
    description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41604
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41604
    title: SuSE 10 Security Update : xterm (ZYPP Patch Number 5898)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-0018.NASL
    description: From Red Hat Security Advisory 2009:0018: An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67791
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67791
    title: Oracle Linux 3 / 4 / 5 : xterm (ELSA-2009-0018)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_12344.NASL
    description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.) Support for Matrox G200EV/G200WB cards was added.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41274
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41274
    title: SuSE9 Security Update : XFree86 (YOU Patch Number 12344)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XTERM-5902.NASL
    description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35369
    published: 2009-01-14
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35369
    title: openSUSE 10 Security Update : xterm (xterm-5902)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-0018.NASL
    description: An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35312
    published: 2009-01-08
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35312
    title: CentOS 3 / 4 / 5 : xterm (CESA-2009:0018)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_XTERM-090108.NASL
    description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40160
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40160
    title: openSUSE Security Update : xterm (xterm-405)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-0019.NASL
    description: An updated hanterm-xf package to correct a security issue is now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. Hanterm is a replacement for xterm, a X Window System terminal emulator, that supports Hangul input and output. A flaw was found in the Hanterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside a Hanterm window. (CVE-2008-2383) All hanterm-xf users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of hanterm must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35319
    published: 2009-01-08
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35319
    title: RHEL 2.1 : hanterm-xf (RHSA-2009:0019)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_5_7.NASL
    description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products: Apache, ATS, BIND, CFNetwork, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, iChat, International Components for Unicode, IPSec, Kerberos, Kernel, Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP, QuickDraw Manager, ruby, Safari, Spotlight, system_cmds, telnet, Terminal, WebKit, X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38744
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38744
    title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-0018.NASL
    description: An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35302
    published: 2009-01-07
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35302
    title: RHEL 3 / 4 / 5 : xterm (RHSA-2009:0018)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2009-069-03.NASL
    description: New xterm packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix a security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35827
    published: 2009-03-11
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/35827
    title: Slackware 12.0 / 12.1 / 12.2 / current : xterm (SSA:2009-069-03)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20090107_XTERM_ON_SL3_X.NASL
    description: A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60516
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60516
    title: Scientific Linux Security Update : xterm on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-005.NASL
    description: A vulnerability has been discovered in xterm, which can be exploited by malicious people to compromise a user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36977
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36977
    title: Mandriva Linux Security Advisory : xterm (MDVSA-2009:005)

Oval

accepted: 2013-04-29T04:18:46.553-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
family: unix
id: oval:org.mitre.oval:def:9317
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
version: 27

Redhat

advisories
  • bugzilla
    id: 478888
    title: CVE-2008-2383 xterm: arbitrary command injection
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 4 is installed
        oval: oval:com.redhat.rhba:tst:20070304025
      • comment: xterm is earlier than 0:192-8.el4_7.2
        oval: oval:com.redhat.rhsa:tst:20090018001
      • comment: xterm is signed with Red Hat master key
        oval: oval:com.redhat.rhsa:tst:20070701002
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • comment: xterm is earlier than 0:215-5.el5_2.2
        oval: oval:com.redhat.rhsa:tst:20090018004
      • comment: xterm is signed with Red Hat redhatrelease key
        oval: oval:com.redhat.rhsa:tst:20090018005
    rhsa
    id: RHSA-2009:0018
    released: 2009-01-07
    severity: Important
    title: RHSA-2009:0018: xterm security update (Important)
  • rhsa
    id: RHSA-2009:0019
rpms
  • xterm-0:179-11.EL3
  • xterm-0:192-8.el4_7.2
  • xterm-0:215-5.el5_2.2
  • xterm-debuginfo-0:179-11.EL3
  • xterm-debuginfo-0:192-8.el4_7.2
  • xterm-debuginfo-0:215-5.el5_2.2
  • hanterm-xf-1:2.0.5-5.AS21.2

References