CVE-2008-2383 - Code Injection vulnerability in Invisible-Island Xterm
Metric | Value |
---|---|
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has already modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF, for example http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here (http://www.gnucitizen.org/blog/danger-danger-danger/). The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
- NASL family: Ubuntu Local Security Checks
  - NASL id: UBUNTU_USN-703-1.NASL
  - description: Paul Szabo discovered that the DECRQSS escape sequences were not handled correctly by xterm. Additionally, window title operations were also not safely handled. If a user were tricked into viewing a specially crafted series of characters while in xterm, a remote attacker could execute arbitrary commands with user privileges. (CVE-2006-7236, CVE-2008-2382). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 37162
  - published: 2009-04-23
  - reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/37162
  - title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : xterm vulnerabilities (USN-703-1)
- NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2009-0154.NASL
  - description: This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35391
  - published: 2009-01-16
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/35391
  - title: Fedora 8 : xterm-238-1.fc8 (2009-0154)
- NASL family: Gentoo Local Security Checks
  - NASL id: GENTOO_GLSA-200902-04.NASL
  - description: The remote host is affected by the vulnerability described in GLSA-200902-04 (xterm: User-assisted arbitrary commands execution) Paul Szabo reported an insufficient input sanitization when processing Device Control Request Status String (DECRQSS) sequences. Impact : A remote attacker could entice a user to display a file containing specially crafted DECRQSS sequences, possibly resulting in the remote execution of arbitrary commands with the privileges of the user viewing the file. Workaround : There is no known workaround at this time.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35675
  - published: 2009-02-13
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/35675
  - title: GLSA-200902-04 : xterm: User-assisted arbitrary commands execution
- NASL family: SuSE Local Security Checks
  - NASL id: SUSE_11_1_XTERM-090108.NASL
  - description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 40327
  - published: 2009-07-21
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/40327
  - title: openSUSE Security Update : xterm (xterm-405)
- NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2009-0059.NASL
  - description: This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35388
  - published: 2009-01-16
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/35388
  - title: Fedora 9 : xterm-238-1.fc9 (2009-0059)
- NASL family: Debian Local Security Checks
  - NASL id: DEBIAN_DSA-1694.NASL
  - description: Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences (CVE-2008-2383). As an additional precaution, this security update also disables font changing, user-defined keys, and X property changes through escape sequences.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35293
  - published: 2009-01-06
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35293
  - title: Debian DSA-1694-1 : xterm - design flaw
- NASL family: FreeBSD Local Security Checks
  - NASL id: FREEBSD_PKG_D5E1AAC8DB0B11DDAE30001CC0377035.NASL
  - description: SecurityFocus reports : The xterm program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input. Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35295
  - published: 2009-01-06
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35295
  - title: FreeBSD : xterm -- DECRQSS remote command execution vulnerability (d5e1aac8-db0b-11dd-ae30-001cc0377035)
- NASL family: SuSE Local Security Checks
  - NASL id: SUSE_XTERM-5898.NASL
  - description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 41604
  - published: 2009-09-24
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/41604
  - title: SuSE 10 Security Update : xterm (ZYPP Patch Number 5898)
- NASL family: Oracle Linux Local Security Checks
  - NASL id: ORACLELINUX_ELSA-2009-0018.NASL
  - description: From Red Hat Security Advisory 2009:0018 : An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 67791
  - published: 2013-07-12
  - reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/67791
  - title: Oracle Linux 3 / 4 / 5 : xterm (ELSA-2009-0018)
- NASL family: SuSE Local Security Checks
  - NASL id: SUSE9_12344.NASL
  - description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.) Support for Matrox G200EV/G200WB cards was added.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 41274
  - published: 2009-09-24
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/41274
  - title: SuSE9 Security Update : XFree86 (YOU Patch Number 12344)
- NASL family: SuSE Local Security Checks
  - NASL id: SUSE_XTERM-5902.NASL
  - description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35369
  - published: 2009-01-14
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/35369
  - title: openSUSE 10 Security Update : xterm (xterm-5902)
- NASL family: CentOS Local Security Checks
  - NASL id: CENTOS_RHSA-2009-0018.NASL
  - description: An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35312
  - published: 2009-01-08
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35312
  - title: CentOS 3 / 4 / 5 : xterm (CESA-2009:0018)
- NASL family: SuSE Local Security Checks
  - NASL id: SUSE_11_0_XTERM-090108.NASL
  - description: XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 40160
  - published: 2009-07-21
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/40160
  - title: openSUSE Security Update : xterm (xterm-405)
- NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2009-0019.NASL
  - description: An updated hanterm-xf package to correct a security issue is now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. Hanterm is a replacement for xterm, a X Window System terminal emulator, that supports Hangul input and output. A flaw was found in the Hanterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside a Hanterm window. (CVE-2008-2383) All hanterm-xf users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of hanterm must be restarted for the update to take effect.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35319
  - published: 2009-01-08
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35319
  - title: RHEL 2.1 : hanterm-xf (RHSA-2009:0019)
- NASL family: MacOS X Local Security Checks
  - NASL id: MACOSX_10_5_7.NASL
  - description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : Apache, ATS, BIND, CFNetwork, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, iChat, International Components for Unicode, IPSec, Kerberos, Kernel, Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP, QuickDraw Manager, ruby, Safari, Spotlight, system_cmds, telnet, Terminal, WebKit, X11
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 38744
  - published: 2009-05-13
  - reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/38744
  - title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
- NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2009-0018.NASL
  - description: An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35302
  - published: 2009-01-07
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35302
  - title: RHEL 3 / 4 / 5 : xterm (RHSA-2009:0018)
- NASL family: Slackware Local Security Checks
  - NASL id: SLACKWARE_SSA_2009-069-03.NASL
  - description: New xterm packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix a security issue.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35827
  - published: 2009-03-11
  - reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/35827
  - title: Slackware 12.0 / 12.1 / 12.2 / current : xterm (SSA:2009-069-03)
- NASL family: Scientific Linux Local Security Checks
  - NASL id: SL_20090107_XTERM_ON_SL3_X.NASL
  - description: A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383)
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 60516
  - published: 2012-08-01
  - reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/60516
  - title: Scientific Linux Security Update : xterm on SL3.x, SL4.x, SL5.x i386/x86_64
- NASL family: Mandriva Local Security Checks
  - NASL id: MANDRIVA_MDVSA-2009-005.NASL
  - description: A vulnerability has been discovered in xterm, which can be exploited by malicious people to compromise a user
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 36977
  - published: 2009-04-23
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/36977
  - title: Mandriva Linux Security Advisory : xterm (MDVSA-2009:005)
Oval
accepted | 2013-04-29T04:18:46.553-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. |
family | unix |
id | oval:org.mitre.oval:def:9317 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. |
version | 27 |
Redhat
advisories | |
rpms | |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
- http://secunia.com/advisories/33318
- https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00184.html
- http://secunia.com/advisories/33419
- https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00072.html
- http://secunia.com/advisories/33568
- http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html
- http://www.redhat.com/support/errata/RHSA-2009-0018.html
- http://secunia.com/advisories/33418
- http://secunia.com/advisories/33397
- http://www.securityfocus.com/bid/33060
- http://www.debian.org/security/2009/dsa-1694
- http://secunia.com/advisories/33820
- http://secunia.com/advisories/33388
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-254208-1
- http://support.apple.com/kb/HT3549
- http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://www.vupen.com/english/advisories/2009/1297
- http://secunia.com/advisories/35074
- http://www.redhat.com/support/errata/RHSA-2009-0019.html
- http://www.securitytracker.com/id?1021522
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47655
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9317
- https://usn.ubuntu.com/703-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOOVZTIABA4MIFUGTAVYWO6QXSUXSST4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3E2Q6NPKT7V4VKZMSFF4ARLRVYOG4AU/