Bugtraq mailing list archives
Re: [rootshell.com] Xterm DoS Attack
From: mej () VALINUX COM (Michael Jennings)
Date: Thu, 8 Jun 2000 13:41:48 -0700
On Tuesday, 06 June 2000, at 10:28:28 (+0100), Simon Tatham wrote:
> Philosophically, I have a hard time seeing this as a bug in any given terminal emulator. There _should_ be a way for a (trusted) app running in a terminal emulator to request window size changes and other such things; it's very useful.
Absolutely. Disabling the sequence altogether is an improper fix to the problem. The solution as I implemented it in the newer Eterms was to limit the resize request based on the screen size. I see very little point in allowing a terminal window to resize itself larger than the screen. This was just an arbitrary limit on my part, though; if you wanted to choose a bit larger than the screen, same difference. But there should be checks for reasonable values, especially if you use the larger data types (like a 32- or 64-bit integer) for the x/y sizes. A 2-billion-by-2-billion terminal window doesn't make sense for anyone.
> And in the absence of separated control and data streams within a terminal session (in which case one could allow `cat' unrestricted access to the data stream and it would not be able to DoS by injecting malice into the control stream), the whole terminal session must be considered to be the control stream, and vulnerable. Don't `cat' untrusted files.
Unfortunately, the vulnerability extends well beyond simply "cat". Theoretically it may be possible as a local user (or even a remote one?) to cause such strings to be injected into the syslog/messages file, which many sysadmins keep a running tail on. You've also got to consider e-mail, which is often read through terminal clients. Then there's IRC and other chat networks. Talk daemon requests (remember flash?). Web pages viewed by lynx or other text-based browsers. The list goes on....

Michael

--
"Some mornings, it's just not worth chewing through the leather straps."
-- Emo Phillips
=======================================================================
Michael Jennings <mej () eterm org> www.tcserv.com PGP Key ID: BED09971
Software Engineer, VA Linux Systems Author, Eterm (www.eterm.org)
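
Added example, not part of the original message and not Eterm's or xterm's actual code: one way to bound a resize request by the screen size, as the reply describes, without letting large parameters wrap. The `term_geom` struct, the function names and the `rows;cols` parameter-string interface are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical geometry record for this example (not Eterm's or xterm's own). */
struct term_geom {
    unsigned long screen_w, screen_h; /* display size in pixels */
    unsigned long cell_w, cell_h;     /* font cell size in pixels */
};

/* Parse one decimal parameter, saturating at ULONG_MAX instead of wrapping. */
static unsigned long parse_param(const char **p)
{
    unsigned long v = 0;
    for (; **p >= '0' && **p <= '9'; (*p)++) {
        unsigned long d = (unsigned long)(**p - '0');
        v = (v > (ULONG_MAX - d) / 10) ? ULONG_MAX : v * 10 + d;
    }
    return v;
}

/* Largest cell count that fits in screen_px; dividing avoids the
 * cells * cell_px multiplication, which could overflow. */
static unsigned long max_cells(unsigned long screen_px, unsigned long cell_px)
{
    unsigned long m = cell_px ? screen_px / cell_px : 1;
    return m ? m : 1;
}

/* params is "rows;cols" as isolated by the escape parser (assumed interface).
 * Returns 1 and stores the clamped size, or 0 if the request is ignored. */
int handle_resize_request(const char *params, const struct term_geom *g,
                          unsigned long *rows, unsigned long *cols)
{
    unsigned long r = parse_param(&params);
    if (*params++ != ';') return 0;
    unsigned long c = parse_param(&params);
    if (*params != '\0' || r == 0 || c == 0) return 0;
    unsigned long mr = max_cells(g->screen_h, g->cell_h);
    unsigned long mc = max_cells(g->screen_w, g->cell_w);
    *rows = r > mr ? mr : r;
    *cols = c > mc ? mc : c;
    return 1;
}

int main(void)
{
    struct term_geom g = {1280, 1024, 8, 16}; /* constructed sample display */
    unsigned long r, c;
    if (handle_resize_request("2000000000;2000000000", &g, &r, &c))
        printf("clamped to %lux%lu cells\n", c, r);
    return 0;
}
```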