RE: Re: Terminal Emulator Security Issues

["Steve Wray" <steve.wray () paradise net nz>]

> On Monday, 24 February 2003, at 15:02:52 (-0600),
> H D Moore wrote:
>
> > Eterm and rxvt both implement what they call the "screen dump"
[snip]
> > followed by the screen dump command.
> >
> > $ echo -e "\ec+ +\n\e]<Code>;/home/user/.rhosts\a"
>
> As you noted, this is no longer possible with the current release of
> Eterm, which has been out for some time now.  I didn't think it was
> exploitable until, through a discussion related to this Debian bug:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=141374&archive=yes
 
Isn't this one of the generic problems with running the stable
debian distro? It tends to get left behind. Sort of like end-of-life
only undeclared...



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html