Bug ID 1205305
Summary VUL-0: CVE-2022-45063: xterm: code execution via font ops
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee meissner@suse.com
Reporter Andreas.Stieger@gmx.de
QA Contact security-team@suse.de
Found By ---
Blocker ---

It was reported that xterm before patch 375 can enable an RCE under certain
conditions.

The issue is in the OSC 50 sequence, which is for setting and querying
the font. If a given font does not exist, it is not set, but a query
will return the name that was set. Control characters can't be
included, but the response string can be terminated with ^G. This
essentially gives us a primitive for echoing text back to the terminal
and ending it with ^G.

It so happens that in Zsh, when in vi line editing mode, ^G is bound to
"list-expand", which can run commands as part of the expansion, leading
to command execution without pressing enter!

This does mean to exploit this vulnerability the user needs to be
using Zsh in vi line editing mode (usually via $EDITOR having "vi" in
it). While somewhat obscure this is not a totally unknown
configuration.

In that configuration, something like:
printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063  # or another way to deliver this to the victim

Will touch that file. It will leave the line on the user's screen;
I'll leave it as an exercise for the reader to use the vi line editing
commands to hide the evidence.


Mitigation:

Set this Xresource:
XTerm*allowFontOps: false


References:
https://www.openwall.com/lists/oss-security/2022/11/10/1
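Added example (not part of the bug report or of xterm itself): a small scanner for the primitive described above. It parses OSC sequences out of a byte stream, picks out OSC 50 font operations, and flags the pattern the PoC relies on, a font "set" whose name carries shell metacharacters followed by a font query that would echo it back terminated with ^G. It also strips OSC sequences so untrusted output can be displayed, and checks a ~/.Xresources-style text for the allowFontOps mitigation. The sample payload is constructed to match the shape of the report's printf line; the 1-byte BEL/ST terminators and the assumption that allowFontOps defaults to true are mine.

```python
import re

# Constructed sample, same shape as the report's PoC (hypothetical file contents).
SAMPLE = b"\x1b]50;i$(touch /tmp/hack-like-its-1999)\x07\x1b]50;?\x07"

# OSC: ESC ] ... terminated by BEL (^G) or ST (ESC \).
OSC_RE = re.compile(rb"\x1b\](?P<body>.*?)(?:\x07|\x1b\\)", re.DOTALL)
# Metacharacters that would make the echoed font name expand in a shell.
SHELL_META = re.compile(rb"[$`]")


def find_osc(data):
    """Return [(code, payload)] for every OSC sequence in the stream."""
    out = []
    for m in OSC_RE.finditer(data):
        code, _, payload = m.group("body").partition(b";")
        out.append((code.decode("ascii", "replace"), payload))
    return out


def is_suspicious(data):
    """True if an OSC 50 font set with shell metacharacters is later
    followed by an OSC 50 query ('?'), which xterm answers with the stored
    name terminated by ^G."""
    armed = False
    for code, payload in find_osc(data):
        if code != "50":
            continue
        if payload == b"?":
            if armed:
                return True
        elif SHELL_META.search(payload):
            armed = True
    return False


def strip_osc(data):
    """Drop all OSC sequences so the rest of the stream can be shown safely."""
    return OSC_RE.sub(b"", data)


def font_ops_allowed(xresources_text):
    """Inspect a constructed X resources text; assumes xterm's default of
    allowFontOps being true when the resource is not set."""
    for line in xresources_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower().endswith("allowfontops"):
            return value.strip().lower() not in ("false", "0", "off", "no")
    return True


if __name__ == "__main__":
    print("OSC sequences:", find_osc(SAMPLE))
    print("suspicious:", is_suspicious(SAMPLE))
    print("sanitized:", strip_osc(SAMPLE))
    print("font ops allowed:", font_ops_allowed("XTerm*allowFontOps: false\n"))
```

Run it over a file before viewing it with cat, or pipe output through strip_osc when the source is untrusted. The order check matters: a lone query, or a query that precedes the set, cannot echo the injected name.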