Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Terminal Emulator Security Issues
From: Michael Jennings <mej () eterm org>
Date: Sun, 2 Mar 2003 16:37:12 -0500

Would stripping escape sequences from the window title work? Do you
know of any applications that actually use this feature?


(Incidentally, I was unable to embed any such sequences in the
title/icon name in 0.9.2 anyway...but I didn't try for very long, so
I may have missed something.)

After further investigation, I'd like to point out the following:

Eterm has *never* allowed any control characters in its title/icon
name sequences.  The following bit of code has existed at least since
Eterm was first committed to CVS:

                else if (ch < ' ')
                    return;     /* control character - exit */

in term.c::process_xterm_seq(), line 1270 or so.

So there was never any way to get escape sequences in the title to
begin with, meaning that the command cannot be hidden using any
character attributes or background/foreground color matching.

Furthermore, the title which is printed via the \e[21t sequence is
limited to just under 1024 characters, which is not enough to cause
the command to scroll off the screen on any but the smallest of

Thus, the following footnote from the original report applies to Eterm
as well:

    [1] Although putty would place the title onto the command-line, we
    were not able to find a method of hiding the command, since
    neither the "invisible" character attribute nor the foreground
    color could be set. Putty has a relatively low limit to the number
    of characters that can be placed into the window title, so it is
    not possible to simply flood the screen with garbage and hope the
    command rolls past the current view.

Having said all that, it would seem that Eterm 0.9.2 is not vulnerable
to ANY of the issues mentioned in this report.  As such, all
distributions shipping older versions of Eterm should be safe after
upgrading to 0.9.2.  To that end, Eterm source and RPM packages are
available for download at http://www.eterm.org/download/ for any
vendor/user with 0.9.1 or earlier.

Hope that clears everything up. :-)


Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  <mej () kainx org>
n + 1, Inc., http://www.nplus1.net/       Author, Eterm (www.eterm.org)
 "By the time they had diminished from 50 to 8, the other dwarves 
  began to suspect 'Hungry' ..."        -- Gary Larson, "The Far Side"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]