ID CVE-2008-2383
Summary CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
References
Vulnerable Configurations
  • cpe:2.3:a:invisible-island:xterm:_nil_
CVSS
Base: 9.3 (as of 02-01-2009 - 14:10)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF, as in http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here (http://www.gnucitizen.org/blog/danger-danger-danger/). The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-0154.NASL
    description This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 35391
    published 2009-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35391
    title Fedora 8 : xterm-238-1.fc8 (2009-0154)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-703-1.NASL
    description Paul Szabo discovered that the DECRQSS escape sequences were not handled correctly by xterm. Additionally, window title operations were also not safely handled. If a user were tricked into viewing a specially crafted series of characters while in xterm, a remote attacker could execute arbitrary commands with user privileges. (CVE-2006-7236, CVE-2008-2382). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 37162
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37162
    title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : xterm vulnerabilities (USN-703-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XTERM-5902.NASL
    description XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 35369
    published 2009-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35369
    title openSUSE 10 Security Update : xterm (xterm-5902)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0019.NASL
    description An updated hanterm-xf package to correct a security issue is now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. Hanterm is a replacement for xterm, a X Window System terminal emulator, that supports Hangul input and output. A flaw was found in the Hanterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside a Hanterm window. (CVE-2008-2383) All hanterm-xf users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of hanterm must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 35319
    published 2009-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35319
    title RHEL 2.1 : hanterm-xf (RHSA-2009:0019)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12344.NASL
    description XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.) Support for Matrox G200EV/G200WB cards was added.
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41274
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41274
    title SuSE9 Security Update : XFree86 (YOU Patch Number 12344)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1694.NASL
    description Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences (CVE-2008-2383). As an additional precaution, this security update also disables font changing, user-defined keys, and X property changes through escape sequences.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 35293
    published 2009-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35293
    title Debian DSA-1694-1 : xterm - design flaw
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200902-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-200902-04 (xterm: User-assisted arbitrary commands execution) Paul Szabo reported an insufficient input sanitization when processing Device Control Request Status String (DECRQSS) sequences. Impact : A remote attacker could entice a user to display a file containing specially crafted DECRQSS sequences, possibly resulting in the remote execution of arbitrary commands with the privileges of the user viewing the file. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 35675
    published 2009-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35675
    title GLSA-200902-04 : xterm: User-assisted arbitrary commands execution
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0018.NASL
    description An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 35312
    published 2009-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35312
    title CentOS 3 / 4 / 5 : xterm (CESA-2009:0018)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090107_XTERM_ON_SL3_X.NASL
    description A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60516
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60516
    title Scientific Linux Security Update : xterm on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XTERM-5898.NASL
    description XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 41604
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41604
    title SuSE 10 Security Update : xterm (ZYPP Patch Number 5898)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_XTERM-090108.NASL
    description XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 40160
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40160
    title openSUSE Security Update : xterm (xterm-405)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0018.NASL
    description An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 35302
    published 2009-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35302
    title RHEL 3 / 4 / 5 : xterm (RHSA-2009:0018)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-005.NASL
    description A vulnerability has been discovered in xterm, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to xterm not properly processing the DECRQSS Device Control Request Status String escape sequence. This can be exploited to inject and execute arbitrary shell commands by e.g. tricking a user into displaying a malicious text file containing a specially crafted escape sequence via the more command in xterm (CVE-2008-2383). The updated packages have been patched to prevent this.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 36977
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36977
    title Mandriva Linux Security Advisory : xterm (MDVSA-2009:005)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_7.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products: Apache, ATS, BIND, CFNetwork, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, iChat, International Components for Unicode, IPSec, Kerberos, Kernel, Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP, QuickDraw Manager, ruby, Safari, Spotlight, system_cmds, telnet, Terminal, WebKit, X11.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 38744
    published 2009-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38744
    title Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-0059.NASL
    description This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 35388
    published 2009-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35388
    title Fedora 9 : xterm-238-1.fc9 (2009-0059)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2009-069-03.NASL
    description New xterm packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix a security issue.
    last seen 2018-09-01
    modified 2013-06-01
    plugin id 35827
    published 2009-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35827
    title Slackware 12.0 / 12.1 / 12.2 / current : xterm (SSA:2009-069-03)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0018.NASL
    description From Red Hat Security Advisory 2009:0018 : An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 67791
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67791
    title Oracle Linux 3 / 4 / 5 : xterm (ELSA-2009-0018)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_XTERM-090108.NASL
    description XTerm evaluated various ANSI Escape sequences so that command execution was possible if an attacker could pipe raw data to an xterm. (CVE-2008-2383) (It is usually not recommended to display raw data on an xterm.)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 40327
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40327
    title openSUSE Security Update : xterm (xterm-405)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_D5E1AAC8DB0B11DDAE30001CC0377035.NASL
    description SecurityFocus reports : The xterm program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input. Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 35295
    published 2009-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35295
    title FreeBSD : xterm -- DECRQSS remote command execution vulnerability (d5e1aac8-db0b-11dd-ae30-001cc0377035)
oval via4
accepted 2013-04-29T04:18:46.553-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
family unix
id oval:org.mitre.oval:def:9317
status accepted
submitted 2010-07-09T03:56:16-04:00
title CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
version 24
redhat via4
advisories
  • bugzilla
    id 478888
    title CVE-2008-2383 xterm: arbitrary command injection
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhsa:tst:20060015001
      • comment xterm is earlier than 0:179-11.EL3
        oval oval:com.redhat.rhsa:tst:20090018002
      • comment xterm is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20070701003
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • comment xterm is earlier than 0:192-8.el4_7.2
        oval oval:com.redhat.rhsa:tst:20090018005
      • comment xterm is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20070701003
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • comment xterm is earlier than 0:215-5.el5_2.2
        oval oval:com.redhat.rhsa:tst:20090018007
      • comment xterm is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20090018008
    rhsa
    id RHSA-2009:0018
    released 2009-01-07
    severity Important
    title RHSA-2009:0018: xterm security update (Important)
  • rhsa
    id RHSA-2009:0019
rpms
  • xterm-0:179-11.EL3
  • xterm-0:192-8.el4_7.2
  • xterm-0:215-5.el5_2.2
refmap via4
apple APPLE-SA-2009-05-12
bid 33060
cert TA09-133A
confirm
debian DSA-1694
fedora
  • FEDORA-2009-0059
  • FEDORA-2009-0154
sectrack 1021522
secunia
  • 33318
  • 33388
  • 33397
  • 33418
  • 33419
  • 33568
  • 33820
  • 35074
sunalert 254208
suse
  • SUSE-SR:2009:002
  • SUSE-SR:2009:003
ubuntu USN-703-1
vupen ADV-2009-1297
xf xterm-decrqss-code-execution(47655)
Last major update 30-10-2012 - 22:57
Published 02-01-2009 - 13:11
Last modified 03-10-2018 - 17:54