Custom Control Sequence Remote Code Execution (RCE)
CVSSv3: 7.1 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Versions: Terminology <= 1.3
The catch-all behaviour of the \e}pn control sequence in Terminology allows a remote attacker to execute code on the user's computer.
Terminology includes several custom control sequences. These are activated with the \e} sequence.
The \e}pn sequence opens web pages and image files and is handled by the _popmedia function in win.c:4161.
The \e}pn sequence allows a user to display media such as an image or to open a web page. However, all unknown media types are handled by the media_unknown_handle function, which runs xdg-open against the file. This creates a large attack surface: a remotely introduced executable file is executed whenever its MIME type is registered with xdg-open.
This is the case on most Linux systems with a JRE/JDK installed and registered, since the JRE registers java as the MIME handler for .jar files.
An attacker could therefore deliver a file containing the control sequence together with a jar file, causing the jar to be executed once the control sequence is rendered by Terminology.
To reproduce this unsafe behaviour, perform the following:
- Create a Java jar file containing a compiled class configured as the main class in the jar manifest (so it executes automatically)
- Run the following in an affected version of Terminology, where <PATH> is the path to the jar file from the first step.
Exploit / PoC
Consider a Git project or source tarball uploaded to a site containing the following files:
# This is a simple README file ^[}pnexploit.jar^@
When the Terminology user views the file with a program like cat:
the exploit.jar file is executed without the user's knowledge.
I would recommend that, for the meantime, all unknown media types be rejected by the control sequence. Terminology currently has dedicated behaviour for the popup display of images and the opening of web pages, whereas all other media types are unsafely deferred to an external program, where the ability to prevent malicious behaviour is outside Terminology's control.
The media_unknown_handle function should be removed and not called from _popmedia.
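As an added illustration (not Terminology's own code), the following shows the catch-all dispatch the advisory describes beside the allow-list dispatch it recommends, run over a constructed README that carries the sequence. The image extension list, the sample file contents and the function names are assumptions made for this example.

```python
import os
from urllib.parse import urlparse

# Constructed sample: a README carrying the \e}pn sequence from the PoC above,
# plus an image reference and a web page reference for comparison.
SAMPLE_README = (
    b"# This is a simple README file \x1b}pnexploit.jar\x00\n"
    b"See the diagram: \x1b}pnarchitecture.png\x00\n"
    b"Docs: \x1b}pnhttps://example.invalid/docs\x00\n"
)

PN_PREFIX = b"\x1b}pn"      # ESC } p n, as rendered ^[}pn in the PoC
PN_TERMINATOR = b"\x00"     # the NUL (^@) that ends the sequence argument

# Assumed allow-list of image types the popup display supports.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".svg"}


def extract_pn_targets(data: bytes) -> list[str]:
    """Return every argument carried by an ESC}pn ... NUL sequence in data."""
    targets = []
    pos = 0
    while True:
        start = data.find(PN_PREFIX, pos)
        if start == -1:
            return targets
        start += len(PN_PREFIX)
        end = data.find(PN_TERMINATOR, start)
        if end == -1:
            return targets  # unterminated sequence: ignore the trailing fragment
        targets.append(data[start:end].decode("utf-8", "replace"))
        pos = end + 1


def classify_catch_all(target: str) -> str:
    """Dispatch as the advisory describes it: unknown types fall through to xdg-open."""
    if urlparse(target).scheme in ("http", "https"):
        return "open-web-page"
    if os.path.splitext(target)[1].lower() in IMAGE_EXTENSIONS:
        return "popup-image"
    return "xdg-open"  # everything else is handed to an external program


def classify_allowlist(target: str) -> str:
    """Hardened dispatch: only the two supported media kinds act; all else is rejected."""
    action = classify_catch_all(target)
    return "reject" if action == "xdg-open" else action


def audit(data: bytes) -> list[tuple[str, str, str]]:
    """Pair each embedded target with the action under both dispatch policies."""
    return [(t, classify_catch_all(t), classify_allowlist(t)) for t in extract_pn_targets(data)]
```

Running audit(SAMPLE_README) shows exploit.jar going to xdg-open under the catch-all policy and being rejected under the allow-list, while the image and web page are handled identically under both.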
Note that, beyond the remote code execution (high impact), an attacker could also use the same sequence to open a malicious web page and conduct XSS and other attacks against the Terminology user.
For this reason, I'd also recommend that the \e}pn control sequence be disabled by default, so that only users who really want it enable it explicitly with a startup flag such as --extra-sequences.