Bug 1205305 (CVE-2022-45063) - VUL-0: CVE-2022-45063: xterm: code execution via font ops
Summary: VUL-0: CVE-2022-45063: xterm: code execution via font ops
Status: RESOLVED FIXED
Alias: CVE-2022-45063
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/347701/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-45063:8.8:(AV:...
 
Reported: 2022-11-10 18:42 UTC by Andreas Stieger
Modified: 2024-05-03 09:08 UTC

Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xterm-CVE-2022-45063.patch (677 bytes, patch)
2023-02-22 09:49 UTC, Marcus Meissner
xterm-CVE-2022-45063.patch for SLES12 (28.51 KB, patch)
2023-02-22 12:28 UTC, Marcus Meissner

Description Andreas Stieger 2022-11-10 18:42:19 UTC
It was reported that xterm before patch 375 can enable an RCE under certain conditions.

The issue is in the OSC 50 sequence, which is for setting and querying
the font. If a given font does not exist, it is not set, but a query
will return the name that was set. Control characters can't be
included, but the response string can be terminated with ^G. This
essentially gives us a primitive for echoing text back to the terminal
and ending it with ^G.

It so happens that in Zsh, when in vi line editing mode, ^G is bound to
"list-expand", which can run commands as part of the expansion, leading
to command execution without pressing enter!

This does mean that to exploit this vulnerability the user needs to be
using Zsh in vi line editing mode (usually via $EDITOR having "vi" in
it). While somewhat obscure, this is not a totally unknown
configuration.

In that configuration, something like:
printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063  # or another way to deliver this to the victim

will touch that file. It will leave the line on the user's screen;
I'll leave it as an exercise for the reader to use the vi line editing
commands to hide the evidence.


Mitigation:

Set this Xresource:
XTerm*allowFontOps: false


References:
https://www.openwall.com/lists/oss-security/2022/11/10/1
Comment 1 OBSbugzilla Bot 2022-11-11 13:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1205305) was mentioned in
https://build.opensuse.org/request/show/1035234 Factory / xterm
Comment 2 Marcus Meissner 2022-11-15 09:45:20 UTC
fwiw, this is our default in SLE11, SLE12 and SLE15:

+! Security: Disallow operations that might allow raw text being pasted to xterm to
+! execute code.
+*allowWindowOps:       false
+*allowFontOps:         false
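Review bot: the app-defaults comment "raw text being pasted to xterm" understates what these two resources guard; per the description above the trigger is an OSC 50 sequence in output that is merely displayed (`cat` of a file, "or another way to deliver this to the victim"), not a paste, so the comment should read "raw text displayed in or pasted to xterm". Also, this is only a default: Comment 5's reproducer re-enables the operation from the user side with `echo "*allowFontOps:         true" | xrdb`, so the upstream code fix is still required on top of `*allowFontOps: false`.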
Comment 3 Marcus Meissner 2022-11-15 10:33:54 UTC
fix is in there
https://github.com/ThomasDickey/xterm-snapshots/compare/xterm-374b...xterm-374c


the author rewrote parts of the font handling code to have better error checking.
Comment 5 Marcus Meissner 2023-01-23 13:41:26 UTC
QA REPRODUCER:

echo "*allowFontOps:         true" | xrdb

xterm
then run:

printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063

BAD:
$ cat cve-2022-45063 
50;i$(touch /tmp/hack-like-its-1999)


GOOD:
$ cat cve-2022-45063 
50;-misc-fixed-medium-r-semicondensed-*-13-120-75-75-c-60-iso10646-1

(so returns a font name instead of shellcode)
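The set-then-query echo primitive described in the report and exercised by the QA reproducer above can be recognised in a captured terminal stream; the Python scanner below is an added example (not xterm's or SUSE's code) that classifies OSC 50 sequences, flags the set-then-echo pattern, and reads the allowFontOps mitigation out of `xrdb -query` output. The font-name allowlist and the `xrdb -query` line format are assumptions; the sample bytes are constructed from the reproducer on this page.

```python
import re
from dataclasses import dataclass
# OSC = ESC ] Ps;Pt ended by BEL or ST (ESC \). OSC 50 sets the font when Pt is a
# font spec and echoes the current font name back when Pt is "?".
OSC_RE = re.compile(rb"\x1b\](?P<body>.*?)(?:\x07|\x1b\\)", re.DOTALL)
# Assumed allowlist for a font spec (XLFD/fontconfig names, "#+n" relative menu
# selection); shell metacharacters such as $ ( ) ` | never belong in one.
FONT_OK_RE = re.compile(rb"^[A-Za-z0-9 _.:,*#+=-]*$")

@dataclass
class Osc50Event:
    offset: int       # byte offset of the sequence in the captured stream
    kind: str         # "set" or "query"
    font: bytes       # Pt as received
    suspicious: bool  # a set whose Pt falls outside the font allowlist

def scan_osc50(data: bytes) -> list:
    """Locate every OSC 50 sequence in a captured terminal stream."""
    events = []
    for m in OSC_RE.finditer(data):
        ps, _, pt = m.group("body").partition(b";")
        if ps != b"50":
            continue
        if pt == b"?":
            events.append(Osc50Event(m.start(), "query", pt, False))
        else:
            bad = FONT_OK_RE.match(pt) is None
            events.append(Osc50Event(m.start(), "set", pt, bad))
    return events

def echo_primitive_present(events) -> bool:
    """True when a suspicious set is later followed by a query (set-then-echo)."""
    bad_set_seen = False
    for e in events:
        if e.kind == "set" and e.suspicious:
            bad_set_seen = True
        elif e.kind == "query" and bad_set_seen:
            return True
    return False

def allow_font_ops_setting(xrdb_output: str):
    """allowFontOps value in `xrdb -query` output, or None if absent (inconclusive:
    app-defaults files are not part of that output)."""
    value = None
    for line in xrdb_output.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower().endswith("allowfontops"):
            value = val.strip().lower()
    return value

# Constructed samples: the reproducer bytes from this report and a benign font set.
POC = b"\x1b]50;i$(touch /tmp/hack-like-its-1999)\x07\x1b]50;?\x07"
BENIGN = b"\x1b]50;-misc-fixed-medium-r-semicondensed-*-13-120-75-75-c-60-iso10646-1\x1b\\"
```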
Comment 7 Swamp Workflow Management 2023-01-26 20:35:07 UTC
SUSE-SU-2023:0173-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205305
CVE References: CVE-2022-45063
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xterm-330-150000.4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xterm-330-150000.4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xterm-330-150000.4.6.1
SUSE Enterprise Storage 6 (src):    xterm-330-150000.4.6.1
SUSE CaaS Platform 4.0 (src):    xterm-330-150000.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2023-02-01 14:25:14 UTC
SUSE-SU-2023:0221-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205305
CVE References: CVE-2022-45063
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xterm-330-150200.11.9.1
SUSE Manager Server 4.2 (src):    xterm-330-150200.11.9.1
SUSE Manager Retail Branch Server 4.2 (src):    xterm-330-150200.11.9.1
SUSE Manager Proxy 4.2 (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src):    xterm-330-150200.11.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xterm-330-150200.11.9.1
SUSE Enterprise Storage 7.1 (src):    xterm-330-150200.11.9.1
SUSE Enterprise Storage 7 (src):    xterm-330-150200.11.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Marcus Meissner 2023-02-22 09:49:28 UTC
Created attachment 865053 [details]
xterm-CVE-2022-45063.patch

simple disable patch for SLES 11 xterm.

We basically just disable setting the font via ESCAPE sequence.

Untested
Comment 13 Tamara Schmitz 2023-02-22 11:02:55 UTC
(In reply to Marcus Meissner from comment #11)
> xterm-CVE-2022-45063.patch
>
> Untested

I built a test PTF with your patch and tested it. I followed your QA reproducer steps and can trigger the exploit when unpatched and get the expected result with the patch.
Comment 14 Marcus Meissner 2023-02-22 12:28:49 UTC
Created attachment 865056 [details]
xterm-CVE-2022-45063.patch for SLES12

xterm-CVE-2022-45063.patch for SLES 12

backported fix.
Comment 16 Maintenance Automation 2023-02-28 20:30:01 UTC
SUSE-SU-2023:0582-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1205305
CVE References: CVE-2022-45063
Sources used:
SUSE OpenStack Cloud 9 (src): xterm-308-5.9.1
SUSE OpenStack Cloud Crowbar 9 (src): xterm-308-5.9.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): xterm-308-5.9.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): xterm-308-5.9.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): xterm-308-5.9.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): xterm-308-5.9.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xterm-308-5.9.1
SUSE Linux Enterprise Server 12 SP5 (src): xterm-308-5.9.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xterm-308-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Thomas Fritz 2023-05-19 11:52:51 UTC
00644171   EAR
HUAWEI TECHNOLOGIES CO LTD - CHINA
SUSE Linux Enterprise Server 11 SP1 x86_64
Restricted - Partner Program only Subscription for SUSE Linux Enterprise Server Long Term Service Pack Support, ARM, current versions F2AC7D13E6137346

Restricted - Partner Program only Subscription for SUSE Linux Enterprise Server Long Term Service Pack Support, POWER, current versions E86F49CA3AD28CE3

Restricted - Partner Program only Subscription for SUSE Linux Enterprise Server Long Term Service Pack Support, x86 & x86-64, current versions F31607A2B20ACDA0
Comment 18 Robert Frohl 2024-05-03 09:08:25 UTC
done, closing