
Might terminal emulators such as konsole or xterm have remotely exploitable security bugs?


#1

Originally published at: https://www.whonix.org/blog/might-terminal-emulators-konsole-xterm-remotely-exploitable-security-bugs

One might assume terminal emulators such as konsole or xterm are simple programs not to be exploited, but well, let’s rethink.

Showing output from untrusted remote sources (sdwdate time provider server replies; replies by Tor) might exploit bugs in terminal-emulators such as konsole, right?

For example, open xterm, then

cat /dev/random

let it run for a while and then abort using the usual ctrl + c. Then press enter. You’ll see that it shows some weird characters followed by command not found. How come the output of a running program in terminal can influence what is written in the following command prompt?

Similar to:

https://forums.whonix.org/t/graphical-gui-whonix-setup-wizard-anon-connection-wizard-technical-discussion/650/538

TODO:

  • research historically fixed and current bugs in terminal emulators
  • perhaps move to a security focused terminal emulator
  • no longer write untrusted output to logs
  • educate users about this risk (wget plus cat could be dangerous)
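
One way to act on the "no longer write untrusted output" item is to make every control character visible before the data reaches a terminal or log. This is an added example, not part of the original post or of Whonix's code; the function name and the sample bytes are constructed for illustration.

```python
import unicodedata

# Control characters that are harmless to pass through unchanged.
_ALLOWED_CONTROLS = {"\n", "\t"}

# Unicode categories that can steer a terminal or mislead a reader:
# Cc = control (ESC, BEL, CR, BS, 8-bit C1 such as CSI 0x9b),
# Cf = format (bidirectional overrides, zero-width characters),
# Zl / Zp = line and paragraph separators.
_ESCAPED_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}


def sanitize_for_terminal(data: bytes) -> str:
    """Return a display-only rendering of untrusted bytes.

    Escape sequences are not parsed or stripped; instead the characters
    that introduce them are replaced with visible text, so the terminal
    emulator's own parser never sees them. The result is meant for
    viewing and logging, not for recovering the original bytes.
    """
    # Invalid UTF-8 becomes literal \xNN text instead of raw bytes.
    text = data.decode("utf-8", errors="backslashreplace")
    out = []
    for ch in text:
        if ch in _ALLOWED_CONTROLS:
            out.append(ch)
        elif unicodedata.category(ch) in _ESCAPED_CATEGORIES:
            code = ord(ch)
            out.append(f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a server reply carrying a title-setting sequence,
    # a clear-screen sequence and a carriage return.
    reply = b"time: 12:00\x1b]0;title\x07\x1b[2J\rok\n"
    print(sanitize_for_terminal(reply), end="")
```
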

#2

//cc @HulaHoop @marmarek


#3

Yes it is possible to exploit terminal emulators and has been done in the past:

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/

https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/


https://st.suckless.org/

xterm is massive, ugly and emulates obsolete crap no one ever uses. st is written from the ground up to be minimal, light and secure.

https://packages.debian.org/stretch/stterm


#4

Nice. Can it zoom / increase font size? Haven’t figured that out.

Important features:

  • unlimited scrollback
  • stop auto scroll
  • zoom (increase fonts)
  • copy
  • paste
  • (tabs)

#5

Scroll support is supposedly a separate patch on their site, though I don’t know if it’s been compiled into the Debian package.

https://st.suckless.org/patches/scrollback/

They say it has clipboard handling so I assume yes.

Since this is X-based like xterm, they don’t support multiple tabs without using tmux/GNU screen. Tmux support is not available and it’s in the cards to code an alternative.


As a whole I don’t think that using konsole is doom and gloom (because of st’s major limitations). Most of the escaping vulns have been ironed out in the 2000s and many competent people seem to be fuzzing terminal emulators quite regularly. Most of these experts are concerned with busybox vulnerabilities because it’s relatively immature compared to alternatives and embedded hardware being everywhere.

This is similar to the situation with using bash vs something else. On one hand you will end up with a smaller codebase but on the other you might miss out on security experts’ mindshare and attention, which is focused on the most widely used solutions. Using the less popular solution would end up being security thru obscurity.


#6

Not included btw.


#7

Looks like I came like 18 years too late for this issue. :smile:


#8

Never mind late. You were still thinking in the right direction like an attacker would. That’s valuable for a sec project of this caliber.