Bug 1205305 - (CVE-2022-45063) VUL-0: CVE-2022-45063: xterm: code execution via font ops
(CVE-2022-45063)
VUL-0: CVE-2022-45063: xterm: code execution via font ops
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Marcus Meissner
Security Team bot
https://smash.suse.de/issue/347701/
CVSSv3.1:SUSE:CVE-2022-45063:8.8:(AV:...
:
Depends on:
Blocks: 1205840
  Show dependency treegraph
 
Reported: 2022-11-10 18:42 UTC by Andreas Stieger
Modified: 2023-01-26 20:35 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (meissner)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2022-11-10 18:42:19 UTC
It was reported that xterm before patch 375 can enable an RCE under certain conditions.

The issue is in the OSC 50 sequence, which is for setting and querying
the font. If a given font does not exist, it is not set, but a query
will return the name that was set. Control characters can't be
included, but the response string can be terminated with ^G. This
essentially gives us a primitive for echoing text back to the terminal
and ending it with ^G.

It so happens ^G is in Zsh when in vi line editing mode bound to
"list-expand". Which can run commands as part of the expansion leading
to command execution without pressing enter!

This does mean to exploit this vulnerability the user needs to be
using Zsh in vi line editing mode (usually via $EDITOR having "vi" in
it). While somewhat obscure this is not a totally unknown
configuration.

In that configuration, something like:
printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063  # or another way to deliver this to the victim

Will touch that file. It will leave the line on the user's screen;
I'll leave it as an exercise for the reader to use the vi line editing
commands to hide the evidence.


Mitigation:

Set this Xresource:
XTerm*allowFontOps: false


References:
https://www.openwall.com/lists/oss-security/2022/11/10/1
Comment 1 OBSbugzilla Bot 2022-11-11 13:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1205305) was mentioned in
https://build.opensuse.org/request/show/1035234 Factory / xterm
Comment 2 Marcus Meissner 2022-11-15 09:45:20 UTC
fwiw, our default is in SLE11, SLE12 and SLE15:

+! Security: Disallow operations that might allow raw text being pasted to xterm to
+! execute code.
+*allowWindowOps:       false
+*allowFontOps:         false
Comment 3 Marcus Meissner 2022-11-15 10:33:54 UTC
fix is in there
https://github.com/ThomasDickey/xterm-snapshots/compare/xterm-374b...xterm-374c


the author rewrote parts of the font handling code to have better error checking.
Comment 5 Marcus Meissner 2023-01-23 13:41:26 UTC
QA REPRODUCER:

echo "*allowFontOps:         true" | xrdb

xterm
then run:

printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063

BAD:
$ cat cve-2022-45063 
50;i$(touch /tmp/hack-like-its-1999)


GOOD:
$ cat cve-2022-45063 
50;-misc-fixed-medium-r-semicondensed-*-13-120-75-75-c-60-iso10646-1

(so returns a font name instead of shellcode)
Comment 7 Swamp Workflow Management 2023-01-26 20:35:07 UTC
SUSE-SU-2023:0173-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205305
CVE References: CVE-2022-45063
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xterm-330-150000.4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xterm-330-150000.4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xterm-330-150000.4.6.1
SUSE Enterprise Storage 6 (src):    xterm-330-150000.4.6.1
SUSE CaaS Platform 4.0 (src):    xterm-330-150000.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.