Dear Ryan,

Curious that you do not consider this a bug: similar things were fixed
in other terminal emulators like xterm, so people could "safely" view
(i.e. cat or grep) any files, e.g. root perusing syslog.

Looking at the further message on FullDisclosure:
  https://seclists.org/fulldisclosure/2021/May/51
(quoted below for completeness), it seems that this is now fixed
upstream in version 9.25, maybe they did consider it a bug.

Cheers, Paul

Paul Szabo       p...@maths.usyd.edu.au       www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney    Australia


Quoting message:

From: def <d...@huumeet.info>
To: <fulldisclos...@seclists.org>
Date: Thu, 20 May 2021 04:38:34 +0300
Subject: Re: [FD] (u)rxvt terminal (+bash) remoteish code execution 0day

Minor clarifications and additional details for the post.

First and foremost, this vulnerability is not technically a zero-day for
rxvt-unicode since the bug has been independently discovered & publicly
discussed at oss-security at least in 2017:

    https://www.openwall.com/lists/oss-security/2017/05/01/20

Upstream patched the vulnerability silently back in 2017. According to
rxvt-unicode commit messages and changelog entries, the vulnerability
was considered to have minor "security implications" explaining why it
never was considered critical enough to backport to old Linux distros.
Moreover, the first patched version is rxvt-unicode 9.25 (2021-05-14)
released barely a couple of weeks ago. Therefore, most Linux distros
still ship *unpatched* rxvt-unicode 9.22 (2016-05-14). Yes, 9.23 & 9.24
version numbers do not exist because they were skipped in the upstream.

Nonetheless the exploit remains 0day (i.e., no upstream patch available)
for at least the following rxvt forks and derivatives.

 - rxvt 2.7.10  (the original rxvt terminal)
 - mrxvt 0.5.4  (unmaintained rxvt terminal with tabs)
 - aterm 1.0.1  (random rxvt-based terminal from Debbie "jessie" repos)
 - eterm 0.9.7  (Enlightenmenth

Finally, the vulnerability can be exploited in any context in which the
attacker can plant payload scripts in a subdirectory of CWD and trigger
code execution by writing (unescaped) ANSI escape sequences to stdout or
stderr. Suitable target programs besides `scp` include popular CLI tools
like `unrar` and `busybox tar` as demonstrated in the PoCs here:

    https://huumeet.info/~def/rxvt0day/

Note that GNU tar is not exploitable due to properly escaped filenames.

- def
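The safe behaviour def credits GNU tar with (escaping control characters in filenames before they reach the terminal) is easy to reproduce in any tool that echoes untrusted names. The snippet below is an added defender-side example, not code from either message or from any of the projects named; it assumes Python 3 and uses constructed sample names.

```python
import re

# Constructed sample of member names an archiver or copy tool might print.
# The second carries an ESC-introduced sequence (a harmless SGR colour
# change here); the third carries a raw tab. None of these is an exploit.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "docs/\x1b[31mnotes\x1b[0m.txt",
    "docs/tab\there.txt",
]

# C0 controls (incl. ESC 0x1b), DEL, and C1 controls (incl. CSI 0x9b,
# OSC 0x9d), i.e. every code point that can start a terminal sequence.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def has_terminal_controls(name):
    """True if writing `name` verbatim could drive the terminal emulator."""
    return _CONTROL.search(name) is not None


def escape_for_terminal(name):
    """Render control characters as backslash-octal escapes so that no
    ESC/CSI/OSC sequence ever reaches the emulator.  Backslash itself is
    doubled so the escaped form is unambiguous (octal escaping is the same
    style GNU tar uses; the exact output format is this example's choice)."""
    out = []
    for ch in name:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F or 0x80 <= code <= 0x9F:
            out.append("\\%03o" % code)
        else:
            out.append(ch)
    return "".join(out)


def safe_listing(names):
    """Return (lines safe to print, number of names that needed escaping)."""
    flagged = sum(1 for n in names if has_terminal_controls(n))
    return [escape_for_terminal(n) for n in names], flagged


if __name__ == "__main__":
    lines, flagged = safe_listing(SAMPLE_NAMES)
    for line in lines:
        print(line)
    print("names containing terminal controls:", flagged)
```

The same check works as a log-review filter: running `has_terminal_controls` over lines of a file before `cat`-ing it as root flags exactly the content Paul's message worries about.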
