Hi. I just discovered the tty escape command 55 in rxvt. By echoing ^[]55;/tmp/log.txt^G to my tty, i can dump the content of the scrollback buffer to disk. that means that if i can manage to write something to root's rxvt, i could override /etc/passwd or any other file of importance. even if root doesn't have world writeable terminal, i can still make a file called /tmp/look-shes-naked.txt and root will cat it and frob /etc/passwd. Ali.
- Re: Security hole in RXVT. Ali Rahimi
- Re: Security hole in RXVT. Geoff Wing
- Re: Security hole in RXVT. Todd Larason
