Saturday, July 17, 2010

Having fun with CVE-2010-2713

Heres a fun little exploit i noticed the other day, at first i didnt have any idea wtf i was looking at. After a little research i found out that libvte was used by gnome-terminal and thats what really got me interested, it was something i could play with without having to do a bunch of shit ;p So whats going on anyway, well vte reports back a window or icon name to the term as if it was a command being issued and at the same time users are allowed to set the name of a window or icon and that is where the issue lies. The one catch is after the attack starts the victim has to hit the enter key to execute the command issued to the term from the attack, but this is very easy to get around. Ok lets test this baby out. Open a term and run this:

export PS1="\033]0;;ls\007" <= sets the window name to ;ls

Then this:

export PS1="\033]0;\a\e[21t\007" <= sends the window name to the term

Now all you have to do is hit enter and you should get a dir listing :D There is all kinds of ways to automate this so all the victim has to do is hit enter, you can even send a message telling the victim to hit enter to continue >:) Thats it, enjoy.

No comments:

Post a Comment