Vulnerability in xterm leading to code execution when processing certain lines

A vulnerability has been identified in the xterm terminal emulator (CVE-2022-45063) that allows shell commands to be executed when certain escape sequences are processed by the terminal. In the simplest case it is enough to display the contents of a specially crafted file on the screen, for example with the cat utility, or to paste a line from the clipboard:

    printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
    cat cve-2022-45063

The problem is caused by a bug in the handling of escape code 50 (OSC 50), which is used to set or query font options. If the requested font does not exist, the operation returns the name of the font given in the request. Control characters cannot be inserted into the name directly, but the returned string can be terminated by the "^G" character (BEL), which in zsh, when the vi-style line editing mode is active, triggers the list-expansion operation; this can be used to run commands without the user explicitly pressing Enter.

To successfully exploit the vulnerability, the user must be running the Zsh shell with its line editor switched to "vi" mode (vi-cmd-mode), which distributions usually do not enable by default. The problem also does not occur when xterm is configured with allowWindowOps=false or allowFontOps=false. For example, allowFontOps=false is set on OpenBSD, Debian and RHEL, but is not applied by default on Arch Linux.
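The two defender-side checks that follow from the description above are (a) spotting an OSC 50 "set font, then query it back" chain in untrusted text before it reaches the terminal, and (b) confirming that the xterm resources actually disable font or window operations. The following Python is an added example written for this article; it is not xterm's or opennet's code. All sample inputs (the escape-sequence string with a placeholder command, the two Xresources snippets) are constructed here, and the function names are this example's own. It strips OSC, DCS-style and CSI sequences so that a file can be shown safely, and reads Xresources lines with a simplified precedence rule (last matching line wins), which is an assumption rather than a full implementation of xrdb's matching.

```python
import re
from typing import List, Optional, Tuple

# OSC = ESC ] Ps ; Pt, terminated by BEL (\a) or ST (ESC \). xterm accepts both.
OSC_RE = re.compile(r"\x1b\](?P<ps>[0-9]*);?(?P<payload>.*?)(?:\x07|\x1b\\)", re.DOTALL)
# DCS / SOS / PM / APC strings (ESC P, ESC X, ESC ^, ESC _) up to a terminator.
STRING_RE = re.compile(r"\x1b[PX^_].*?(?:\x07|\x1b\\)", re.DOTALL)
# CSI = ESC [ parameter bytes, intermediate bytes, final byte.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# A string that is never terminated: the terminal keeps consuming, so drop to the end.
UNTERMINATED_RE = re.compile(r"\x1b[\]PX^_].*$", re.DOTALL)


def find_font_ops(data: str) -> List[Tuple[str, str]]:
    """Return (kind, payload) for every OSC 50 in data; kind is 'query' or 'set'."""
    hits = []
    for m in OSC_RE.finditer(data):
        if m.group("ps") != "50":
            continue
        payload = m.group("payload")
        hits.append(("query" if payload == "?" else "set", payload))
    return hits


def assess(data: str) -> str:
    """'echo-chain' if a font name is set and later queried back (the pattern that
    makes xterm echo attacker-chosen text ending in BEL), 'font-ops' if any other
    OSC 50 is present, 'clean' otherwise."""
    seen_set = False
    ops = find_font_ops(data)
    for kind, _payload in ops:
        if kind == "set":
            seen_set = True
        elif seen_set:
            return "echo-chain"
    return "font-ops" if ops else "clean"


def sanitize(data: str) -> str:
    """Remove OSC/DCS-style/CSI sequences (terminated or not) so untrusted text can be
    displayed without the terminal interpreting it. Plain text is left untouched."""
    data = OSC_RE.sub("", data)
    data = STRING_RE.sub("", data)
    data = CSI_RE.sub("", data)
    return UNTERMINATED_RE.sub("", data)


def resource_setting(xresources: str, name: str) -> Optional[bool]:
    """Look up a boolean XTerm resource (e.g. allowFontOps) in Xresources text.
    Returns True/False, or None if the file does not set it (the build's default
    then applies). Simplification: the last matching line wins."""
    result = None
    for raw in xresources.splitlines():
        line = raw.split("!", 1)[0].strip()  # '!' starts a comment in Xresources
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if re.split(r"[.*]", key.strip())[-1] == name:
            result = value.strip().lower() in ("true", "yes", "on", "1")
    return result


def xterm_mitigated(xresources: str) -> bool:
    """True if either resource named in the article is explicitly set to false."""
    return (resource_setting(xresources, "allowFontOps") is False
            or resource_setting(xresources, "allowWindowOps") is False)


# Constructed samples (not from the page). CHAIN mirrors the set-then-query shape
# of the published sequence with a placeholder instead of a real command.
SAFE_TEXT = "just a log line\n"
CHAIN = "\x1b]50;i$(PLACEHOLDER_COMMAND)\x07\x1b]50;?\x07"
SAMPLE_FILE = "header\n" + CHAIN + "trailer\n"

HARDENED_XRESOURCES = """\
! constructed example of the hardening the article mentions
XTerm*allowFontOps:   false
XTerm*allowWindowOps: false
"""
DEFAULT_XRESOURCES = "XTerm*faceName: monospace\n"

if __name__ == "__main__":
    print("assessment:", assess(SAMPLE_FILE))
    print("sanitized:", repr(sanitize(SAMPLE_FILE)))
    print("hardened config mitigated:", xterm_mitigated(HARDENED_XRESOURCES))
    print("default config mitigated:", xterm_mitigated(DEFAULT_XRESOURCES))
```

On a real system the Xresources text would come from `xrdb -query`; a `None` result from resource_setting means the file is silent and the distribution's compiled-in default decides, which is exactly the difference between the Arch and Debian cases described above.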

According to the changelog and a statement by the researcher who identified the problem, the vulnerability is fixed in xterm release 375, but according to other sources it still manifests in the xterm 375 package shipped by Arch Linux. You can track the publication of fixes by distributions on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD.

Source: opennet.ru