{"id":22870,"date":"2022-01-10T08:26:45","date_gmt":"2022-01-10T07:26:45","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=22870"},"modified":"2022-01-10T10:14:50","modified_gmt":"2022-01-10T09:14:50","slug":"windows-terminal-emulator-titelnderung-fhrt-zu-white-screen-of-death","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/01\/10\/windows-terminal-emulator-titelnderung-fhrt-zu-white-screen-of-death\/","title":{"rendered":"Windows Terminal Emulator: DoS and &quot;White Screen of Death&quot; via Escape Characters to Change the Title"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Security (Pexels, general use)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/01\/10\/windows-terminal-emulator-titelnderung-fhrt-zu-white-screen-of-death\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Windows offers the possibility to change the window title of a terminal emulator window via control characters (ANSI escape characters). Some blog readers may still remember these; they were used, for example, to adjust the colors of a DOS window. A security researcher has shown that something like DoS attacks are also possible with them: vulnerabilities in the applications allow a white window (\"White Screen of Death\") or even a crash of the system. 
This is especially a problem in environments (Kubernetes) where terminal emulators are used and the window or the whole Windows machine can be crashed.<\/p>\n<p><!--more--><\/p>\n<p>I came across the issue via the following tweet from colleagues at Bleeping Computer, which is described by Eviatar Gerz (CyberArk) in the article <a href=\"https:\/\/www.cyberark.com\/resources\/threat-research-blog\/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters\" target=\"_blank\" rel=\"noopener\">Don't Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters<\/a>.<\/p>\n<p><a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1479834820851154946\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Terminal Emulator ANSI Escape Characters issues\" alt=\"Terminal Emulator ANSI Escape Characters issues\" src=\"https:\/\/i.imgur.com\/k3sGgAm.png\"><\/a><\/p>\n<p>Working with OpenShift (Red Hat's Kubernetes distribution), Eviatar Gerz found that he could inject ANSI escape characters (see the following image) into web application components.<\/p>\n<p><img decoding=\"async\" title=\"ANSI Escape Characters\" alt=\"ANSI Escape Characters\" src=\"https:\/\/i.imgur.com\/s9pLxpe.png\"><br \/>ANSI Escape Characters, Source: CyberArk<\/p>\n<p>The ANSI escape characters are then executed by the components &#8211; in the current case, the security researcher used this to change the color of the terminal window used. The question arose as to whether this could be abused in a security-relevant way. After all, there is an interesting <a href=\"https:\/\/marc.info\/?l=bugtraq&amp;m=104612710031920&amp;q=p3\" target=\"_blank\" rel=\"noopener\">advisory from Digital Defense Incorporated<\/a> from 2003 about security issues with terminal emulators. 
<\/p>\n<h2>Terminal emulators vulnerable<\/h2>\n<p>After investigating the issue, Eviatar Gerz found that many terminal emulators under Windows could be attacked and crashed via ANSI escape characters. At the end of the day, the following findings were available:<\/p>\n<ul>\n<li>Five serious vulnerabilities: <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-28847\" target=\"_blank\" rel=\"noopener\">CVE-2021-28847<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-28848\" target=\"_blank\" rel=\"noopener\">CVE-2021-28848<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-32198\" target=\"_blank\" rel=\"noopener\">CVE-2021-32198<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-33500\" target=\"_blank\" rel=\"noopener\">CVE-2021-33500<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-42095\">CVE-2021-42095<\/a> were discovered. Security researchers have found a way to remotely cause a DoS (Denial of Service) on the terminal client host.\n<li>An ANSI escape character injection vulnerability in OpenShift and Kubernetes (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-25743\" target=\"_blank\" rel=\"noopener\">CVE-2021-25743<\/a>).\n<li>Three additional vulnerabilities: <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-31701\" target=\"_blank\" rel=\"noopener\">CVE-2021-31701<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-37326\" target=\"_blank\" rel=\"noopener\">CVE-2021-37326<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-37326\" target=\"_blank\" rel=\"noopener\">CVE-2021-40147<\/a>. A way to bypass the bracketed paste mode mechanism within terminals was found.<\/li>\n<\/ul>\n<p>The details of the investigation into customizing the title of terminal emulator windows via ANSI escape control characters were downright shocking. 
With minor modifications, remote DoS attacks could be carried out. Here is the list of CVEs of the discovered vulnerabilities:<\/p>\n<p><a title=\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/12\/3.Vulnerabilities-in-the-modification-of-window-title.jpg\" href=\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/12\/3.Vulnerabilities-in-the-modification-of-window-title.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"Vulnerabilities in terminal emulators\" alt=\"Vulnerabilities in terminal emulators\" src=\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/12\/3.Vulnerabilities-in-the-modification-of-window-title.jpg\" width=\"667\" height=\"317\"><\/a><br \/>Vulnerabilities in terminal emulators, source: CyberArk<\/p>\n<p>At the end of the day, the following terminal emulators (and some browsers) could be attacked:<\/p>\n<ul>\n<li><strong>PuTTY:<\/strong> Vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-33500\" target=\"_blank\" rel=\"noopener\">CVE-2021-33500<\/a> can cause the entire machine to freeze, fixed in version 0.75\n<li><strong>MobaXterm:<\/strong> Vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-28847\" target=\"_blank\" rel=\"noopener\">CVE-2021-28847<\/a> can freeze the app, fixed in version 21.0 Preview 3\n<li><strong>MinTTY<\/strong> (and <strong>Cygwin<\/strong>): Vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-28848\">CVE-2021-28848<\/a> can cause the entire machine to freeze, fixed in version 3.4.6\n<li><strong>Git:<\/strong> Uses MinTTY, fixed in version 2.30.1\n<li><strong>ZOC:<\/strong> Vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-32198\">CVE-2021-32198<\/a> can freeze the app, no fix\n<li><strong>XSHELL:<\/strong> Vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-42095\">CVE-2021-42095<\/a> can freeze the entire machine, fixed in version 7.0.0.76<\/li>\n<\/ul>\n<p>The 
extensive details of the exploitation of these attack paths can be read in the article <a href=\"https:\/\/www.cyberark.com\/resources\/threat-research-blog\/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters\" target=\"_blank\" rel=\"noopener\">Don't Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Windows offers the possibility to change the window title of a terminal emulator window via control characters (ANSI escape characters). Some blog readers may still remember these; they were used, for example, to adjust the colors of a DOS window. A security &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/01\/10\/windows-terminal-emulator-titelnderung-fhrt-zu-white-screen-of-death\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,2],"tags":[47,69,194],"class_list":["post-22870","post","type-post","status-publish","format-standard","hentry","category-issue","category-windows","tag-issue","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=22870"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22870\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=22870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.
com\/win\/wp-json\/wp\/v2\/categories?post=22870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=22870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}