CVE-2023-39150 - Arbitrary Code Execution in ConEmu due to Incomplete Fix for CVE-2022-46387

In this post, we will discuss a recently reported vulnerability with the identifier CVE-2023-39150, which affects ConEmu, a popular console emulator for Windows. This vulnerability stems from an incomplete fix of a previously reported vulnerability, CVE-2022-46387. Users running ConEmu before commit 230724 are potentially vulnerable to arbitrary code execution due to improper sanitization of title responses.

Overview

ConEmu, short for Console Emulator, is a highly versatile terminal emulator application for Windows operating systems. It is designed to facilitate the use of various console applications, including cmd.exe, PowerShell, bash, and more, in a single interface.

The vulnerability in question is a direct result of ConEmu's inefficient sanitization of incoming title responses for control characters. An attacker can exploit this vulnerability to execute arbitrary code on the victim's machine, potentially leading to severe consequences, including data theft and system compromise.

Details

The previous vulnerability, CVE-2022-46387, was intended to be fixed by adding validations to sanitize special characters from incoming title responses. However, it was found that the fix only accounted for a limited set of special characters and can still be bypassed, leading to the current vulnerability, CVE-2023-39150.

To illustrate the problem, let's look at a code snippet showcasing the improper sanitization in ConEmu's source code:

void ApplyNewTitle(LPCWSTR asTitle)
{
    //...
    // Sanitizing control characters
    for (int i = ; i < wcslen(asTitle); ++i)
    {
        if (asTitle[i] < L' ' && asTitle[i] != L'\t')
        {
            // Replace control character with space
            asTitle[i] = L' ';
        }
    }
    //...
}

As seen in the code snippet, the sanitization for control characters is limited to a simple loop, replacing control characters below Unicode codepoint x20 (space) and not equal to \t (tab) with spaces. This process is insufficient and does not cover all possible control characters that can bypass the sanitizer, effectively retaining the vulnerability.

For instance, an adversary can craft a malicious title response containing control characters not targeted by the sanitizer loop, potentially leading to arbitrary code execution.

Exploit and Mitigation

An attacker can exploit this vulnerability by creating a malicious payload containing control characters that bypass the sanitizer loop in ConEmu. This payload can then be used to craft a title response, which, when processed by an affected version of ConEmu, could lead to arbitrary code execution.

To mitigate this vulnerability, users of ConEmu should immediately update to the latest version, which includes commit 230724 or later. This version implements an improved sanitizer, addressing the vulnerability and protecting users from potential exploitation.

References

1. ConEmu GitHub repository
2. CVE-2022-46387 details
3. CVE-2023-39150 details

In conclusion, ConEmu users are advised to keep their software up-to-date, especially considering this recently discovered vulnerability, CVE-2023-39150. The vulnerability is a direct result of an incomplete fix for the previous vulnerability, CVE-2022-46387, which could lead to arbitrary code execution due to improper sanitization of title responses containing control characters.Updating to the latest version of ConEmu, including commit 230724 or later, mitigates this risk.

Timeline

Published on: 09/12/2023 13:15:07 UTC
Last modified on: 10/05/2023 13:14:16 UTC