urwid
- <= 24acd12
A vulnerability exists in the Urwid web display backend, specifically in the session ID generation process. The backend uses Python's Mersenne Twister pseudo-random number generator (PRNG) to create web session identifiers. This PRNG is not cryptographically secure, allowing an attacker to predict session IDs. The vulnerability arises because each session ID is generated by concatenating two random numbers from the PRNG, which can be observed through the X-Urwid-ID HTTP response header. An attacker who collects approximately 334 session IDs can reconstruct the internal state of the PRNG and predict all past and future session IDs. Additionally, the session ID is used as the filename for a FIFO (named pipe) created in the world-readable /tmp directory. This exposure allows any local user to enumerate active session tokens directly. With a valid session ID, an attacker can read the victim's terminal screen, inject keystrokes (potentially leading to OS-level code execution if the session runs a shell), and disrupt the session by flooding the FIFO or injecting exit sequences.
Exploitation of this vulnerability allows for unauthorized keystroke injection into active terminal sessions, with the potential for OS-level code execution if the session is running a shell. Additionally, the vulnerability allows for injection of OSC window title commands via the Terminal widget, which could be exploited to manipulate window titles on the host system.
The vulnerability can be reproduced by using the Urwid web display backend in a Python environment. Once the backend is active, the session ID can be observed in the X-Urwid-ID HTTP response header. After collecting approximately 334 session IDs, the internal state of the Mersenne Twister PRNG can be reconstructed, allowing prediction of all session IDs. The predicted session IDs can then be used to access the corresponding terminal sessions, where keystrokes can be injected.
The vulnerability has been addressed in Urwid version 4.0.4, which is available on the project's GitHub releases page.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.