splitvt Format String Vulnerability

splitvt is a VT100 window splitter, designed to allow the user two command line interfaces in one terminal window, originally written by Sam Lantinga. It is freely available, open source, and included with many variants of the Linux Operating System.

A problem in the program could allow for a format string attack. The problem occurs in the handling of format strings by the -rcfile command line flag. By placing shellcode in the $HOME environment variable, and generating a custom crafted request to the splitvt program it is possible to overwrite variables on the stack, and arbitrarily execute code contained in the $HOME environment variable. This makes it possible for a user with malicious motives to execute arbitrary code, and in implementations with the splitvt binary installed SUID root, gain administrative privileges. There are also various reported buffer overflows in the code. These have been addressed in the new release.


Privacy Statement
Copyright 2010, SecurityFocus