From owner-freebsd-security  Thu Sep 10 12:51:58 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id MAA09521
          for freebsd-security-outgoing; Thu, 10 Sep 1998 12:51:58 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hwhlap.hjns.net (hwhlap.hjns.net [207.213.153.54])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA09506
          for <security@freebsd.org>; Thu, 10 Sep 1998 12:51:47 -0700 (PDT)
          (envelope-from hwh@hwhlap.hjns.net)
Received: from hwhlap.hjns.net (localhost [127.0.0.1])
	by hwhlap.hjns.net (8.8.8/8.8.8) with ESMTP id MAA03493
	for <security@freebsd.org>; Thu, 10 Sep 1998 12:51:38 -0700 (PDT)
	(envelope-from hwh@hwhlap.hjns.net)
Message-Id: <199809101951.MAA03493@hwhlap.hjns.net>
To: security@FreeBSD.ORG
Subject: Re: cat exploit
Date: Thu, 10 Sep 1998 12:51:37 -0700
From: Harold Hankins <hwh@hjns.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jay Tribick <netadmin@fastnet.co.uk> wrote:
>> That's exactly what I was saying - just for example, say your installing
>> something as root you usually cat the file INSTALL to find out what
>> you need to do - it would be relatively simple to embed a command
i>> n there to just rm -rf / & your hd!

One of the first rules of unix admin is NEVER cat a file to your terminal.
This is an old security hole, I thought everyone knew about it.  Maybe
its been too long since it was exploited and its been forgotten.

A little background for newcomers to unix administration:
Most terminals had escape sequences not only to answerback but also
to send all or part of the screen contents back to the host.  This was
used to allow us to write "forms" on the screen, let the user fill it in,
and then let the program ask the terminal to send the answers back
to it for processing.  It was also used to allow us to read back the 
contents of the screen so we could send it to lpr to do a screen print.

It also opened up the possibility of abuse by embedding the escape
sequences in text files as you found.  We also sometimes cat'ed the 
escape sequences to other peoples terminals by using a command
like 'cat abc.txt >/dev/tty1a' to send commands to other peoples terminals.
Mostly it was harmless fun like sending hundreds of bell characters
but some people actually sent commands to delete files or do other 
nasty things.

Harold Hankins <hwh@hjns.net>
--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message