Date:      Fri, 11 Sep 1998 09:01:04 +1200 (NZST)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        Karl Denninger <karl@denninger.net>
Cc:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Josef Karthauser <joe@pavilion.net>, Jay Tribick <netadmin@fastnet.co.uk>, freebsd-security@FreeBSD.ORG
Subject:   Re: Err.. cat exploit.. (!)
Message-ID:  <Pine.BSF.3.96.980911085252.5407A-100000@aniwa.sky>
In-Reply-To: <19980910133615.A13227@Mcs.Net>

On Thu, 10 Sep 1998, Karl Denninger wrote:

> On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:

> Actually, for VTxxx series terminals (and good emulators of them) as well as
> most others, the problem is far worse.
> 
> Most terminals can be made to display something, set the cursor to where the
> "something" is, and then *send the line containing the something to the
> host*.
> 
> This allows ARBITRARY commands to be accidentally (read: maliciously)
> executed by someone doing nothing more than displaying a file!
> 
> This is an OLD trick, but one which still works, and if the person doing the
> tricking is crafty it can be particularly dangerous.  (Consider that most
> terminals also have attributes such as "invisible" text available, and/or
> that you can send the line, then back up again and overwrite it).
> 
> I can craft a 40-50 byte sequence that will, if the file is "catted" as
> root, give me an instant SUID root shell somewhere on the system that 
> you're very unlikely to find.

Ouch.  I'm surprised this doesn't come up more often.  This means that the
safety of using xterm is dependent on every program you might use
protecting you against escape sequences, which is never going to be the
case.

Are there any safe shell-in-a-window alternatives to xterm then?  Someone
mentioned a possible setting in xterm?

Andrew
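
An added example, not part of the original message or of any FreeBSD code: a small C filter that renders control bytes visibly (the ^X / M- notation that cat -v uses) instead of passing them to the terminal, so an untrusted file can be inspected without the terminal acting on it. The function name and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the thread): render in[0..n) into out as
 * NUL-terminated printable text. Newline and tab pass through; every other
 * control byte is shown as ^X, and bytes >= 0x80 get an "M-" prefix, so
 * neither ESC (0x1b) nor the 8-bit C1 controls (0x80-0x9f, e.g. CSI 0x9b)
 * ever reach the terminal. Returns the number of control bytes neutralized,
 * or -1 if out is too small. */
int sanitize_for_terminal(const unsigned char *in, size_t n,
                          char *out, size_t outsz)
{
    size_t o = 0;
    int neutralized = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (o + 5 > outsz)               /* worst case "M-^X" plus NUL */
            return -1;
        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f)) {
            out[o++] = (char)c;          /* plain printable ASCII */
            continue;
        }
        if (c >= 0x80) {                 /* high bit set: mark and strip it */
            out[o++] = 'M';
            out[o++] = '-';
            c &= 0x7f;
        }
        if (c < 0x20 || c == 0x7f) {     /* control byte: caret notation */
            out[o++] = '^';
            out[o++] = (c == 0x7f) ? '?' : (char)(c + '@');
            neutralized++;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return neutralized;
}

int main(void)
{
    /* Constructed sample: text hidden with the SGR "conceal" attribute. */
    const unsigned char sample[] = "total 0\n\033[8mhidden\033[0m\n";
    char shown[128];
    int hits = sanitize_for_terminal(sample, sizeof sample - 1, shown, sizeof shown);

    fputs(shown, stdout);
    fprintf(stderr, "%d control byte(s) neutralized\n", hits);
    return hits < 0;
}
```

A non-zero count on a file that is supposed to be plain text is itself worth a closer look before the file is displayed raw.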






