From owner-freebsd-security Thu Sep 10 14:04:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA25968 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:04:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-10.igrin.co.nz [202.49.245.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA25953 for ; Thu, 10 Sep 1998 14:04:51 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id JAA05560; Fri, 11 Sep 1998 09:01:04 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Fri, 11 Sep 1998 09:01:04 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Karl Denninger
cc: Garrett Wollman, Josef Karthauser, Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <19980910133615.A13227@Mcs.Net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Karl Denninger wrote:

> On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
>
> Actually, for VTxxx series terminals (and good emulators of them) as well as
> most others, the problem is far worse.
>
> Most terminals can be made to display something, set the cursor to where the
> "something" is, and then *send the line containing the something to the
> host*.
>
> This allows ARBITRARY commands to be accidentally (read: maliciously)
> executed by someone doing nothing more than displaying a file!
>
> This is an OLD trick, but one which still works, and if the person doing the
> tricking is crafty it can be particularly dangerous. (Consider that most
> terminals also have attributes such as "invisible" text available, and/or
> that you can send the line, then back up again and overwrite it).
>
> I can craft a 40-50 byte sequence that will, if the file is "catted" as
> root, give me an instant SUID root shell somewhere on the system that
> you're very unlikely to find.

Ouch. I'm surprised this doesn't come up more often.

This means that the safety of using xterm is dependent on every program you
might use protecting you against escape sequences, which is never going to be
the case.

Are there any safe shell-in-a-window alternatives to xterm then? Someone
mentioned a possible setting in xterm?

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
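Added example, not from this thread or from FreeBSD's cat(1): a `cat -v`-style filter in C that renders every control byte visibly before it reaches the terminal, so that a displayed file can carry no ESC or 8-bit control sequence to the terminal at all; the function names and the sample input are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append token s at out[pos]; drop it whole if it would not fit. */
static size_t emit(char *out, size_t outsz, size_t pos, const char *s) {
    size_t len = strlen(s);
    if (pos + len >= outsz) return pos;
    memcpy(out + pos, s, len);
    return pos + len;
}

/* Render n untrusted bytes so nothing the terminal would interpret reaches it:
 * ESC -> "^[", other C0 controls -> "^X", DEL -> "^?", and bytes >= 0x80
 * (including the 8-bit C1 controls such as CSI 0x9b) -> "M-" plus the 7-bit
 * form. Only newline and tab pass through. Output is NUL-terminated, never
 * overruns outsz, and the byte count written (excluding NUL) is returned. */
size_t sanitize_for_tty(const unsigned char *in, size_t n, char *out, size_t outsz) {
    size_t pos = 0;
    char tok[5];
    if (outsz == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        const char *meta = "";
        if (c == '\n' || c == '\t') {
            snprintf(tok, sizeof tok, "%c", c);
        } else {
            if (c >= 0x80) { meta = "M-"; c &= 0x7f; }
            if (c < 0x20)       snprintf(tok, sizeof tok, "%s^%c", meta, c + '@');
            else if (c == 0x7f) snprintf(tok, sizeof tok, "%s^?", meta);
            else                snprintf(tok, sizeof tok, "%s%c", meta, c);
        }
        pos = emit(out, outsz, pos, tok);
    }
    out[pos] = '\0';
    return pos;
}

/* String convenience wrapper (static buffer, demo use only). */
const char *sanitize_str(const char *s) {
    static char buf[512];
    sanitize_for_tty((const unsigned char *)s, strlen(s), buf, sizeof buf);
    return buf;
}

/* Usage: pipe an untrusted file through this instead of plain cat. Worst-case
 * expansion is 4 output bytes per input byte, so clean[] never truncates. */
int main(void) {
    unsigned char raw[4096]; char clean[4 * sizeof raw + 1]; size_t n;
    while ((n = fread(raw, 1, sizeof raw, stdin)) > 0)
        fwrite(clean, 1, sanitize_for_tty(raw, n, clean, sizeof clean), stdout);
    return 0;
}
```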