Date: Sun, 13 Sep 1998 09:14:53 -0700
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Karl Denninger <karl@denninger.net>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Josef Karthauser <joe@pavilion.net>, Jay Tribick <netadmin@fastnet.co.uk>, freebsd-security@FreeBSD.ORG, cschuber@uumail.gov.bc.ca
Subject: X Security (was: Re: Err.. cat exploit.. (!))
Message-ID: <199809131615.JAA03746@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 10 Sep 1998 13:36:15 CDT." <19980910133615.A13227@Mcs.Net>
> On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> > <<On Thu, 10 Sep 1998 16:57:25 +0100, Josef Karthauser <joe@pavilion.net> said:
> >
> > >> That's why you should normally use `more' or `less'.
> >
> > > Ok, but how come the interactions we describe?
> >
> > Most terminals, including the VT102 emulated by `xterm', include some
> > mechanism for generating an ``answerback'' upon receipt of a special
> > control code or sequence. (In xterm's case, that happens to be a
> > control-E.) A binary file is likely enough to contain such a code.
> >
> > There might be a preference you can set which will disable this
> > feature in xterm, but I don't know what it might be (and if there is
> > one, it's not documented).
> >
> > -GAWollman
>
> Actually, for VTxxx series terminals (and good emulators of them) as well as
> most others, the problem is far worse.
>
> Most terminals can be made to display something, set the cursor to where the
> "something" is, and then *send the line containing the something to the
> host*.
>
> This allows ARBITRARY commands to be accidentally (read: maliciously)
> executed by someone doing nothing more than displaying a file!
>
> This is an OLD trick, but one which still works, and if the person doing the
> tricking is crafty it can be particularly dangerous. (Consider that most
> terminals also have attributes such as "invisible" text available, and/or
> that you can send the line, then back up again and overwrite it).
>
> I can craft a 40-50 byte sequence that will, if the file is "catted" as
> root, give me an instant SUID root shell somewhere on the system that
> you're very unlikely to find.
>
> Indiscriminately displaying files without terminal control enforced (ie: by
> a pager) is EXTREMELY dangerous, especially if you're running with
> privileges (ie: as root).

That is why doing an xhost + or even an xhost hostname, even to hosts that
you think you trust, is so dangerous. It is easy for someone to inject some
"keystrokes" into an Xterm to get a root shell on a host that one is logged
into.

Regards,
                           Phone:  (250)387-8437
Cy Schubert                Fax:    (250)387-5766
Open Systems Group         Internet: cschuber@uumail.gov.bc.ca
ITSD                       Cy.Schubert@gems8.gov.bc.ca
Government of BC
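The thread's point is that a terminal acts on control characters (the ENQ answerback trigger, ESC-introduced sequences, and the 8-bit C1 equivalents) in whatever bytes reach it, so an untrusted file must be filtered before it is displayed. The following is an added example, not code from this thread or from any of its participants: a small "safe cat" in Python that renders every C0/C1 control character in caret notation (the way `cat -v` does) so the terminal can never interpret it, and that reports where such characters occur. The function names, the LABELS table and the SAMPLE_UNTRUSTED bytes are all constructed for this illustration.

```python
import sys
import unicodedata
from typing import List, Tuple

# Controls that are safe to pass through literally: newline and horizontal
# tab. Everything else in the C0 set (U+0000-U+001F), DEL (U+007F) and the
# C1 set (U+0080-U+009F) is rendered in caret notation so the terminal
# never interprets it.
PASS_THROUGH = {"\n", "\t"}

# Labels for the control characters that matter most here (hypothetical
# table). ENQ is the xterm answerback trigger named in the thread; ESC and
# the C1 DCS/CSI/OSC characters introduce terminal control sequences.
LABELS = {
    0x05: "ENQ",
    0x07: "BEL",
    0x1B: "ESC",
    0x90: "DCS",
    0x9B: "CSI",
    0x9D: "OSC",
}

# Constructed sample of "file content of unknown origin": a plain line, a
# line carrying the answerback trigger, and a clear-screen sequence.
SAMPLE_UNTRUSTED = b"normal line\n\x05answerback trigger\n\x1b[2Jclear screen\n"


def caret_notation(ch: str) -> str:
    """Return the cat -v style visible form of one control character."""
    cp = ord(ch)
    if cp < 0x20:
        return "^" + chr(cp + 0x40)           # e.g. ESC (0x1B) -> ^[
    if cp == 0x7F:
        return "^?"
    if 0x80 <= cp <= 0x9F:
        return "M-^" + chr(cp - 0x80 + 0x40)  # e.g. CSI (0x9B) -> M-^[
    return ch


def is_dangerous_control(ch: str) -> bool:
    """True for any control character the terminal might act on."""
    return ch not in PASS_THROUGH and unicodedata.category(ch) == "Cc"


def sanitize_for_terminal(text: str) -> str:
    """Make every control character visible instead of executable."""
    return "".join(caret_notation(ch) if is_dangerous_control(ch) else ch
                   for ch in text)


def find_control_sequences(text: str) -> List[Tuple[int, str]]:
    """List (character offset, label) for each control character found."""
    return [(i, LABELS.get(ord(ch), "U+%04X" % ord(ch)))
            for i, ch in enumerate(text) if is_dangerous_control(ch)]


def sanitize_bytes(data: bytes) -> str:
    """Decode untrusted bytes and sanitize the result.

    Decoding as UTF-8 with replacement keeps legitimate multi-byte text
    intact while still exposing raw C0/C1 controls to the filter; bytes
    that are not valid UTF-8 become U+FFFD rather than reaching the tty.
    """
    return sanitize_for_terminal(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python safe_cat.py [FILE]; with no argument the constructed
    # sample is used. Findings go to stderr, the cleaned text to stdout.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_UNTRUSTED
    decoded = raw.decode("utf-8", errors="replace")
    for offset, label in find_control_sequences(decoded):
        print("control %s at offset %d" % (label, offset), file=sys.stderr)
    sys.stdout.write(sanitize_for_terminal(decoded))
```

Running it on the sample prints `^E` and `^[[2J` in place of the raw control characters, so the answerback and clear-screen sequences are shown rather than executed. This is the same property a pager gives you, which is why the thread recommends `more` or `less` over `cat` for files you did not write yourself; the filter above is useful where output is piped somewhere that is not a pager.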