Date: Fri, 11 Sep 1998 16:07:22 +1000 (EST)
From: proff@iq.org
To: ben@rosengart.com
Cc: bugtraq@netspace.com
Subject: Re: cat exploit
Message-ID: <19980911060722.18124.qmail@iq.org>
In-Reply-To: <Pine.GSO.4.02.9809110115070.27098-100000@echonyc.com> from Snob Art Genre at "Sep 11, 98 01:26:11 am"

> On Thu, 10 Sep 1998, Jamie Lawrence wrote:
>
> > At 03:01 PM 9/10/98 -0500, Aleph One wrote:
> >
> > >How about something more practical? Like being able to turn off this
> > >"feature".
> >
> > "rm /bin/cat"
>
> Cat has little to do with the issue under discussion, despite the
> subject line. Escape sequences can come from talk requests, naive
> write(1)-like programs or naive network clients (I have seen the first
> two, and the third is likely).
>
> Unless I missed it, nobody has defended the xterm feature in question on
> any basis except that that's how it's always been done. I also didn't
> notice any reports of recent exploits.
>
> I'd like to hear a wider variety of opinions on the matter -- in
> particular, I wonder if anyone still uses the feature for anything, and
> if it's been exploited. I don't understand why you're so dismissive
> about it.
>
>
> Ben

It's amusing to see this come up again. Several years ago I discovered
various amusing tricks one can do with xterm escape sequences (as
opposed to vt52/esprit etc which is what everyone else is really yamming
on about, but which actually has little to no relevance to xterms -- at
least in terms of how one goes about exploiting the dang things).

The `xtermxtermxterm' people are seeing after catting binary files is
merely a response to ASCII enq (enquire) (^e). It is harmless and simply
prompts the terminal to send back its terminal type (in this case
`xterm'). STOP WORRYING ABOUT IT.

However, using combinations of other escape codes, one can cause xterms
(particularly X consortium derived xterms) to do everything from sending
back semi-arbitrary bytes (I say `semi-arbitrary', because I wasn't able
to find a way of storing all byte sequences - control codes and a few
other characters are not in the running) to writing arbitrary files.

Yes, you read that right. talkd(8), elm(1), and mail(1) together with an
xterm are your friends (well, someone's friends).

Cheers,
Julian.
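
Added example, not part of the original message or of any program named in it: a C filter of the kind a non-naive write(1)-like program would apply to untrusted text before it reaches a terminal, using cat -v style notation. The name sanitize_for_tty and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Rewrite untrusted bytes so no control character reaches the terminal.
 * Notation follows cat -v: ^X for C0 controls (ENQ becomes ^E, ESC becomes
 * ^[), ^? for DEL, and an M- prefix for bytes with the high bit set, which
 * also covers the 8-bit C1 controls 0x80-0x9f. Newline and tab pass through.
 * Returns the length written (excluding the NUL), or (size_t)-1 if out is
 * too small. sanitize_for_tty is a hypothetical name for this example. */
size_t sanitize_for_tty(const unsigned char *in, size_t n,
                        char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        char buf[4];
        size_t k = 0;
        if (c >= 0x80) {                 /* high bit: M- then low 7 bits */
            buf[k++] = 'M';
            buf[k++] = '-';
            c &= 0x7f;
        }
        if (c == 0x7f) {                 /* DEL */
            buf[k++] = '^';
            buf[k++] = '?';
        } else if (c < 0x20 && !(k == 0 && (c == '\n' || c == '\t'))) {
            buf[k++] = '^';              /* C0 control, e.g. 0x05 -> ^E */
            buf[k++] = (char)(c + 0x40);
        } else {
            buf[k++] = (char)c;          /* printable, or plain \n / \t */
        }
        if (o + k >= cap)                /* keep room for the NUL */
            return (size_t)-1;
        memcpy(out + o, buf, k);
        o += k;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: ENQ, a bold-on sequence, and a raw 0x9b byte. */
    const unsigned char msg[] = "hi\x05 \x1b[1mbold\x9b" "0m\n";
    char out[64];
    if (sanitize_for_tty(msg, sizeof msg - 1, out, sizeof out) != (size_t)-1)
        fputs(out, stdout);
    return 0;
}
```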