From owner-freebsd-security Thu Sep 10 09:44:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA02116 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:44:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA02044 for ; Thu, 10 Sep 1998 09:44:51 -0700 (PDT) (envelope-from patl@phoenix.volant.org) From: patl@phoenix.volant.org Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 0zH9pq-0003Ph-00; Thu, 10 Sep 1998 09:44:42 -0700 Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id JAA25278; Thu, 10 Sep 1998 09:44:38 -0700 Date: Thu, 10 Sep 1998 09:44:38 -0700 (PDT) Reply-To: patl@phoenix.volant.org Subject: Re: Err.. cat exploit.. (!) To: Jay Tribick cc: freebsd-security@FreeBSD.ORG In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > It's not the fact that it was a binary that puzzled me but that > it had managed to execute a command on the shell just by me > cat'ing the file. Forgot to mention that it was in an xterm > and doesn't affect Virtual Consoles. It's primarily a matter of which escape and other control sequences the terminal (emulator) recognizes; although, I believe you can also get different results based on different terminal (stty) settings. A particularly fun one occurs when you have XON/XOFF enabled and the file contains a bunch of 0x13s. You can also irritate your whole office by cat'ing a file with a few thousand 0x07 (BEL) chars. (Usually, they will be buffered up so that even quickly killing the cat won't stop the noise for a while. Or at least I think that is what happened...) -Pat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message