Date:      Thu, 10 Sep 1998 19:46:10 +0200
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        026809r@dragon.acadiau.ca (Michael Richards)
Cc:        security@FreeBSD.ORG
Subject:   Re: cat exploit 
Message-ID:  <4712.905449570@critter.freebsd.dk>
In-Reply-To: Your message of "Thu, 10 Sep 1998 13:14:53 -0300." <199809101614.NAA07518@dragon.acadiau.ca> 

In message <199809101614.NAA07518@dragon.acadiau.ca>, Michael Richards writes:
>Hi.
>
>Is it just me or did everyone miss the point of Jay's message?
>
>What would happen if I created a file called README that was binary. Since
>Jay accidentally had the cat'd sendmail.st execute the command "xtermxterm"
>then wouldn't it be possible to create a file (like the README) that people
>would be tricked into catting that would run commands as them?

What happens here is that a specific esc-mumble sequence prompts the
terminal to identify itself, hence the xterm response.

This is a very old exploit, it worked on all async terminals that
could program the function keys by escape sequences.  You'd get the
key closest to ESC to send something like:

	chmod 6777 /some/file/I/have/waiting/for/the/victim
	echo -n 'whatever it takes to clear the screen'
	exit 0

and the next time the victim almost hit ESC in vi, you had a shell to
his account waiting for you.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4712.905449570>
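The thread describes two terminal behaviours that make `cat`-ing an untrusted file dangerous: a query sequence that makes the terminal answer its identity into the input line, and control strings that program what a function key sends. The following is an added example (not code from the thread or from FreeBSD) of the defensive side: a scanner that walks a text for escape sequences and names what each one would do, plus a `cat -v`-style sanitizer that renders every control character visibly so nothing reaches the terminal as a command. The sample content is constructed, not the original sendmail.st; the DECUDK key-programming format (DCS ... | key/hex ; ... ST) is the VT220 one, and the recognised query sequences are limited to primary Device Attributes (CSI c), Device Status Report (CSI 5 n / CSI 6 n) and the old DECID (ESC Z).

```python
"""Scan untrusted text for terminal control sequences and render it safely.

Added example for the freebsd-security thread on 'cat' and escape sequences.
Sample data below is constructed, not the sendmail.st file from the thread.
"""
import re
from dataclasses import dataclass

ESC = "\x1b"


@dataclass
class Finding:
    offset: int   # index of the ESC byte in the scanned text
    kind: str     # human-readable classification
    raw: str      # the full sequence as found


# CSI: ESC [ <parameter bytes 0x30-0x3f> <intermediates 0x20-0x2f> <final 0x40-0x7e>
CSI_RE = re.compile(r"\x1b\[([0-?]*)([ -/]*)([@-~])")
# Control strings: DCS (P), OSC (]), PM (^), APC (_), ended by ST (ESC \) or BEL
CTRL_STRING_RE = re.compile(r"\x1b([P\]^_])(.*?)(?:\x1b\\|\x07)", re.S)
# Any remaining two-byte escape: ESC followed by one printable byte
ESC_PAIR_RE = re.compile(r"\x1b([0-~])")


def decode_decudk(body: str) -> dict:
    """Decode a DECUDK body 'Pc;Pl|key/hex;key/hex...' into {key: string}.

    Malformed entries are skipped rather than guessed at.
    """
    _, _, defs = body.partition("|")
    keys = {}
    for item in defs.split(";"):
        key, _, hexstr = item.partition("/")
        try:
            keys[int(key)] = bytes.fromhex(hexstr).decode("latin-1")
        except ValueError:
            continue
    return keys


def classify_csi(m) -> str:
    params, final = m.group(1), m.group(3)
    if final == "c":
        return "DA query: terminal answers its identity into the input stream"
    if final == "n" and params in ("5", "6"):
        return "DSR query: terminal answers status/cursor position into the input stream"
    return f"CSI {params}{final}: cursor/attribute control (display only)"


def classify_string(m) -> str:
    intro, body = m.group(1), m.group(2)
    if intro == "P" and "|" in body:
        keys = decode_decudk(body)
        programmed = ", ".join(f"key {k} -> {v!r}" for k, v in keys.items())
        return f"DECUDK: programs user-defined keys ({programmed})"
    names = {"P": "DCS: device control string",
             "]": "OSC: operating system command (window title etc.)",
             "^": "PM: privacy message",
             "_": "APC: application program command"}
    return names[intro]


def classify_pair(m) -> str:
    ch = m.group(1)
    if ch == "Z":
        return "DECID query: terminal answers its identity into the input stream"
    return f"ESC {ch}: two-byte escape"


def scan(text: str) -> list:
    """Return a Finding for every escape sequence, longest match first."""
    findings = []
    pos = 0
    while True:
        pos = text.find(ESC, pos)
        if pos < 0:
            return findings
        for regex, classify in ((CTRL_STRING_RE, classify_string),
                                (CSI_RE, classify_csi),
                                (ESC_PAIR_RE, classify_pair)):
            m = regex.match(text, pos)
            if m:
                findings.append(Finding(pos, classify(m), m.group(0)))
                pos = m.end()
                break
        else:  # ESC with nothing usable after it
            findings.append(Finding(pos, "lone ESC (malformed sequence)", ESC))
            pos += 1


def sanitize(text: str) -> str:
    """Render control characters in caret notation, as 'cat -v' does."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))   # ESC becomes ^[
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: a status-file lookalike carrying a DA query, a DECUDK
# string that would program key 17 to send "echo hi\r", and harmless bold text.
SAMPLE = (
    "Status report (constructed sample, not the original sendmail.st)\n"
    "\x1b[c"
    "\x1bP1;1|17/6563686f2068690d\x1b\\"
    "\x1b[1mbold\x1b[0m text\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"offset {f.offset}: {f.kind}")
    print(sanitize(SAMPLE))
```

Run it on a file you are about to display (`scan(open(path, encoding="latin-1").read())`) and act on any finding whose kind mentions the input stream or programmed keys; `sanitize()` is what to print when the content must be shown anyway.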