To: 026809r@dragon.acadiau.ca (Michael Richards)
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-reply-to: Your message of "Thu, 10 Sep 1998 13:14:53 -0300." <199809101614.NAA07518@dragon.acadiau.ca>
Date: Thu, 10 Sep 1998 19:46:10 +0200
Message-ID: <4712.905449570@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <199809101614.NAA07518@dragon.acadiau.ca>, Michael Richards writes:
>Hi.
>
>Is it just me or did everyone miss the point of Jay's message?
>
>What would happen if I created a file called README that was binary. Since
>Jay accidentally had the cat'd sendmail.st execute the command "xtermxterm"
>then wouldn't it be possible to create a file (like the README) the people
>would be tricked into catting that would run commands as them?

What happens here is that a specific esc-mumble sequence prompts the
terminal to identify itself, hence the xterm response.

This is a very old exploit, it worked on all async terminals that could
program the function keys by escape sequences.

You'd get the key closest to ESC to send something like:

	chmod 6777 /some/file/I/have/waiting/for/the/victim
	echo -n 'whatever it takes to clear the screen'
	exit 0

and next time the victim almost hit ESC in vi, you had a shell to
his account waiting for you.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal
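
The defensive counterpart to the behaviour described in this message, as an added example that is not part of the original post: a filter that renders every escape sequence and control byte in an untrusted file as visible caret notation (as `cat -v` does) so the terminal never interprets it, and reports where each one was found. The names `inspect`, `caret`, `ESC_SEQ` and the `SAMPLE` bytes are constructed for this illustration.

```python
import re

# Assumption: in a file written by someone else, every C0 control byte except
# tab and newline, and DEL, is untrusted. Bytes >= 0x80 are left alone so
# UTF-8 text survives; 8-bit C1 controls are therefore out of scope here.
ESC_SEQ = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI: ESC [ params, intermediates, final
    rb"|\x1b[\]PX^_].*?(?:\x07|\x1b\\)"    # OSC/DCS/SOS/PM/APC string up to BEL or ST
    rb"|\x1b[ -/]*[0-~]"                   # any other complete escape sequence
    rb"|[\x00-\x08\x0b-\x1f\x7f]",         # lone control bytes, including a bare ESC
    re.DOTALL,
)


def caret(seq: bytes) -> str:
    """Render bytes the way cat -v does: ESC -> ^[, BEL -> ^G, DEL -> ^?."""
    return "".join(
        "^?" if c == 0x7F else "^" + chr(c + 0x40) if c < 0x20 else chr(c)
        for c in seq
    )


def inspect(data: bytes):
    """Return (safe_text, findings); each finding is (byte offset, visible form)."""
    findings = []

    def neutralise(match):
        shown = caret(match.group())
        findings.append((match.start(), shown))
        return shown.encode()

    safe = ESC_SEQ.sub(neutralise, data)
    return safe.decode("utf-8", "replace"), findings


# Constructed sample: a "README" carrying two harmless bold on/off sequences
# and a bell, standing in for whatever a hostile file might embed.
SAMPLE = b"README\n\x1b[1mInstall notes\x1b[0m\x07\n"

if __name__ == "__main__":
    text, found = inspect(SAMPLE)
    print(text, end="")
    for offset, shown in found:
        print(f"offset {offset}: {shown}")
```
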