Date:      Thu, 10 Sep 1998 13:36:15 -0500
From:      Karl Denninger <karl@denninger.net>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Josef Karthauser <joe@pavilion.net>
Cc:        Jay Tribick <netadmin@fastnet.co.uk>, freebsd-security@FreeBSD.ORG
Subject:   Re: Err.. cat exploit.. (!)
Message-ID:  <19980910133615.A13227@Mcs.Net>
In-Reply-To: <199809101622.MAA09014@khavrinen.lcs.mit.edu>; from Garrett Wollman on Thu, Sep 10, 1998 at 12:22:09PM -0400
References:  <Pine.BSF.3.96.980910115926.408V-100000@bofh.fast.net.uk> <19980910144324.B831@pavilion.net> <199809101510.LAA08830@khavrinen.lcs.mit.edu> <19980910165725.N831@pavilion.net> <199809101622.MAA09014@khavrinen.lcs.mit.edu>

On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> <<On Thu, 10 Sep 1998 16:57:25 +0100, Josef Karthauser <joe@pavilion.net> said:
> 
> >> That's why you should normally use `more' or `less'.
> 
> > Ok, but how come the interactions we describe?
> 
> Most terminals, including the VT102 emulated by `xterm', include some
> mechanism for generating an ``answerback'' upon receipt of a special
> control code or sequence.  (In xterm's case, that happens to be a
> control-E.)  A binary file is likely enough to contain such a code.
> 
> There might be a preference you can set which will disable this
> feature in xterm, but I don't know what it might be (and if there is
> one, it's not documented).
> 
> -GAWollman

Actually, for VTxxx series terminals (and good emulators of them) as well as
most others, the problem is far worse.

Most terminals can be made to display something, set the cursor to where the
"something" is, and then *send the line containing the something to the
host*.

This allows ARBITRARY commands to be accidentally (read: maliciously)
executed by someone doing nothing more than displaying a file!

This is an OLD trick, but one which still works, and if the person doing the
tricking is crafty it can be particularly dangerous.  (Consider that most
terminals also have attributes such as "invisible" text available, and/or
that you can send the line, then back up again and overwrite it).

I can craft a 40-50 byte sequence that will, if the file is "catted" as
root, give me an instant SUID root shell somewhere on the system that 
you're very unlikely to find.

Indiscriminately displaying files without terminal control enforced (ie: by
a pager) is EXTREMELY dangerous, especially if you're running with
privileges (ie: as root).

-- 
Karl Denninger (karl@denninger.net)
Voice: 312-803-6271 x219     
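An added example, not part of the thread or of any FreeBSD code: a small Python scanner that flags the raw terminal control bytes the thread warns about (ENQ, the xterm answerback trigger, and ESC-introduced control sequences) in a file before it is displayed, and renders the bytes the way `cat -v` would so they cannot reach the terminal unescaped. The sample input is constructed.

```python
import re

# Byte values this scanner treats as a risk when written raw to a terminal.
# ENQ (0x05) triggers the answerback mentioned in the thread; ESC (0x1b) and
# the 8-bit CSI (0x9b) introduce escape/control sequences.
RISKY_BYTES = {
    0x05: "ENQ (answerback trigger)",
    0x1b: "ESC (escape sequence introducer)",
    0x9b: "CSI (8-bit control sequence introducer)",
}

# Rough ECMA-48 grammar for ESC-introduced sequences:
#   ESC [ params intermediates final   (CSI)
#   ESC ] ... BEL | ESC \               (OSC)
#   ESC P ... ESC \                     (DCS)
#   ESC <single byte 0x40-0x5f>         (two-byte escape)
_ESC_SEQ = re.compile(
    rb"\x1b(?:\[[0-?]*[ -/]*[@-~]"
    rb"|\][^\x07\x1b]*(?:\x07|\x1b\\)"
    rb"|P[^\x1b]*\x1b\\"
    rb"|[@-_])"
)

def find_terminal_controls(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for each risky byte or ESC sequence."""
    findings, i = [], 0
    while i < len(data):
        b = data[i]
        if b == 0x1b:
            m = _ESC_SEQ.match(data, i)
            if m:  # report the whole sequence once, then skip past it
                findings.append((i, f"escape sequence {m.group(0)!r}"))
                i = m.end()
                continue
        if b in RISKY_BYTES:
            findings.append((i, RISKY_BYTES[b]))
        i += 1
    return findings

def safe_render(data: bytes) -> str:
    """Render like `cat -v`: control bytes as ^X, bytes >= 0x80 as M-x."""
    out = []
    for b in data:
        prefix, b = ("M-", b - 0x80) if b >= 0x80 else ("", b)
        if b in (0x09, 0x0a) and not prefix:   # keep tab and newline
            out.append(chr(b))
        elif b < 0x20:
            out.append(prefix + "^" + chr(b + 0x40))
        elif b == 0x7f:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)

# Constructed sample: plain text with an ENQ and a clear-screen CSI embedded.
SAMPLE = b"hello\x05world\x1b[2Jtext\n"
```

Running the scanner over a file before `cat` (or piping through `safe_render`) turns the hidden sequences into visible `^E` and `^[[2J` text instead of terminal commands.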
