From owner-freebsd-security Thu Sep 10 11:36:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26326 for freebsd-security-outgoing; Thu, 10 Sep 1998 11:36:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26311 for ; Thu, 10 Sep 1998 11:36:25 -0700 (PDT) (envelope-from karl@Jupiter.Mcs.Net)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id NAA17517; Thu, 10 Sep 1998 13:36:16 -0500 (CDT)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) id NAA13435; Thu, 10 Sep 1998 13:36:15 -0500 (CDT)
Message-ID: <19980910133615.A13227@Mcs.Net>
Date: Thu, 10 Sep 1998 13:36:15 -0500
From: Karl Denninger
To: Garrett Wollman, Josef Karthauser
Cc: Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
References: <19980910144324.B831@pavilion.net> <199809101510.LAA08830@khavrinen.lcs.mit.edu> <19980910165725.N831@pavilion.net> <199809101622.MAA09014@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199809101622.MAA09014@khavrinen.lcs.mit.edu>; from Garrett Wollman on Thu, Sep 10, 1998 at 12:22:09PM -0400
Organization: Karl's Sushi and Packet Smashers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> < said:
>
> >> That's why you should normally use `more' or `less'.
>
> > Ok, but how come the interactions we describe?
>
> Most terminals, including the VT102 emulated by `xterm', include some
> mechanism for generating an ``answerback'' upon receipt of a special
> control code or sequence. (In xterm's case, that happens to be a
> control-E.) A binary file is likely enough to contain such a code.
>
> There might be a preference you can set which will disable this
> feature in xterm, but I don't know what it might be (and if there is
> one, it's not documented).
>
> -GAWollman

Actually, for VTxxx series terminals (and good emulators of them) as well as most others, the problem is far worse.

Most terminals can be made to display something, set the cursor to where the "something" is, and then *send the line containing the something to the host*. This allows ARBITRARY commands to be accidentally (read: maliciously) executed by someone doing nothing more than displaying a file!

This is an OLD trick, but one which still works, and if the person doing the tricking is crafty it can be particularly dangerous. (Consider that most terminals also have attributes such as "invisible" text available, and/or that you can send the line, then back up again and overwrite it.)

I can craft a 40-50 byte sequence that will, if the file is "catted" as root, give me an instant SUID root shell somewhere on the system that you're very unlikely to find.

Indiscriminately displaying files without terminal control enforced (ie: by a pager) is EXTREMELY dangerous, especially if you're running with privileges (ie: as root).

--
--
Karl Denninger (karl@denninger.net) Voice: 312-803-6271 x219

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
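The "terminal control enforced by a pager" step that the message above asks for, as an added example that is not code from this thread, from FreeBSD, or Karl's 40-50 byte sequence: a Python filter that renders every control byte and ESC-introduced sequence in the caret notation `cat -v` and `less` use (`^E`, `^[`, `M-x`) instead of passing it to the terminal, and reports each one with its offset. The ENQ answerback is the control code Garrett names; the DA, DSR/CPR and DECID labels are the standard VT100/ECMA-48 requests that make a terminal transmit a reply to the host, added here because that reply arrives as if the user had typed it, and SGR 8 is the concealed-text attribute the message refers to as "invisible". The sample input, the function names and the label strings are all constructed for this example.

```python
"""Added example (not code from the thread, FreeBSD, or Karl's sequence):
a pager-style filter that refuses to pass terminal control codes through.

scan(data) returns the text in cat -v style caret notation plus a list of
(offset, description, raw bytes) for every control byte and ESC sequence.
Sequences that make a VT100-class terminal *transmit* to the host get a
specific label: ENQ answerback, DA, DSR/CPR and DECID. SGR 8 (concealed
text) is labelled too, since the message mentions "invisible" attributes.
"""
import re

HARMLESS = {0x09, 0x0A, 0x0D}  # tab, LF, CR: needed to show a text file at all

# Sequences the terminal answers; the reply reaches the host as if typed.
RESPONDERS = [
    (re.compile(rb"\x1b\[[?>=]?[0-9;]*c"), "DA: terminal transmits its device attributes"),
    (re.compile(rb"\x1b\[\??[0-9;]*n"), "DSR/CPR: terminal transmits status or cursor position"),
    (re.compile(rb"\x1bZ"), "DECID: terminal transmits its identification"),
    # Conservative: also fires when 8 is a sub-parameter of another SGR.
    (re.compile(rb"\x1b\[(?:[0-9;]*;)?8(?:;[0-9;]*)?m"), "SGR 8: concealed (invisible) text"),
]


def caret(b: int) -> str:
    """Render one byte the way cat -v does: ^X for controls, M- prefix for 8-bit."""
    prefix = ""
    if b >= 0x80:
        prefix, b = "M-", b - 0x80
    if b < 0x20:
        return prefix + "^" + chr(b + 0x40)
    if b == 0x7F:
        return prefix + "^?"
    return prefix + chr(b)


def escape_end(data: bytes, i: int) -> int:
    """Index one past the ESC sequence starting at data[i] (data[i] == 0x1B).
    ECMA-48 framing: CSI; control strings (OSC/DCS/SOS/PM/APC) ended by BEL
    or ESC \\; otherwise intermediates then one final byte. An unterminated
    sequence runs to the end of the data."""
    n, j = len(data), i + 1
    if j >= n:
        return n
    lead = data[j]
    if lead == 0x5B:  # '[' CSI: params 0x30-0x3F, intermediates 0x20-0x2F, final 0x40-0x7E
        j += 1
        while j < n and 0x30 <= data[j] <= 0x3F:
            j += 1
        while j < n and 0x20 <= data[j] <= 0x2F:
            j += 1
        return min(j + 1, n)
    if lead in (0x5D, 0x50, 0x58, 0x5E, 0x5F):  # ] P X ^ _ : string until BEL or ST
        j += 1
        while j < n:
            if data[j] == 0x07:
                return j + 1
            if data[j] == 0x1B and j + 1 < n and data[j + 1] == 0x5C:
                return j + 2
            j += 1
        return n
    while j < n and 0x20 <= data[j] <= 0x2F:  # intermediates, e.g. ESC ( B
        j += 1
    return min(j + 1, n)


def scan(data: bytes):
    """Return (safe_text, findings). safe_text contains no byte the terminal
    would act on except tab/LF/CR; findings lists what was neutralised."""
    out, findings, i, n = [], [], 0, len(data)
    while i < n:
        b = data[i]
        if b == 0x1B:
            j = escape_end(data, i)
            seq = data[i:j]
            what = next((d for pat, d in RESPONDERS if pat.fullmatch(seq)), "escape sequence")
            findings.append((i, what, seq))
            out.append("".join(caret(x) for x in seq))
            i = j
            continue
        if b == 0x05:
            findings.append((i, "ENQ: xterm answerback request", bytes([b])))
        elif 0x80 <= b <= 0x9F:
            findings.append((i, "C1 control byte (8-bit CSI/ESC family)", bytes([b])))
        elif (b < 0x20 and b not in HARMLESS) or b == 0x7F:
            findings.append((i, "C0 control byte", bytes([b])))
        out.append(chr(b) if 0x20 <= b < 0x7F or b in HARMLESS else caret(b))
        i += 1
    return "".join(out), findings


# Constructed sample, not a captured file: cursor move + ENQ, then three
# report-inducing sequences, a title-setting OSC, and concealed text.
SAMPLE = (b"harmless line\n"
          b"\x1b[2;1Hinjected text\x05\n"
          b"\x1b[6n\x1bZ\x1b]0;title\x07\x1b[8mhidden\x1b[0m\n")


def report(data: bytes = SAMPLE) -> str:
    """Human-readable summary of scan(); used when run as a script."""
    text, findings = scan(data)
    lines = [f"{off:5d}: {what:55s} {raw!r}" for off, what, raw in findings]
    return "\n".join(lines + ["---", text])


if __name__ == "__main__":
    print(report())
```

To check a real file, call `scan(open(path, "rb").read())`. This is the whole job a pager does for you: nothing in the file reaches the terminal as a control code, so the terminal never answers, never moves the cursor or hides text, and the user sees `^E` and `^[[6n` on screen instead of the effect they would have had.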