On Sat, 8 Dec 2001, Doru Petrescu wrote:

> One strange thing I found while playing with binary files on my
> terminal: some special sequences are able to inject characters into my
> terminal input buffer as if I typed them on the keyboard.

I think this issue popped up several times on BUGTRAQ a few years ago... This is a pretty interesting issue, because e.g. pine used to escape such characters improperly (not sure if this is still any problem, I reported it a while ago).

> So, if I press enter, the shell will complain that it can't find/execute
> command "6c". Of course I can just erase them, and everything will be
> OK.
>
> BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!?

# The System V Release 4 and XPG4 terminfo format defines ten string
# capabilities for use by applications, <u0>...<u9>. In this file, we use
# certain of these capabilities to describe functions which are not covered
# by terminfo. The mapping is as follows:
#
#	u9	terminal enquire string (equiv. to ANSI/ECMA-48 DA)
#	u8	terminal answerback description
#	u7	cursor position request (equiv. to VT100/ANSI/ECMA-48 DSR 6)
#	u6	cursor position report (equiv. to ANSI/ECMA-48 CPR)
#
# The terminal enquire string <u9> should elicit an answerback response
# from the terminal. Common values for <u9> will be ^E (on older ASCII
# terminals) or \E[c (on newer VT100/ANSI/ECMA-48-compatible terminals).
#
# The cursor position request (<u7>) string should elicit a cursor position
# report. A typical value (for VT100 terminals) is \E[6n.
#
# The terminal answerback description (u8) must consist of an expected
# answerback string. The string may contain the following scanf(3)-like
# escapes:
#
#	%c	Accept any character
#	%[...]	Accept any number of characters in the given set
#
# The cursor position report (<u6>) string must contain two scanf(3)-style
# %d format elements. The first of these must correspond to the Y coordinate
# and the second to the %d. If the string contains the sequence %i, it is
# taken as an instruction to decrement each value after reading it (this is
# the inverse sense from the cup string). The typical CPR value is
# \E[%i%d;%dR (on VT100/ANSI/ECMA-48-compatible terminals).
#
# These capabilities are used by tac(1m), the terminfo action checker
# (distributed with ncurses 5.0).

> However, until now I was only able to inject series of "6c", and I didn't
> find a way to inject ENTER or something that will trigger the shell to
> execute the command. More research is needed.

Well, documentation can be more helpful ;) Basically, I wouldn't call it a bug in the terminal emulation code - it is a documented feature. On the other hand, many people are not aware of it, so it happens that mail readers etc. do not expand certain sequences properly. I failed to find any program that can be effectively exploited by issuing a very limited set of commands (6c, ;something, etc), but probably if you search carefully enough, you'll find something :>

-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors?
<=-= http://lcamtuf.coredump.cx/photo/
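The defensive side of the thread above, as an added example that is not part of the original mail or of ncurses: a scanner that finds the answerback-eliciting sequences the terminfo excerpt names (ENQ, DA `\E[c`, DSR 6 `\E[6n`) in untrusted bytes, and the caret-escaping a mail reader or pager should apply before writing such data to a terminal. The sample input is constructed; the function names and the decision to treat the input as raw bytes (as with the binary files in the thread) are assumptions of this example.

```python
import re

# Sequences that make the terminal *reply*; the reply lands in the input
# buffer as if typed, which is what the "6c" left on the command line was.
TRIGGERS = [
    ("ENQ answerback (^E)", re.compile(rb"\x05")),
    ("DA request (ESC [ c)", re.compile(rb"\x1b\[0?c")),      # optional "0" parameter
    ("DSR 6 cursor request (ESC [ 6 n)", re.compile(rb"\x1b\[6n")),
]


def find_triggers(data: bytes):
    """Return a sorted list of (offset, name, raw_bytes) for every
    answerback-eliciting sequence found in data. Useful for logging or
    for refusing to display a message unescaped."""
    hits = []
    for name, pat in TRIGGERS:
        for m in pat.finditer(data):
            hits.append((m.start(), name, m.group(0)))
    return sorted(hits)


def make_printable(data: bytes) -> bytes:
    """Caret-escape every control byte (ESC -> ^[, ENQ -> ^E, ...) so the
    terminal only ever sees printable text. TAB, LF and CR are kept because
    they carry layout and do not make the terminal answer. Bytes >= 0x80
    are hex-escaped (this also neutralises the 8-bit CSI byte 0x9b); decode
    UTF-8 first if the input is known to be text rather than raw bytes."""
    out = bytearray()
    for b in data:
        if b in (0x09, 0x0A, 0x0D) or 0x20 <= b < 0x7F:
            out.append(b)
        elif b < 0x20:
            out += b"^" + bytes([b + 0x40])   # ^@ .. ^_ caret notation
        elif b == 0x7F:
            out += b"^?"
        else:
            out += b"\\x%02x" % b
    return bytes(out)


# Constructed sample "binary file" carrying all three triggers.
SAMPLE = b"hello\x1b[c world\x05 \x1b[6n done\n"

if __name__ == "__main__":
    for off, name, raw in find_triggers(SAMPLE):
        print(f"offset {off}: {name} {raw!r}")
    print(make_printable(SAMPLE).decode("ascii"))
```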
This archive was generated by hypermail 2b30 : Sat Dec 08 2001 - 10:30:28 PST