RE: character injecting on linux console

From: DFx (dfxat_private)
Date: Sat Dec 08 2001 - 11:36:21 PST


    I get the same results
    Distro ==  Slackware 8.0
    Kernel ==  2.4.5 
    TERM   ==  VT100
    Shell  ==  Bash
    
    
    dfx@dfx:~$ perl -e 'print "\x9E\x9bc"'
    dfx@dfx:~$ 6c
    bash: 6c: command not found
    dfx@dfx:~$ cat /proc/version
    Linux version 2.4.5 (root@dfx) (gcc version 2.95.3 20010315 (release))
    #3 Sun Nov 11 15:52:54 EST 2001
    dfx@dfx:~$ cat /etc/slackware-version
    8.0.0 (åtta)
    dfx@dfx:~$
    
    -----Original Message-----
    From: Doru Petrescu [mailto:pdoruat_private] 
    Sent: Saturday, December 08, 2001 9:41 AM
    To: vuln-devat_private
    Subject: character injecting on linux console
    
    
    Hi everybody,
    
    One strange thing I found while playing with binary files on my
    terminal:
    some special sequences are able to inject characters into my terminal
    input buffer as if I typed them on the keyboard.
    
    on my linux (v2.4.5) TEXT console ($TERM=linux), if I execute:
      perl -e 'print "\x9E\x9bc"'
    
    when the shell returns back to my prompt I will find 2 characters in the
    command line as if I typed them!!! the two of them are: "6c"
    
    So, if I press enter, the shell will complain that it can't find/execute
    command "6c". Of course I can just erase them, and everything will be
    OK.
    
    BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!?
    
    Imagine this: You receive an email, you open it with your favourite text
    mail reader (mail/pine/mutt/etc). The mail contains some unpleasant
    binary garbage that, when the mail program outputs it to the terminal,
    will trigger something and will INJECT characters into your terminal
    input buffer, and by doing so INJECTING commands as if YOU typed them
    from the keyboard. This means that someone could take over your terminal
    !!! hijacking your shell prompt !!!
    
    
    However, until now I was only able to inject series of "6c", and I
    didn't find a way to inject ENTER or something that will trigger the
    shell to execute the command. More research is needed.
    Also this only works on LINUX text CONSOLE, not on Xterm or something
    else.
    
    1. Can you guys check if this works on your systems as well ?
    just execute this cmd: perl -e 'print "\x9E\x9bc"'
    
    2. Can someone explain to me what is happening ?
    is this a bug in the kernel code that handles terminal output ? can we
    make it do something else ? (like overwriting memory, etc ...)
    
    
    Best regards,
    ------
    Doru Petrescu
    KappaNet - Senior Software Engineer
    E-mail: pdoruat_private		 LINUX - the choice of the GNU
    generation
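
Added example, not part of the original thread: a display filter that a mail reader or pager could apply to untrusted bytes before writing them to the terminal, so control codes such as the 0x9E 0x9B pair in the test string above are shown in visible form instead of being interpreted. The function name, the `<NAME>` rendering and the sample inputs are assumptions made for illustration.

```python
import unicodedata

# ECMA-48 names for the control codes that start terminal control sequences.
# 0x9B is the 8-bit form of CSI (same meaning as ESC [), so "\x9bc" is "CSI c",
# the device-attributes query that console_codes(4) says the Linux console
# answers with ESC [ ? 6 c, written into the terminal's input.
NAMES = {0x1B: "ESC", 0x90: "DCS", 0x9B: "CSI", 0x9D: "OSC", 0x9E: "PM", 0x9F: "APC"}
ALLOWED_CONTROLS = {"\n", "\t"}  # assumption: the only controls a viewer needs


def _visible(code: int) -> str:
    """Render a control code as printable text, e.g. <CSI> or <0x07>."""
    return f"<{NAMES[code]}>" if code in NAMES else f"<0x{code:02X}>"


def sanitize_for_terminal(data: bytes) -> str:
    """Return text that is safe to print: every control character is made visible.

    Decoding first (instead of stripping bytes 0x80-0x9F) keeps valid UTF-8
    intact, because those byte values are also ordinary continuation bytes.
    """
    text = data.decode("utf-8", errors="surrogateescape")
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            # Raw byte that is not valid UTF-8, e.g. a lone 0x9B.
            out.append(_visible(cp - 0xDC00))
        elif ch in ALLOWED_CONTROLS:
            out.append(ch)
        elif unicodedata.category(ch) == "Cc":
            # C0 (incl. ESC), DEL, and C1 controls encoded as U+0080..U+009F.
            out.append(_visible(cp))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: the thread's test string, its UTF-8 and 7-bit
    # equivalents, and a harmless line containing a non-ASCII letter.
    samples = [b"\x9e\x9bc", b"\xc2\x9bc", b"\x1b[c", "8.0.0 (åtta)\n".encode()]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_for_terminal(sample)))
```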
    



    This archive was generated by hypermail 2b30 : Sat Dec 08 2001 - 14:15:19 PST