This one takes me back to 1992, when I got accused, without, I note, any evidence :-) of terminal hijacking. With the help of the ioctl 'TIOCSTI' (aka "insert character into the stream as if it had been typed in"), and SunOS/BSD style TTYs...

IIRC, the ANSI/DOS-mode standard allowed for macro definition and execution by just viewing a text file (particularly nasty, because you could set the colours so they couldn't see what "they" had typed, but on a VT you must type the macro execution code :-(

So what are the chances of:

perl -e 'print "\x9E\x9bc"' | write root

being cute? (zero, I'd say, but still worth checking)

Back in 1992 there were so many tools that didn't escape user-controllable data, biff, mail, ls, who, finger, w, cwd, etc. etc. etc.

Dom

[ I 'invented' "ResetMail" at my Uni, because tty-based mailers of the time didn't escape/strip the VT100 reset code. Best bit is that they get to see "This email will explode in 3 seconds....." and poof they're tty resets and that usually logged them out :-) ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd
mailto:domat_private
Mob. +44 7855 805 271
http://www.devitto.com
Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> -----Original Message-----
> From: DFx [mailto:dfxat_private]
> Sent: 08 December 2001 19:36
> To: vuln-devat_private
> Subject: RE: character injecting on linux console
>
> I get the same results
> Distro == Slackware 8.0
> Kernel == 2.4.5
> TERM == VT100
> Shell == Bash
>
> dfx@dfx:~$ perl -e 'print "\x9E\x9bc"'
> dfx@dfx:~$ 6c
> bash: 6c: command not found
> dfx@dfx:~$ cat /proc/version
> Linux version 2.4.5 (root@dfx) (gcc version 2.95.3 20010315 (release)) #3 Sun Nov 11 15:52:54 EST 2001
> dfx@dfx:~$ cat /etc/slackware-version
> 8.0.0 (åtta)
> dfx@dfx:~$
>
> -----Original Message-----
> From: Doru Petrescu [mailto:pdoruat_private]
> Sent: Saturday, December 08, 2001 9:41 AM
> To: vuln-devat_private
> Subject: character injecting on linux console
>
> Hi everybody,
>
> One strange thing I found while playing with binary files on my terminal:
> some special sequences are able to inject characters into my terminal input buffer as if I typed them on the keyboard.
>
> on my linux (v2.4.5) TEXT console ($TERM=linux), if I execute:
> perl -e 'print "\x9E\x9bc"'
>
> when the shell returns back to my prompt I will find 2 characters in the command line as I typed them!!! the two of them are: "6c"
>
> So, if I press enter, the shell will complain that it can't find/execute command "6c". Of course I can just erase them, and everything will be OK.
>
> BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!?
>
> Imagine this: You receive an email, you open it with your favourite text mail reader (mail/pine/mutt/etc). the mail contains some unpleasant binary garbage that when the mail program outputs them to the terminal will trigger something and will INJECT characters into your terminal input buffer, and by doing so INJECTING commands as if YOU typed them from the keyboard. this means that someone could take over your terminal !!! hijacking your shell prompt !!!
>
> However, until now I was only able to inject series of "6c", and I didn't find a way to inject ENTER or something that will trigger the shell to execute the command. more research is needed.
> Also this only works on LINUX text CONSOLE. not on Xterm, or something else.
>
> 1. Can you guys check if this works on your systems as well ?
> just execute this cmd: perl -e 'print "\x9E\x9bc"'
>
> 2. Can someone explain to me what is happening ?
> is this a bug in the kernel code that handles terminal output ? can we make it do something else ? (like overwriting memory, etc ...)
>
> Best regards,
> ------
> Doru Petrescu
> KappaNet - Senior Software Engineer
> E-mail: pdoruat_private
> LINUX - the choice of the GNU generation
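The mitigation the thread keeps circling back to is that the mail reader, pager, or any other tool that prints attacker-supplied bytes must strip control characters before they reach the tty. The following is an added example in Python, not code from any of the posters: a filter that removes C0/C1 control bytes and ESC-introduced sequences from untrusted data and reports what it dropped, so the 0x9B 'c' in the posted test string (8-bit CSI followed by the ECMA-48 Device Attributes query, which the terminal answers on its input side) never reaches the terminal. All names are the example's own, and the sample byte strings are constructed for it.

```python
# Added example for the thread above; this is not code from any of the
# posters. A filter that a text mail reader or pager could run over untrusted
# bytes before writing them to the terminal: it strips C0/C1 control bytes and
# ESC-introduced sequences, and it labels the ones that make a terminal *reply*
# on the input side (ECMA-48 DA, "CSI c", is what the posted test string sends).
# All function and constant names are the example's own.

ESC, BEL, DEL = 0x1B, 0x07, 0x7F
KEEP_C0 = {0x09, 0x0A, 0x0D}                  # tab, newline, CR are kept

# 8-bit C1 introducers this filter understands; other C1 bytes are just dropped.
C1_NAMES = {0x9B: "CSI", 0x9D: "OSC", 0x90: "DCS"}

# CSI final bytes that request a reply from the terminal. The reply is written
# to the tty *input* side, which is how "6c" turns up on the command line.
REPLYING_FINALS = {
    ord("c"): "DA (Device Attributes query)",
    ord("n"): "DSR (Device Status Report)",
}


def _end_of_csi(data, i):
    """i is the first byte after the CSI introducer. Return (end, final_byte)."""
    n = len(data)
    while i < n and 0x30 <= data[i] <= 0x3F:   # parameter bytes: digits ; ? etc.
        i += 1
    while i < n and 0x20 <= data[i] <= 0x2F:   # intermediate bytes
        i += 1
    if i < n and 0x40 <= data[i] <= 0x7E:      # final byte
        return i + 1, data[i]
    return i, None                             # truncated sequence


def _end_of_string(data, i):
    """i is the first byte after OSC/DCS. Skip to BEL, ESC \\ or 8-bit ST."""
    n = len(data)
    while i < n:
        if data[i] in (BEL, 0x9C):
            return i + 1
        if data[i] == ESC and i + 1 < n and data[i + 1] == 0x5C:
            return i + 2
        i += 1
    return n      # unterminated: a real terminal would swallow the rest too


def scan(data):
    """Return (clean_bytes, findings); findings is a list of (offset, label)."""
    out, findings = bytearray(), []
    i, n = 0, len(data)
    while i < n:
        b, kind = data[i], None
        if b == ESC and i + 1 < n:
            nxt = data[i + 1]
            if nxt == 0x5B:                           # ESC [  -> CSI
                kind, j = "CSI", i + 2
            elif nxt in (0x5D, 0x50):                 # ESC ] / ESC P -> OSC / DCS
                kind, j = ("OSC" if nxt == 0x5D else "DCS"), i + 2
            else:                                     # ESC + intermediates + final
                j = i + 1
                while j < n and 0x20 <= data[j] <= 0x2F:   # e.g. ESC ( B
                    j += 1
                if j < n:
                    j += 1
                kind = "RIS (full reset)" if nxt == ord("c") else "ESC sequence"
        elif b in C1_NAMES:
            kind, j = C1_NAMES[b], i + 1
        elif 0x80 <= b <= 0x9F:
            kind, j = "C1 control 0x%02X" % b, i + 1
        elif (b < 0x20 and b not in KEEP_C0) or b == DEL:
            kind, j = "C0 control 0x%02X" % b, i + 1

        if kind is None:                              # ordinary byte: keep it
            out.append(b)
            i += 1
            continue
        if kind == "CSI":
            j, final = _end_of_csi(data, j)
            if final in REPLYING_FINALS:
                kind += " " + REPLYING_FINALS[final]
            elif final is not None:
                kind += " final %r" % chr(final)
        elif kind in ("OSC", "DCS"):
            j = _end_of_string(data, j)
        findings.append((i, kind))
        i = j
    return bytes(out), findings


def sanitize(data):
    """Bytes safe to write to a terminal: same text, no control sequences."""
    return scan(data)[0]


if __name__ == "__main__":
    # The test string from the thread, as raw bytes (constructed here).
    clean, found = scan(b"\x9E\x9bc")
    print("kept:", clean, "dropped:", found)
```

Run on the thread's test string, `scan` keeps nothing and reports a stray C1 byte (0x9E) followed by a CSI sequence whose final byte is the DA query; the same call also catches the VT100 full reset (ESC c) behind the "ResetMail" anecdote. The filter works on bytes rather than decoded text on purpose: 0x9B and 0x9E are not valid UTF-8 on their own, and decoding first would either raise or hide them.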
This archive was generated by hypermail 2b30 : Sun Dec 09 2001 - 10:11:52 PST