Re: character injecting on linux console

From: Michal Zalewski (lcamtufat_private)
Date: Sun Dec 09 2001 - 18:21:33 PST


On Sun, 9 Dec 2001 Valdis.Kletnieksat_private wrote:

> I can't *prove* it, but I know the first time I heard of "something
> fails to filter ANSI/vt100 control chars" was at my previous employer,
> which means it dates back to at least May 89. /.../ So we've reached
> the point in computing history where we have younger readers of this
> list hearing about bugs that were *first* found before the readers
> were even born.

Well... We are talking about a specific problem with vt100/ansi-compatible
terminal emulation on e.g. Linux. This problem does not affect many other
implementations, and is rather simple: the \x9b character works the same
way as \x1b[, a sequence used, among others, for answerback commands. So,
first of all, this is not necessarily the same problem as failure to
escape \x1b - this is a new vector of exploitation, and many, many CLI
programmers do not realize they should filter it (another problem is that,
IIRC, \x9b is used in some valid, non-English codepages, so it is not
always fine to simply drop it). And this problem is not exactly the same
as, let's say, macro capabilities in some ANSI implementations - an issue
known for long years. I think this \x9b issue started to pop up just a few
years ago, and is still not handled properly in many cases.

And finally, I believe that the majority of network-based applications
still have conditions that allow dumping unescaped data coming from the net
to the console, no matter if it is \x1b, \x9b or anything else. Even if
applications like ls or ps learned to escape certain characters, we still
need to have many programs fixed (Sendmail's mailq, ssh, telnet, nc, many
others come to mind). Thus I do not consider stating "this kind of bug has
been known for two decades" any good - after all, buffer overflows have
been known for a longer while, but it does not mean they do not happen,
that we shouldn't bother reporting new ones, or that we should dismiss new
cases ;)

Furthermore, no one really investigated if 'answerback' codes or other
control commands on Linux-alike implementations can be successfully
exploited to do any harm, so this discussion is pretty valuable.
    
-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
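The filtering gap the post describes (programs that neutralize ESC but let the single-byte CSI 0x9b through) can be closed with a cat -v style renderer that treats both introducers as controls. This is an added example, not code from the post or from any of the programs it names; escape_for_console is a hypothetical helper, and the c1_is_control flag is the hook for the codepage caveat the post raises.

```c
#include <stddef.h>
#include <string.h>

/* Render untrusted bytes for a terminal so that no C0 control (ESC 0x1b
 * included) and, when c1_is_control is set, no C1 control (CSI 0x9b
 * included, which vt100-style consoles treat exactly like ESC [) reaches
 * the terminal unescaped. Output uses cat -v notation: ESC -> ^[ and
 * 0x9b -> M-^[.  Returns bytes written (excluding NUL) or -1 if out is
 * too small.
 *
 * c1_is_control: nonzero for ASCII / ISO-8859-style single-byte locales,
 * where 0x80..0x9f are C1 controls; zero for 8-bit codepages in which
 * 0x9b is a printable character (so it must not be dropped, as the post
 * notes). Multibyte locales need decoding before a byte-level check. */
long escape_for_console(const unsigned char *in, size_t n,
                        int c1_is_control, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        char buf[4];
        size_t len;
        if (c == '\n' || c == '\t') {           /* harmless whitespace */
            buf[0] = (char)c; len = 1;
        } else if (c < 0x20 || c == 0x7f) {     /* C0 controls: ^X form */
            buf[0] = '^'; buf[1] = (char)(c ^ 0x40); len = 2;
        } else if (c >= 0x80 && c <= 0x9f && c1_is_control) {
            /* C1 controls: M-^X form, e.g. 0x9b -> M-^[ */
            buf[0] = 'M'; buf[1] = '-'; buf[2] = '^';
            buf[3] = (char)((c - 0x80) ^ 0x40); len = 4;
        } else {                                /* ordinary data byte */
            buf[0] = (char)c; len = 1;
        }
        if (o + len >= outsz)                   /* leave room for NUL */
            return -1;
        memcpy(out + o, buf, len);
        o += len;
    }
    out[o] = '\0';
    return (long)o;
}
```

Run it over anything from the network (mail headers, peer-supplied names, banners) before the bytes hit the tty; with c1_is_control set, a bare 0x9b is shown as text rather than executed as a CSI.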
    



This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 10:41:52 PST