On Sun, 9 Dec 2001 Valdis.Kletnieksat_private wrote:

> I can't *prove* it, but I know the first time I heard of "something
> fails to filter ANSI/vt100 control chars" was at my previous employer,
> which means it dates back to at least May 89. /.../ So we've reached
> the point in computing history where we have younger readers of this
> list hearing about bugs that were *first* found before the readers
> were even born.

Well... We are talking about a specific problem with vt100/ansi-compatible terminal emulation on e.g. Linux. This problem does not affect many other implementations, and is rather simple: the \x9b character works the same way as \x1b[, a sequence used, among others, for answerback commands.

So, first of all, this is not necessarily the same problem as failure to escape \x1b - this is a new vector of exploiting, and many, many CLI programmers do not realize they should filter it (another problem is that, IIRC, \x9b is used in some valid, non-English codepages, so it is not always fine to simply drop it). And this problem is not exactly the same as, let's say, macro capabilities in some ANSI implementations - an issue known for many years. I think this \x9b issue started to pop up just a few years ago, and is still not handled properly in many cases.

And finally, I believe that the majority of network-based applications still have conditions that allow dumping unescaped data coming from the net to the console, no matter if it is \x1b, \x9b or anything else. Even if applications like ls or ps learned to escape certain characters, we still need to have many programs fixed (Sendmail's mailq, ssh, telnet, nc, many others come to mind).

Thus I do not consider stating "this kind of bug is known for two decades" any good - after all, buffer overflows are known for a longer while, but it does not mean they do not happen, we shouldn't bother reporting new ones, or dismiss new cases ;) Furthermore, no one really investigated if 'answerback' codes or other control commands on Linux-like implementations can be successfully exploited to do any harm, so this discussion is pretty valuable.

--
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
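The filtering the message asks CLI programs to do, as an added example that is not part of Michal's post or the original thread: a small Python filter that escapes terminal control characters before untrusted data (a mail queue, a remote banner, a filename) is written to a tty. It covers both the 7-bit ESC (\x1b) and the 8-bit C1 range (\x80-\x9f), which includes the single-byte CSI \x9b. It also handles the caveat raised above about \x9b in non-English encodings: for UTF-8 input it decodes first, because 0x9b is a legitimate continuation byte there, and a separate byte-wise filter is provided for legacy 8-bit codepages. Function names and the sample inputs are my own assumptions, not anything from the thread.

```python
"""Escape terminal control characters before writing untrusted data to a tty.

Hypothetical example code. It mirrors the per-character escaping that tools
like ls do, but also neutralises the 8-bit C1 controls (0x80-0x9f), including
the single-byte CSI 0x9b that many programs forget about.
"""

import sys

# C0 controls that may safely pass through as plain whitespace.
_SAFE_C0 = {0x09, 0x0A}  # tab, newline


def is_control(cp: int) -> bool:
    """True for C0 controls (except tab/newline), DEL, and the C1 range 0x80-0x9f.

    0x1b (ESC) and 0x9b (single-byte CSI) both fall in these ranges.
    """
    if cp in _SAFE_C0:
        return False
    return cp < 0x20 or 0x7F <= cp <= 0x9F


def escape_text(text: str) -> str:
    """Escape control code points in already-decoded text as \\xNN."""
    return "".join(
        f"\\x{ord(ch):02x}" if is_control(ord(ch)) else ch for ch in text
    )


def sanitize_for_tty(data: bytes, encoding: str = "utf-8") -> str:
    """Decode untrusted bytes, then escape control code points.

    Decoding first matters for UTF-8: the byte 0x9b is a valid continuation
    byte (e.g. U+00DB is encoded as C3 9B), so escaping or dropping raw 0x9b
    bytes would mangle legitimate text. The C1 character U+009B itself is
    encoded as C2 9B, decodes to a control code point, and is escaped.
    Bytes that do not decode are rendered as \\xNN by 'backslashreplace', so
    a stray 0x9b outside any valid sequence never reaches the terminal.
    """
    text = data.decode(encoding, errors="backslashreplace")
    return escape_text(text)


def sanitize_bytes_8bit(data: bytes) -> str:
    """Byte-wise variant for legacy single-byte terminals (no UTF-8 decoding).

    Here every byte in 0x80-0x9f is treated as a C1 control and escaped.
    This is the right choice when the terminal itself runs in 8-bit mode;
    for UTF-8 terminals use sanitize_for_tty() instead.
    """
    return "".join(
        f"\\x{b:02x}" if is_control(b) else chr(b) for b in data
    )


if __name__ == "__main__":
    # Filter stdin to stdout, e.g.:  some_network_tool | python3 ttysafe.py
    sys.stdout.write(sanitize_for_tty(sys.stdin.buffer.read()))
```

The same decode-then-escape approach belongs in any program that prints data it did not generate itself; the byte-wise variant only makes sense when the output encoding is genuinely single-byte, since applied to UTF-8 it corrupts ordinary non-ASCII text.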
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 10:41:52 PST