Date: Fri, 22 Apr 2016 06:57:37 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: s/party/hack like it's 1999

On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote:
> * up201407890@...nos.dcc.fc.up.pt, 2015-09-17, 18:03:
> >'less' doesn't interpret escape sequences unless the -r switch is used, 
> >so stop aliasing it to 'less -r' just because there's no colored 
> >output.
> 
> As somebody else noted, it should be s/doesn't interpret/neutralizes/ or 
> something. But that doesn't mean you should feel safe if you don't use 
> -r.
> 
> For example, when git automatically spawns a pager, it puts R in the 
> LESS environment variable. (That would be fine if git escaped \033 
> before passing them to the pager, but it doesn't. Oddly, it does seem to 
> escape other control characters.) Now, -R is less convenient than -r for 
> hiding malicious code, but you could still set foreground and background 
> to black in hope that the victim's terminal background is also black.
> 
> But even without -r or -R, one can use backspace characters to hide an evil 
> payload:

Right.  less has the -U option to prevent that.  And yes, it's too many
options to remember, unfortunately.  Safe(r) use of less was previously
discussed here:

http://www.openwall.com/lists/oss-security/2015/09/03/9

To view untrusted text files, use "less -nU".  Instead of "tail -f", use
"less -nUEX +F".  Setting up aliases may help.

This assumes that your distro didn't set up a script in LESSOPEN that
would do something dangerous for the given filename/suffix.

Alexander
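The viewing advice above, as an added shell example that is not part of the original message or of less itself: a pre-check for the bytes that -U exists to expose (ESC, backspace, carriage return), wrappers that apply the recommended options with LESSOPEN/LESSCLOSE removed from the environment, and a constructed sample file. It assumes POSIX sh, grep, env and printf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the message or from less). Assumed: POSIX sh,
# grep, env, printf. Function names are hypothetical.

# True (exit 0) if the file contains bytes that can change what a terminal
# shows rather than what the file says: ESC (escape sequences), BS
# (backspace overwrites), CR (line rewrites). LC_ALL=C makes grep match
# raw bytes regardless of the caller's locale.
scan_untrusted() {
    LC_ALL=C grep -q "$(printf '[\033\010\015]')" "$1"
}

# View an untrusted text file as the message recommends: "less -nU", with
# any distro-supplied LESSOPEN/LESSCLOSE preprocessor dropped for this run
# so no helper script is executed on the untrusted filename.
view_untrusted() {
    if scan_untrusted "$1"; then
        printf 'note: %s holds ESC/BS/CR bytes; -U shows them instead of interpreting them\n' "$1" >&2
    fi
    env -u LESSOPEN -u LESSCLOSE less -nU "$1"
}

# The "tail -f" replacement from the message, with the same precautions.
follow_untrusted() {
    env -u LESSOPEN -u LESSCLOSE less -nUEX +F "$1"
}

# Constructed sample: readable text followed by backspaces that an ordinary
# terminal would use to overwrite it with the text that comes next.
make_sample() {
    printf 'all clear\b\b\b\b\b\b\b\b\bnot quite\n' > "$1"
}
```

Viewing the sample with `view_untrusted` shows the backspaces as ^H control characters instead of letting them rewrite the line.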