Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 22 Apr 2016 06:57:37 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: s/party/hack like it's 1999

On Thu, Apr 21, 2016 at 09:45:59PM +0200, Jakub Wilk wrote:
> * up201407890@...nos.dcc.fc.up.pt, 2015-09-17, 18:03:
> >'less' doesn't interpret escape sequences unless the -r switch is used, 
> >so stop aliasing it to 'less -r' just because there's no colored 
> >output.
> 
> As somebody else noted, it should be s/doesn't interpret/neutralizes/ or 
> something. But that doesn't mean you should feel safe if you don't use 
> -r.
> 
> For example, when git automatically spawns a pager, it puts R in the 
> LESS environment variable. (That would be fine if git escaped \033 
> before passing them to the pager, but it doesn't. Oddly, it does seem to 
> escape other control characters.) Now, -R is less convenient than -r for 
> hiding malicious code, but you could still set foreground and background 
> to black in hope that the victim's terminal background is also black.
> 
> But even without -r or -R, one can use backspace characters to hide evil 
> payload:

Right.  less has the -U option to prevent that.  And yes, it's too many
options to remember, unfortunately.  Safe(r) use of less was previously
discussed here:

http://www.openwall.com/lists/oss-security/2015/09/03/9

To view untrusted text files, use "less -nU".  Instead of "tail -f", use
"less -nUEX +F".  Setting up aliases may help.

This assumes that your distro didn't setup a script in LESSOPEN that
would do something dangerous for the given filename/suffix.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ