Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 Sep 2015 14:02:36 +0200
From: up201407890@...nos.dcc.fc.up.pt
To: oss-security@...ts.openwall.com
Subject: Re: s/party/hack like it's 1999

Date: Thu, 17 Sep 2015 12:33:28 -0430
From: Manuel Gómez <targen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: s/party/hack like it's 1999

On Thu, Sep 17, 2015 at 12:33:28 AM, <targen@...il.com> wrote:
> On Thu, Sep 17, 2015 at 11:33 AM,  <up201407890@...nos.dcc.fc.up.pt> wrote:
>> Federico Bento <up201407890@...nos.dcc.fc.up.pt>
>>
>> […]
>>
>> As you can see, our beloved 'cat' cheated on us. Why?
>> Because instead of displaying the character-sequence, the escape sequence
>> \033[XA (being X the number of times) performed some action.
>> And this action moves the cursor up X times, overwriting what is above it X
>> lines.
>> But this doesn't affect only 'cat', it affects everything that interprets
>> escape sequences.
>>
>> [… examples with head, tail, more, curl, wget …]
>>
>> 'diff' also interprets escape sequences and so do the resulting patches
>>
>> [… examples with diff …]
>>
>> Hint:
>> 'less' doesn't interpret escape sequences unless the -r switch is used,
>> so stop aliasing it to 'less -r' just because there's no colored output.

> Not a single one of those programs does anything to its input that
> ought to be considered any form of interpretation in the sense you
> imply.  They simply produce outputs that correspond to their inputs.
> If that output is later presented to a terminal emulator, *then* some
> characters happen to produce effects that go beyond simply displaying
> them as glyphs on a screen, one by one.
>
> There is absolutely nothing wrong with `head`, `tail`, `more`, `curl`,
> `wget` or `diff`.  They are not meant to “interpret” anything of the
> sort that is being addressed, and indeed they do not.  `less` *does*
> have special processing rules active by default for input sequences
> that would cause terminals to do anything special; indeed, the default
> behaviour of `less`, without the `-r` option, is the only mentioned
> behaviour that may be considered a form of interpretation.

Yes, that is correct. I should have rephrased that better, thanks for  
clearing that up.

>> It's no secret, most of us rely on 'cat' to view files. I guess this is one
>> black kitty, giving you bad luck.
>
> Perhaps “most of us” should use `view` to view files.

Also correct. There are several ways one can go about this, but the  
point is, do people actually do that? Do they take that extra care  
sometimes? :)

I'd also like to point out that the title should've been  
"s/party/hack/ like it's 1999", I guess that's what you get when  
you're trying to write up things fast, but that's not really the point  
of the post ;-)



Quoting "Cliff Perry" <cperry@...hat.com>:

>> Interesting. I woul advocate usage of something like cat -A.
>>  - something I learned to find end of line chars.
>>
>> [cperry@...rry ~]$ printf '#!/bin/bash\necho doing something  
>> evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh
>> [cperry@...rry ~]$ chmod +x backdoor.sh
>> [cperry@...rry ~]$ cat backdoor.sh
>> #!/bin/bash
>> echo doing something very nice!
>> [cperry@...rry ~]$ cat -A backdoor.sh
>> #!/bin/bash$
>> echo doing something evil!$
>> exit$
>> ^[[2Aecho doing something very nice!$
>> [cperry@...rry ~]$
>>
>> Also, my terminal prompt jumped a line when doing the normal cat.
>>
>> Cliff

Yes, there are several ways to go about this, but the point is that  
'cat -A file' isn't something that people do in their day to day lives!

I believe some adjustments to the script would make it not jump a line  
for other terminal emulators.


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.