Date: Fri, 20 Oct 2023 01:44:10 +0300 From: Turistu <turistu@...il.com> To: oss-security@...ts.openwall.com Subject: Re: with firefox on X11, any page can pastejack you anytime On Thu, Oct 19, 2023 at 04:53:55PM +0000, Jeremy Stanley wrote: > On 2023-10-19 17:04:10 +0100 (+0100), Sam Bull wrote: > [...] > > Also a problem with shell security. If you paste something with That's not a problem with "shell security". Paste is just a form of **trusted user input** (just as keyboard input). The bracketed-paste and other features are for convenience, they're not supposed to help against a rogue X11 app (who could just as well simulate keyboard input with the XTest X11 extension instead of complicating itself with setting up selections that the user has to paste). > > line breaks into bash, it executes them. If you paste the same > > into fish, it doesn't (it'll display the multi-line input and > > expect you to hit the enter key to execute it as a command). > > That observation may be outdated. At least my bash 5.2.15 on Debian > does not execute pasted newlines, it treats it as a multi-line > command and waits for an actual enter keypress Indeed, as already described in my report. Bracketed-paste is the default in bash on all recent systems. > (tested inside a few > different terminal emulators including vanilla xterm, so pretty sure > it's not being mitigated at that layer). It pretty much **is** mitigated at that layer. If xterm itself weren't filtering out the ESC (ascii 0x1b) character in the pasted data, then the bracketed-paste feature of bash or zsh could've been easily bypassed by inserting a "\x1b[201~" escape (= end of pasted data) in the payload. (As already mentioned in the report too). Anyways, the examples were meant just as ... examples, as like for illustration. I've just chosen them because they were the simplest and cutest. But there are a thousand more ways for an attacker to leverage that hole in Firefox. Many programs (including Firefox itself!) could be easily crashed by garbage data from the clipboard. Attacker-controlled data could find its way into shell scripts via `var=$(xsel)`, etc.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.