Re: A new class of security vulns?

[Scott Arciszewski <scott () paragonie com>]

On Thu, Jul 30, 2015 at 11:33 AM, Kurt Seifried <kseifried () redhat com> wrote:
> So in past we have had vulns around injection of terminal control
> characters into log files:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=terminal+escape
>
> However now I'm seeing flaws around printing/display of user data, e.g.
> systems where a user can set their own name, but fills it with backspace
> characters, so when an admin looks at the text record it is
> mangled/shows something the attacker wants them to see and not the
> "True" data.
>
> An example of this is:
>
> https://fedorahosted.org/freeipa/ticket/5153
>
> assuming there are no actual terminal escape sequences allowed, but just
> backspace characters/etc, is this worthy of a CVE? Right now it
> definitely allows manipulation of displayed data, and if an admin cuts
> and pastes it would potentially be just the modified data, so I'm
> thinking there is an integrity impact (not a very big one mind you), but
> it's quite limited (at least as I understand the issue right now).
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert () redhat com

How would you exploit it? By adding a special command to someone's
terminal inputs (i.e. a backdoored version of fixubuntu.org that adds
a public key to /root/.ssh/authorized_keys) and then hiding it
afterwards?

It's worth exploring, but I'm not sold on the practicality.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>