oss-sec mailing list archives
Re: terminal emulators' processing of escape sequences
From: Simon Lees <sflees () suse de>
Date: Thu, 18 May 2017 08:35:40 +0930
On 05/02/2017 02:14 AM, Solar Designer wrote:
Hi, It is a well-known feature, previously discussed in here, that data printed to a terminal (emulator) may control that terminal, including making it effectively unusable until reset, and in some cases even pasting characters as if they were typed by the user. Also as discussed what characters may be pasted varies by terminal - sometimes they can be arbitrary (e.g., if the terminal supports macro recording and playback via escape sequences) and sometimes not so (like a terminal reporting back its status, usually not followed by a linefeed, so not yet executing a shell command until further user assistance). Here are some relevant threads: http://www.openwall.com/lists/oss-security/2015/08/11/8 http://www.openwall.com/lists/oss-security/2015/09/17/5 http://www.openwall.com/lists/oss-security/2016/11/04/12 (I link to messages that started these threads, not necessarily to most informative messages in the threads. So you might want to go through the threads with the "thread-next" links.) Besides (mis)features, there may also be implementation bugs. A couple of weeks ago, I brought in here vulnerabilities in terminal escape handling in minicom and prl-vzvncserver (both already fixed in latest versions by then): http://www.openwall.com/lists/oss-security/2017/04/18/5 I already knew this wouldn't be the end of the story as some other terminal emulators exhibited suspicious behavior when targeted with streams of unusual escape sequences involving large or negative integer parameters. I sent the following to the distros list on April 17, presented here with updates reflecting the current status. terminology: --- ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x ---
For reference terminology was fixed with this commit https://phab.enlightenment.org/rTRM63d65ed4bb06094e6a8b6cafdc7c4cbfc62dd677 Thanks -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: terminal emulators' processing of escape sequences, (continued)
- Re: terminal emulators' processing of escape sequences Tavis Ormandy (May 19)
- Re: terminal emulators' processing of escape sequences Solar Designer (May 17)
- Re: terminal emulators' processing of escape sequences Marc Lehmann (May 17)
- rxvt-unicode "insecure" setting [Was: terminal emulators' processing of escape sequences] Ian Zimmerman (May 17)
- Re: terminal emulators' processing of escape sequences Dominique Martinet (May 17)
- Re: terminal emulators' processing of escape sequences Steve Kemp (May 02)
- Re: terminal emulators' processing of escape sequences Solar Designer (May 02)
- Re: terminal emulators' processing of escape sequences Guido Berhoerster (May 03)
- Re: terminal emulators' processing of escape sequences Shiz (May 08)
- Re: terminal emulators' processing of escape sequences Ryan Munz (May 08)
- Re: terminal emulators' processing of escape sequences Simon Lees (May 17)