RE: character injecting on linux console

["Dom De Vitto" <Dom () DeVitto com>]

This one takes me back to 1992, when I got accused, without, I note, any
evidence :-)
of terminal hijacking.  With the help of the ioctl 'TIOCSTI' (aka "insert
character into the stream as if it had been typed in"), and SunOS/BSD style
TTYs...

IIRC, the ANSI/DOS-mode standard allowed for macro definition and execution
by just viewing a text file (particularily nasty, because you could set the
colours
so they coulnd't see what "they" had typed, but on a VT you must type the
macro
execution code :-(

So what are the chaces of:
        perl -e 'print "\x9E\x9bc"' | write root

being cute? (zero, I'd say, but still worth checking)

Back in 1992 there were so many tools that didn't escape user-controllable
data, biff, mail, ls, who, finger, w, cwd, etc. etc. etc.

Dom
[ I 'invented' "ResetMail" at my Uni, because tty-based mailers of the
  time didn't escape/strip the VT100 reset code.  Best bit is that they
  get to see "This email with explode in 3 seconds....." and poof
  they're tty resets and that usually logged them out :-) ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto                               Secure Technologies Ltd
  mailto:dom () devitto com                       Mob. +44 7855 805 271
  http://www.devitto.com                       Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> -----Original Message-----
> From: DFx [mailto:dfx () dfxdesigns com]
> Sent: 08 December 2001 19:36
> To: vuln-dev () securityfocus com
> Subject: RE: character injecting on linux console
>
>
> I get the same results
> Distro ==  Slackware 8.0
> Kernel ==  2.4.5
> TERM   ==  VT100
> Shell  ==  Bash
>
>
> dfx@dfx:~$ perl -e 'print "\x9E\x9bc"'
> dfx@dfx:~$ 6c
> bash: 6c: command not found
> dfx@dfx:~$ cat /proc/version
> Linux version 2.4.5 (root@dfx) (gcc version 2.95.3 20010315 (release))
> #3 Sun Nov 11 15:52:54 EST 2001
> dfx@dfx:~$ cat /etc/slackware-version
> 8.0.0 (åtta)
> dfx@dfx:~$
>
> -----Original Message-----
> From: Doru Petrescu [mailto:pdoru () kappa ro]
> Sent: Saturday, December 08, 2001 9:41 AM
> To: vuln-dev () securityfocus com
> Subject: character injecting on linux console
>
>
> Hi everybody,
>
> One strange thing I found while playing with binary files on my
> terminal:
> some special sequences are able to inject characters into my terminal
> input buffer as if I typed them on the keyboard.
>
> on my linux (v2.4.5) TEXT console ($TERM=linux), if I execute:
>   perl -e 'print "\x9E\x9bc"'
>
> when the shell returns back to my prompt I will find 2 characters in the
> command line as I typed them!!! the two of them are: "6c"
>
> So, if I press enter, the shell will complain that can't find/execute
> command "6c". Of cource I can just erase them, and everything will by
> OK.
>
> BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!?
>
> Imagine this: You receive an email, you open it with your favourite text
> mail reader (mail/pine/mutt/etc). the mail contains some unpleasent
> binary
> garbage that when the mail program output them to the terminal will
> trigger something and will INJECT characters into your terminal
> input buffer, and by doing so INJECTING commands as if YOU typed them
> from the keyboard. this means that someone could take over your terminal
> !!! hijacking your shell prompt !!!
>
>
> However, untill now I was only able to inject series of "6c", and I
> didn't
> found a way to inject ENTER or something that will trigger the shell to
> execute the command. more researchis needed.
> Also this only work on LINUX text CONSOLE. not on Xterm, or something
> else.
>
> 1. Can you guys check if this works on your systems as well ?
> just execute this cmd: perl -e 'print "\x9E\x9bc"'
>
> 2. Can someone explain to me what is happening ?
> is this a bug in the kernel code that handles terminal output ? can we
> make it do something else ? (like overwriting memory, etc ...)
>
>
> Best regards,
> ------
> Doru Petrescu
> KappaNet - Senior Software Engineer
> E-mail: pdoru () kappa ro              LINUX - the choice of the GNU
> generation