Vulnerability Development mailing list archives
RE: character injecting on linux console
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sun, 9 Dec 2001 12:40:24 -0000
This one takes me back to 1992, when I got accused, without, I note, any evidence :-) of terminal hijacking. With the help of the ioctl 'TIOCSTI' (aka "insert character into the stream as if it had been typed in"), and SunOS/BSD style TTYs... IIRC, the ANSI/DOS-mode standard allowed for macro definition and execution by just viewing a text file (particularily nasty, because you could set the colours so they coulnd't see what "they" had typed, but on a VT you must type the macro execution code :-( So what are the chaces of: perl -e 'print "\x9E\x9bc"' | write root being cute? (zero, I'd say, but still worth checking) Back in 1992 there were so many tools that didn't escape user-controllable data, biff, mail, ls, who, finger, w, cwd, etc. etc. etc. Dom [ I 'invented' "ResetMail" at my Uni, because tty-based mailers of the time didn't escape/strip the VT100 reset code. Best bit is that they get to see "This email with explode in 3 seconds....." and poof they're tty resets and that usually logged them out :-) ] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dom De Vitto Secure Technologies Ltd mailto:dom () devitto com Mob. +44 7855 805 271 http://www.devitto.com Fax. +44 8700 548 750 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message----- From: DFx [mailto:dfx () dfxdesigns com] Sent: 08 December 2001 19:36 To: vuln-dev () securityfocus com Subject: RE: character injecting on linux console I get the same results Distro == Slackware 8.0 Kernel == 2.4.5 TERM == VT100 Shell == Bash dfx@dfx:~$ perl -e 'print "\x9E\x9bc"' dfx@dfx:~$ 6c bash: 6c: command not found dfx@dfx:~$ cat /proc/version Linux version 2.4.5 (root@dfx) (gcc version 2.95.3 20010315 (release)) #3 Sun Nov 11 15:52:54 EST 2001 dfx@dfx:~$ cat /etc/slackware-version 8.0.0 (åtta) dfx@dfx:~$ -----Original Message----- From: Doru Petrescu [mailto:pdoru () kappa ro] Sent: Saturday, December 08, 2001 9:41 AM To: vuln-dev () securityfocus com Subject: character injecting on linux console Hi everybody, One strange thing I found while playing with binary files on my terminal: some special sequences are able to inject characters into my terminal input buffer as if I typed them on the keyboard. on my linux (v2.4.5) TEXT console ($TERM=linux), if I execute: perl -e 'print "\x9E\x9bc"' when the shell returns back to my prompt I will find 2 characters in the command line as I typed them!!! the two of them are: "6c" So, if I press enter, the shell will complain that can't find/execute command "6c". Of cource I can just erase them, and everything will by OK. BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!? Imagine this: You receive an email, you open it with your favourite text mail reader (mail/pine/mutt/etc). the mail contains some unpleasent binary garbage that when the mail program output them to the terminal will trigger something and will INJECT characters into your terminal input buffer, and by doing so INJECTING commands as if YOU typed them from the keyboard. this means that someone could take over your terminal !!! hijacking your shell prompt !!! However, untill now I was only able to inject series of "6c", and I didn't found a way to inject ENTER or something that will trigger the shell to execute the command. more researchis needed. Also this only work on LINUX text CONSOLE. not on Xterm, or something else. 1. Can you guys check if this works on your systems as well ? just execute this cmd: perl -e 'print "\x9E\x9bc"' 2. Can someone explain to me what is happening ? is this a bug in the kernel code that handles terminal output ? can we make it do something else ? (like overwriting memory, etc ...) Best regards, ------ Doru Petrescu KappaNet - Senior Software Engineer E-mail: pdoru () kappa ro LINUX - the choice of the GNU generation
Current thread:
- Re: character injecting on linux console, (continued)
- Re: character injecting on linux console Doru Petrescu (Dec 08)
- Re: character injecting on linux console Michal Zalewski (Dec 08)
- Re: character injecting on linux console Robert van der Meulen (Dec 08)
- Re: character injecting on linux console Nelson Brito (Dec 09)
- Re: character injecting on linux console Michal Zalewski (Dec 09)
- Re: character injecting on linux console Valdis . Kletnieks (Dec 10)
- Re: character injecting on linux console Michal Zalewski (Dec 10)
- Re: character injecting on linux console Robert van der Meulen (Dec 08)
- Re: character injecting on linux console Valkai Elod (Dec 08)
- RE: character injecting on linux console DFx (Dec 08)
- RE: character injecting on linux console Dom De Vitto (Dec 09)