oss-sec mailing list archives

Re: Terminal escape sequences - the new XSS for admins?


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 11 Aug 2015 16:13:48 -0400

On Tue 2015-08-11 12:23:59 -0400, Kurt Seifried wrote:
> So we've had a bunch of this stuff over the years:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=terminal+escape
>
> And now more recently:
>
> http://turbochaos.blogspot.ca/2014/08/journalctl-terminal-escape-injection.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1084577
>
> And we have at least one more coming down the pipeline that's pretty
> widespread.
>
> Also I'm thinking of all those docker apps that log to STDOUT.
>
> So the basic TL;DR: please don't use really ancient terminal programs that
> are vulnerable to this stuff. It appears in testing that most (all?) of the
> Red Hat stuff is ok, but I can't speak for other vendors.

Do we have a catalog of terminal programs that are vulnerable, or of
particularly dangerous escape sequences to test with each terminal
emulator?  I'd be happy to try to organize a torches-and-pitchforks run
through the debian archive if i know what to look for.

https://security.stackexchange.com/questions/56307/can-cat-ing-a-file-be-a-potential-security-risk

has some good links and discussion from just last year but nothing
systematized that i can see.

   --dkg
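
Added example, not part of the original message or of any project named in the thread: a log-viewing filter that renders escape sequences and control bytes in caret notation (the same idea as `cat -v`) before a line reaches the terminal, and reports what it found. The sample log lines, `neutralize`, `scan` and the other names are constructed for this illustration.

```python
import re

# Matches, in order: CSI sequences, OSC strings (ended by BEL or ESC \),
# other two-byte escapes, then any remaining C0/C1 control except TAB and LF.
SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    r"|\x1b."
    r"|[\x00-\x08\x0b-\x1f\x7f-\x9f]"
)

def visible(ch):
    """Render one character so the terminal will not interpret it."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)      # ESC -> ^[, CR -> ^M, BEL -> ^G
    if code == 0x7F:
        return "^?"
    if 0x80 <= code <= 0x9F:
        return "\\x%02x" % code            # C1 controls shown as hex
    return ch

def neutralize(line):
    """Return (safe_text, findings); findings is a list of (kind, shown)."""
    findings = []
    def repl(m):
        seq = m.group(0)
        if seq.startswith("\x1b["):
            kind = "CSI"
        elif seq.startswith("\x1b]"):
            kind = "OSC"
        elif seq.startswith("\x1b") and len(seq) > 1:
            kind = "ESC"
        else:
            kind = "CTRL"
        shown = "".join(visible(c) for c in seq)
        findings.append((kind, shown))
        return shown
    return SEQ.sub(repl, line), findings

def scan(lines):
    """Return (line_number, safe_text, findings) for each line with findings."""
    hits = ((n, *neutralize(l)) for n, l in enumerate(lines, 1))
    return [h for h in hits if h[2]]

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    "Aug 11 16:13:48 host app[42]: user login ok",
    "Aug 11 16:13:49 host app[42]: name=\x1b[31mred\x1b[0m",
    "Aug 11 16:13:50 host app[42]: failed login\r\x1b[2Kall quiet",
    "Aug 11 16:13:51 host app[42]: t=\x1b]0;title\x07 done",
]
```

Line 3 of the sample is the case that matters for log review: shown raw, the carriage return and erase-line sequence leave only "all quiet" on screen, while the filtered output keeps "failed login" visible.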

