oss-sec mailing list archives
Re: CVE request: screen stack overflow (deep recursion)
From: Kuang-che Wu <kcwu () csie org>
Date: Fri, 4 Sep 2015 02:42:20 +0800
On Thu, Sep 03, 2015 at 02:16:34PM +0300, Solar Designer wrote:
> On Thu, Sep 03, 2015 at 09:36:29AM +0300, Solar Designer wrote:
> > On Thu, Sep 03, 2015 at 05:25:11AM +0000, Fiedler Roman wrote:
> > > What about "tail -f /var/log/syslog", Apache or other kind of logs for
> > > debugging? [Yes, that's often how logs are running over the screen in
> > > videos when talking about IT-security]. It's convenient and I'm using
> > > screen exactly to avoid any injection of commands via TIOCSTI into my
> > > current TTY when a context switch is needed before starting tail, e.g.
> > > when working with LXC containers.
> >
> > "tail -f" on a log file is indeed very common, but it is bad practice
> > (akin to other very common bad practices like a sysadmin going into a
> > user's homedir as root). A safer alternative in terms of terminal
> > escapes is the "F" keypress in "less -nU" (or in "less -nUEX" to more
> > closely resemble "tail -f"). Unfortunately, I am not aware of a
> > command-line option that would do this (that is, assume that "F" was
> > pressed right away) - perhaps one should be added, if it's not already
> > in there.
>
> Dmitry V. Levin pointed out to me off-list that less already provides a
> way to specify its normally interactive commands on the command line.
> The man page says:
>
>        +cmd   Causes the specified cmd to be executed each time a new
>               file is examined. For example, +G causes less to initially
>               display each file starting at the end rather than the
>               beginning.
>
> and indeed e.g. "less -nUEX +F" works as desired.
Reading logs is just one example of terminal control sequence exposure.
It's difficult to remember to do everything with | less. Untrusted text
output is hidden everywhere unexpectedly.

1. If for some reason, you need to run untrusted code. No matter what kind
   of container, sandbox, VM, or even dedicated physical machine you use,
   you probably still use a terminal to interact with it.

2. Even with trusted code, I have verified the following programs output
   terminal control codes as-is, unescaped. (on Ubuntu)

   a. If you need to deal with untrusted data using trusted programs.
      - use gcc to compile untrusted code, it will show lines for warnings
      - git log, git diff on untrusted code. If the output is short, git
        won't invoke the pager.
      - use zipnote(1) to read comments in a zip file.

   b. If there is an untrusted user on your machine, he may create files
      with malicious names.
        $ touch $(echo -e '\e[1;33mhello\e[m\e[10000000T')
      - du(1) and locate(1) would output that name as-is.
      - If you, as root, want to check other users' crontabs, "crontab -l
        -u user" would not escape control codes, either.
      - If the user can use lp(1) to send a print job to the printer,
          $ echo test | lp -t '^[[1;33mhello^[[m^[[10000000T' -H hold
        -t to set the job name, and hold the print job. An administrator
        may use lpq(1) to list print jobs.

   c. I haven't tried, but I guess ping, dig, nslookup, whois, ftp, etc.
      may not escape output.

BTW, here is a summary of what I found when fuzzing terminal emulators.
- libteken: assertion failure, which leads to a FreeBSD kernel panic. [1][2][3]
- mosh: assertion failure [4], leading to mosh-server DoS.
- tmux: double free, or invalid argument to free/malloc/realloc [5]
  I guess there is no RCE with glibc's malloc heap protection, not sure.
- screen: stack overflow [6], and many others
- rxvt-unicode: out of bound read [7], and many others

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202326
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202540
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202612
[4] https://github.com/mobile-shell/mosh/issues/667
[5] https://github.com/tmux/tmux/commit/3219e0314e3d1d39a57db330faa5693ce0264244
[6] https://savannah.gnu.org/bugs/?45713
[7] http://lists.schmorp.de/pipermail/rxvt-unicode/2015q3/002155.html
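An added example, not part of the thread, of the mitigation the discussion points at: rendering untrusted text so that no control byte reaches the emulator (the effect of cat -v or less -U) and flagging which lines carried escape sequences, so a log pipeline or wrapper can surface them instead of interpreting them. The regex, function names and sample lines are constructed for this example; the second sample line is the filename from the message above as du(1) would print it.

```python
import re

# Constructed for this example: the escape-sequence forms an emulator acts on.
#   CSI: ESC [ params intermediates final   (ESC[1;33m, ESC[m, ESC[10000000T)
#   OSC: ESC ] text ... BEL or ESC \         (title changes and similar)
#   Fe:  ESC plus one byte 0x40-0x5F other than '[' (e.g. ESC c = reset)
ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
)

def find_escapes(text):
    """Return the escape sequences present in text, in order of appearance."""
    return ESCAPE_RE.findall(text)

def make_visible(text, keep="\n\t"):
    """Render text so no control byte reaches the terminal, like cat -v / less -U:
    C0 controls become ^X (ESC -> ^[), DEL becomes ^?, C1 controls become \\xNN."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in keep:
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7f:
            out.append("^?")
        elif 0x80 <= code <= 0x9f:
            out.append("\\x%02x" % code)  # 8-bit CSI (0x9b) etc.
        else:
            out.append(ch)
    return "".join(out)

def flag_lines(lines):
    """For each line that needed rewriting, return (index, visible text, escapes)."""
    hits = []
    for i, line in enumerate(lines):
        visible = make_visible(line)
        if visible != line:
            hits.append((i, visible, find_escapes(line)))
    return hits

# Constructed sample: a benign du(1) line and one carrying the malicious filename.
SAMPLE = [
    "4\t./notes.txt",
    "4\t./\x1b[1;33mhello\x1b[m\x1b[10000000T",
]

if __name__ == "__main__":
    for idx, visible, escapes in flag_lines(SAMPLE):
        print("line %d: %d escape sequence(s): %s" % (idx, len(escapes), visible))
```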