Re: terminal emulators' processing of escape sequences

[Robert Święcki <robert () swiecki net>]

> On a slightly different note; memory corruption/abort() problems might
> end up as RCE with some effort, but what *is* RCE is ability to push
> back characters into terminal's input buffer. There are some
> well-known vectors, like setting title of the current terminal and
> printing it back with ESC codes, and hopefully it's something that is
> mitigated in all modern terminal emulator software packages for many
> years now.
>
> But, it's not something that can be discovered simply by waiting for
> SEGV and similar signals. Hence, I'd like to encourage everyone
> looking for bugs in terminal emulators to add some form of
> instrumentation to their fuzz setups aimed at finding such problems
> too.
>
> A harmless example from rxvt - pushing back the new-line character:
>
> $ echo -ne "\eGQ;"
> ;$ 0
> bash: 0: command not found

For those interested in high-speed terminal emulator fuzzing
(typically 300k-700k inputs/sec on a modern i7-6600K), I prepared a
short step-by-step guide:

https://github.com/google/honggfuzz/tree/master/examples/terminal-emulators

-- 
Robert Święcki