oss-sec mailing list archives
Re: with firefox on X11, any page can pastejack you anytime
From: Turistu <turistu () gmail com>
Date: Fri, 20 Oct 2023 01:44:10 +0300
On Thu, Oct 19, 2023 at 04:53:55PM +0000, Jeremy Stanley wrote:
> On 2023-10-19 17:04:10 +0100 (+0100), Sam Bull wrote:
> [...]
> > Also a problem with shell security. If you paste something with

That's not a problem with "shell security". Paste is just a form of **trusted user input** (just as keyboard input). The bracketed-paste and other features are for convenience, they're not supposed to help against a rogue X11 app (who could just as well simulate keyboard input with the XTest X11 extension instead of complicating itself with setting up selections that the user has to paste).

> > line breaks into bash, it executes them. If you paste the same into
> > fish, it doesn't (it'll display the multi-line input and expect you
> > to hit the enter key to execute it as a command).
>
> That observation may be outdated. At least my bash 5.2.15 on Debian
> does not execute pasted newlines, it treats it as a multi-line
> command and waits for an actual enter keypress

Indeed, as already described in my report. Bracketed-paste is the default in bash on all recent systems.

> (tested inside a few different terminal emulators including vanilla
> xterm, so pretty sure it's not being mitigated at that layer).

It pretty much **is** mitigated at that layer. If xterm itself weren't filtering out the ESC (ascii 0x1b) character in the pasted data, then the bracketed-paste feature of bash or zsh could've been easily bypassed by inserting a "\x1b[201~" escape (= end of pasted data) in the payload. (As already mentioned in the report too).

Anyways, the examples were meant just as ... examples, as like for illustration. I've just chosen them because they were the simplest and cutest. But there are a thousand more ways for an attacker to leverage that hole in Firefox. Many programs (including Firefox itself!) could be easily crashed by garbage data from the clipboard. Attacker-controlled data could find its way into shell scripts via `var=$(xsel)`, etc.
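
The terminal-side filtering discussed in the message above, as an added example that is not part of the original post and is not xterm's or bash's code: it models why dropping ESC from pasted data keeps the whole clipboard content inside the bracketed-paste markers. The function names, the filter policy (keep tab, LF and CR, drop other C0 controls and DEL) and the sample clipboard bytes are assumptions made for illustration.

```python
"""Model of terminal-side paste filtering for bracketed paste."""

PASTE_START = b"\x1b[200~"   # terminal -> application: pasted data begins
PASTE_END = b"\x1b[201~"     # terminal -> application: pasted data ends

# Assumed policy for this sketch: tab, LF and CR are the only controls kept.
ALLOWED_CONTROLS = {0x09, 0x0A, 0x0D}


def sanitize_paste(data: bytes) -> bytes:
    """Drop C0 control bytes (including ESC, 0x1b) and DEL from clipboard data."""
    return bytes(
        b for b in data
        if (b >= 0x20 and b != 0x7F) or b in ALLOWED_CONTROLS
    )


def wrap_paste(data: bytes, filter_controls: bool = True) -> bytes:
    """Bytes the terminal sends to the application when bracketed paste is on."""
    if filter_controls:
        data = sanitize_paste(data)
    return PASTE_START + data + PASTE_END


def split_by_origin(stream: bytes) -> tuple:
    """Model the application side and return (pasted, typed).

    Bytes between the start and end markers count as pasted text;
    all other bytes are handled as if they came from the keyboard.
    """
    pasted, typed = bytearray(), bytearray()
    in_paste = False
    i = 0
    while i < len(stream):
        if not in_paste and stream.startswith(PASTE_START, i):
            in_paste, i = True, i + len(PASTE_START)
        elif in_paste and stream.startswith(PASTE_END, i):
            in_paste, i = False, i + len(PASTE_END)
        else:
            (pasted if in_paste else typed).append(stream[i])
            i += 1
    return bytes(pasted), bytes(typed)


# Constructed sample: clipboard text carrying an embedded end-of-paste marker.
SAMPLE = b"echo one" + PASTE_END + b"echo two\n"
```

With `filter_controls=False`, `split_by_origin` reports the bytes after the embedded marker, newline included, as typed input; with the filter on, the whole sample stays in the pasted part and the typed part is empty.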