Re: character injecting on linux console

["Michael R. Rudel" <mrr () thud pcs k12 mi us>]

[mrr@thud]
[~]-> uname -a
FreeBSD thud.pcs.k12.mi.us 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Jul 27
15:31:11 EDT 2001     mrr () thud pcs k12 mi us:/usr/src/sys/compile/thud
i386
[mrr@thud]
[~]-> perl -e 'print "\x9E\x9bc"'
[mrr@thud]
[~]-> 62;1;2;6;7;8;9c


The shell on the FreeBSD machine is 2.04.0(1). The results are the same no
matter what I change my terminal type to.

Results are the exact same with vt220 on a Linux 2.4.14 using bash 1.4.7.
Ditto for the results being the same when the terminal type is changed.

Results are also the same even if I change shells. However, 'sh' on the
FreeBSD machines appends '^[[?' to the string. tcsh, csh, zsh all return
the same, though.


Michael R. Rudel * mrr () gotclue org * 734.417.4859 * www.gotclue.org
Technician, Pinckney Community Schools * mrr () pcs k12 mi us
Principal Engineer, Michael R. Rudel Consulting * mrr () mrrconsulting net

On Sat, 8 Dec 2001, Doru Petrescu wrote:

> Hi everybody,
>
> One strange thing I found while playing with binary files on my terminal:
> some special sequences are able to inject characters into my terminal
> input buffer as if I typed them on the keyboard.
>
> on my linux (v2.4.5) TEXT console ($TERM=linux), if I execute:
>   perl -e 'print "\x9E\x9bc"'
>
> when the shell returns back to my prompt I will find 2 characters in the
> command line as I typed them!!! the two of them are: "6c"
>
> So, if I press enter, the shell will complain that can't find/execute
> command "6c". Of cource I can just erase them, and everything will by OK.
>
> BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!?
>
> Imagine this: You receive an email, you open it with your favourite text
> mail reader (mail/pine/mutt/etc). the mail contains some unpleasent binary
> garbage that when the mail program output them to the terminal will
> trigger something and will INJECT characters into your terminal
> input buffer, and by doing so INJECTING commands as if YOU typed them
> from the keyboard. this means that someone could take over your terminal
> !!! hijacking your shell prompt !!!
>
>
> However, untill now I was only able to inject series of "6c", and I didn't
> found a way to inject ENTER or something that will trigger the shell to
> execute the command. more researchis needed.
> Also this only work on LINUX text CONSOLE. not on Xterm, or something else.
>
> 1. Can you guys check if this works on your systems as well ?
> just execute this cmd: perl -e 'print "\x9E\x9bc"'
>
> 2. Can someone explain to me what is happening ?
> is this a bug in the kernel code that handles terminal output ? can we
> make it do something else ? (like overwriting memory, etc ...)
>
>
> Best regards,
> ------
> Doru Petrescu
> KappaNet - Senior Software Engineer
> E-mail: pdoru () kappa ro              LINUX - the choice of the GNU generation