Vulnerability Development mailing list archives
Re: character injecting on linux console
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 8 Dec 2001 12:17:41 -0500 (EST)
On Sat, 8 Dec 2001, Doru Petrescu wrote:
One strange thing I found while playing with binary files on my terminal: some special sequences are able to inject characters into my terminal input buffer as if I typed them on the keyboard.
I think this issue popped up several times on BUGTRAQ a few years ago... This is a pretty interesting issue, because e.g. pine used to escape such characters improperly (not sure if this is still any problem, I reported it a while ago).
So, if I press enter, the shell will complain that it can't find/execute the command "6c". Of course I can just erase them, and everything will be OK. BUT, THE IDEA IS: WHY IS THIS HAPPENING ?!?!?
# The System V Release 4 and XPG4 terminfo format defines ten string
# capabilities for use by applications, <u0>...<u9>. In this file, we use
# certain of these capabilities to describe functions which are not covered
# by terminfo. The mapping is as follows:
#
#	u9	terminal enquire string (equiv. to ANSI/ECMA-48 DA)
#	u8	terminal answerback description
#	u7	cursor position request (equiv. to VT100/ANSI/ECMA-48 DSR 6)
#	u6	cursor position report (equiv. to ANSI/ECMA-48 CPR)
#
# The terminal enquire string <u9> should elicit an answerback response
# from the terminal. Common values for <u9> will be ^E (on older ASCII
# terminals) or \E[c (on newer VT100/ANSI/ECMA-48-compatible terminals).
#
# The cursor position request (<u7>) string should elicit a cursor position
# report. A typical value (for VT100 terminals) is \E[6n.
#
# The terminal answerback description (u8) must consist of an expected
# answerback string. The string may contain the following scanf(3)-like
# escapes:
#
#	%c	Accept any character
#	%[...]	Accept any number of characters in the given set
#
# The cursor position report (<u6>) string must contain two scanf(3)-style
# %d format elements. The first of these must correspond to the Y coordinate
# and the second to the %d. If the string contains the sequence %i, it is
# taken as an instruction to decrement each value after reading it (this is
# the inverse sense from the cup string). The typical CPR value is
# \E[%i%d;%dR (on VT100/ANSI/ECMA-48-compatible terminals).
#
# These capabilities are used by tac(1m), the terminfo action checker
# (distributed with ncurses 5.0).
However, until now I was only able to inject a series of "6c", and I didn't find a way to inject ENTER or something that will trigger the shell to execute the command. More research is needed.
Well, documentation can be more helpful ;) Basically, I wouldn't call it a bug in the terminal emulation code - it is a documented feature. On the other hand, many people are not aware of it, so it happens that mail readers etc. do not expand certain sequences properly. I failed to find any program that can be effectively exploited by issuing a very limited set of commands (6c, ;something, etc), but probably if you search carefully enough, you'll find something :>

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
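Added example (editor's code, not part of the original thread): the terminfo comment quoted above names the sequences that make a VT100/ECMA-48 terminal *answer* on its input side: ENQ (^E), the device-attributes request \E[c, and the cursor-position request \E[6n. The reply (for \E[c something like ESC [ ? 6 c, which is where the stray "6c" at the prompt comes from) arrives exactly as if it had been typed. The script below does what a mail reader or pager displaying untrusted data should do: locate those answerback requests and render every control sequence visibly, cat -v style, so nothing reaches the real terminal. The regexes, function names and the sample input are mine; ESC Z (DECID, the old VT100 identify request, answered like DA) and the 8-bit C1 aliases (0x9b for CSI etc.) are added on top of what the quoted comment lists.

```python
"""Detect and neutralise terminal control sequences in untrusted text.

Added example, not code from the original thread. Assumes the ECMA-48
escape grammar and the answerback-eliciting sequences named in the quoted
terminfo comment (ENQ, DA, DSR 6), plus ESC Z and the 8-bit C1 aliases.
"""
import re

# Requests that make a VT100/ECMA-48 terminal reply on its input side.
# The reply (e.g. ESC [ ? 6 c for DA) lands in the tty input buffer as if
# typed, which is how "6c" ends up at the shell prompt in the thread.
ANSWERBACK_REQUESTS = {
    "ENQ":   re.compile(rb"\x05"),                            # ^E, old answerback
    "DA":    re.compile(rb"(?:\x1b\[|\x9b)[?>]?[0-9;]*c"),     # ESC [ c, ESC [ > c ...
    "DECID": re.compile(rb"\x1bZ"),                           # VT100 identify (assumption)
    "DSR":   re.compile(rb"(?:\x1b\[|\x9b)\??[0-9;]*n"),       # ESC [ 6 n, ESC [ 5 n ...
}

# Generic ECMA-48 escape grammar, 7-bit forms plus the 8-bit C1 aliases.
# Alternation order matters: CSI/OSC/DCS are tried before a bare "ESC x".
CONTROL_SEQ = re.compile(
    rb"(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"               # CSI
    rb"|(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"              # OSC
    rb"|(?:\x1b[P^_]|[\x90\x9e\x9f])(?:[^\x1b\x9c]|\x1b(?!\\))*(?:\x1b\\|\x9c)?"  # DCS/PM/APC
    rb"|\x1b[\x20-\x2f]*[\x30-\x7e]"                                      # other ESC x (incl. ESC Z)
    rb"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]"                        # lone C0/DEL/C1, not TAB/LF/CR
)


def caret_escape(seq: bytes) -> bytes:
    """Render control bytes visibly, cat -v style: ESC -> ^[, ^E -> ^E,
    DEL -> ^?, C1 0x80-0x9f -> M-^@..M-^_; every other byte is unchanged."""
    out = bytearray()
    for b in seq:
        if b < 0x20:
            out += b"^" + bytes([b + 0x40])
        elif b == 0x7F:
            out += b"^?"
        elif 0x80 <= b <= 0x9F:
            out += b"M-^" + bytes([b - 0x80 + 0x40])
        else:
            out.append(b)
    return bytes(out)


def sanitize(data: bytes) -> bytes:
    """Return data with every control sequence made visible; TAB, LF and CR
    pass through.  The result contains no byte that a terminal would act on."""
    return CONTROL_SEQ.sub(lambda m: caret_escape(m.group(0)), data)


def find_answerback_requests(data: bytes):
    """List (offset, name) for each sequence that would make the terminal answer."""
    hits = []
    for name, pat in ANSWERBACK_REQUESTS.items():
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a "binary file" of the kind cat'ed in the thread.
SAMPLE = b"hello\x1b[c world \x1b[6n done\x05\n"

if __name__ == "__main__":
    for off, name in find_answerback_requests(SAMPLE):
        print(f"offset {off}: {name} request, terminal would answer")
    print(sanitize(SAMPLE).decode("ascii"), end="")
```

Run it on a suspect file with `python3 sanitize.py < file`-style plumbing of your own; the point is that after `sanitize()` there is nothing left for `find_answerback_requests()` to find, and the output can be written to a terminal safely. Note that unterminated OSC/DCS strings are swallowed up to the end of the data, as a real terminal would do; since the whole match is caret-escaped rather than dropped, no text is lost.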
Current thread:
- character injecting on linux console Doru Petrescu (Dec 08)
- Re: character injecting on linux console Michael R. Rudel (Dec 08)
- Re: character injecting on linux console Michael Greenberg (Dec 08)
- Re: character injecting on linux console Michael R. Rudel (Dec 08)
- Re: character injecting on linux console Doru Petrescu (Dec 08)
- Re: character injecting on linux console Michael Greenberg (Dec 08)
- Re: character injecting on linux console Michal Zalewski (Dec 08)
- Re: character injecting on linux console Robert van der Meulen (Dec 08)
- Re: character injecting on linux console Nelson Brito (Dec 09)
- Re: character injecting on linux console Michal Zalewski (Dec 09)
- Re: character injecting on linux console Valdis . Kletnieks (Dec 10)
- Re: character injecting on linux console Michal Zalewski (Dec 10)
- Re: character injecting on linux console Michael R. Rudel (Dec 08)
- Re: character injecting on linux console Robert van der Meulen (Dec 08)
- Re: character injecting on linux console Valkai Elod (Dec 08)
- RE: character injecting on linux console DFx (Dec 08)
- RE: character injecting on linux console Dom De Vitto (Dec 09)