Vulnerability Development mailing list archives

Re: character injecting on linux console


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 8 Dec 2001 12:17:41 -0500 (EST)

On Sat, 8 Dec 2001, Doru Petrescu wrote:

> One strange thing I found while playing with binary files on my
> terminal: some special sequences are able to inject characters into my
> terminal input buffer as if I typed them on the keyboard.

I think this issue popped up several times on BUGTRAQ a few years ago...
This is a pretty interesting issue, because e.g. pine used to escape such
characters improperly (not sure if this is still any problem, I reported
it a while ago).

> So, if I press enter, the shell will complain that it can't find/execute
> command "6c". Of course I can just erase them, and everything will be
> OK.
>
> BUT, THE IDEA IS: WHY IS THIS HAPPENING?!?!?

# The System V Release 4 and XPG4 terminfo format defines ten string
# capabilities for use by applications, <u0>...<u9>.   In this file, we use
# certain of these capabilities to describe functions which are not covered
# by terminfo.  The mapping is as follows:
#
#       u9      terminal enquire string (equiv. to ANSI/ECMA-48 DA)
#       u8      terminal answerback description
#       u7      cursor position request (equiv. to VT100/ANSI/ECMA-48 DSR 6)
#       u6      cursor position report (equiv. to ANSI/ECMA-48 CPR)
#
# The terminal enquire string <u9> should elicit an answerback response
# from the terminal.  Common values for <u9> will be ^E (on older ASCII
# terminals) or \E[c (on newer VT100/ANSI/ECMA-48-compatible terminals).
# 
# The cursor position request (<u7>) string should elicit a cursor position
# report.  A typical value (for VT100 terminals) is \E[6n.
#
# The terminal answerback description (u8) must consist of an expected
# answerback string.  The string may contain the following scanf(3)-like
# escapes:
#
#       %c      Accept any character
#       %[...]  Accept any number of characters in the given set
#
# The cursor position report (<u6>) string must contain two scanf(3)-style
# %d format elements.  The first of these must correspond to the Y coordinate
# and the second to the %d.  If the string contains the sequence %i, it is
# taken as an instruction to decrement each value after reading it (this is
# the inverse sense from the cup string).  The typical CPR value is
# \E[%i%d;%dR (on VT100/ANSI/ECMA-48-compatible terminals).
#
# These capabilities are used by tac(1m), the terminfo action checker
# (distributed with ncurses 5.0).

> However, until now I was only able to inject series of "6c", and I didn't
> find a way to inject ENTER or something that will trigger the shell to
> execute the command. More research is needed.

Well, documentation can be more helpful ;) Basically, I wouldn't call it a
bug in the terminal emulation code - it is a documented feature. On the
other hand, many people are not aware of it, so it happens that mail
readers etc. do not expand certain sequences properly. I failed to find any
program that can be effectively exploited by issuing a very limited set of
commands (6c, ;something, etc), but probably if you search carefully
enough, you'll find something :>

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
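The defensive side of the feature discussed above, as an added example (not code from the thread or from ncurses): a scanner that flags the terminfo <u9>/<u7> query sequences (ENQ, DA, DSR) in untrusted bytes before they reach a terminal, and a caret-notation renderer of the kind a mail reader or pager should apply so those bytes are displayed rather than interpreted. The sample input and the query table are constructed for this example.

```python
import re

# Sequences that make a VT100/ANSI-class terminal answer back, i.e. push
# characters into the reader's input buffer (constructed table, based on
# the <u9>/<u7> values quoted in the terminfo comments above).
ANSWERBACK_QUERIES = {
    "ENQ": re.compile(r"\x05"),           # u9 on older ASCII terminals
    "DA":  re.compile(r"\x1b\[0?c"),      # u9: ESC [ c  (device attributes)
    "DSR": re.compile(r"\x1b\[6n"),       # u7: ESC [ 6 n (cursor position)
}

def find_answerback_queries(data: bytes):
    """Return sorted (offset, name) pairs for every answerback query in data."""
    text = data.decode("latin-1")  # one byte per char keeps offsets exact
    hits = []
    for name, pattern in ANSWERBACK_QUERIES.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), name))
    return sorted(hits)

def sanitize_for_terminal(data: bytes) -> str:
    """Render untrusted bytes so the terminal only displays them: ESC and the
    other C0 controls (except tab and newline) become caret notation, DEL
    becomes ^?, and bytes >= 0x80 are shown as \\xNN."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):
            out.append(chr(b))
        elif b < 0x20 or b == 0x7F:
            out.append("^" + chr((b + 0x40) & 0x7F))
        elif b >= 0x80:
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

if __name__ == "__main__":
    # Constructed "binary file" fragment carrying all three query types.
    sample = b"hello\x1b[cworld\x1b[6n\x05\n"
    for offset, name in find_answerback_queries(sample):
        print("offset %d: %s query" % (offset, name))
    print(sanitize_for_terminal(sample))
```

Writing the sanitized string to the terminal shows `^[[c` and `^[[6n` literally, so nothing is echoed back into the input buffer.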


