Vulnerability Development mailing list archives
Re: character injecting on linux console
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sun, 9 Dec 2001 21:21:33 -0500 (EST)
On Sun, 9 Dec 2001 Valdis.Kletnieks () vt edu wrote:
I can't *prove* it, but I know the first time I heard of "something fails to filter ANSI/vt100 control chars" was at my previous employer, which means it dates back to at least May 89. /.../ So we've reached the point in computing history where we have younger readers of this list hearing about bugs that were *first* found before the readers were even born.
Well... We are talking about a specific problem with vt100/ansi-compatible terminal emulation on e.g. Linux. This problem does not affect many other implementations, and is rather simple: the \x9b character works the same way as \x1b[, a sequence used, among others, for answerback commands. So, first of all, this is not necessarily the same problem as failure to escape \x1b - this is a new vector of exploiting, and many, many CLI programmers do not realize they should filter it (another problem is that, IIRC, \x9b is used in some valid, non-English codepages, so it is not always fine to simply drop it). And this problem is not exactly the same as, let's say, macro capabilities in some ANSI implementations - an issue known for long years. I think this \x9b issue started to pop up just a few years ago, and is still not handled properly in many cases.

And finally, I believe that the majority of network-based applications still have conditions that allow dumping unescaped data coming from the net to the console, no matter if it is \x1b, \x9b or anything else. Even if applications like ls or ps learned to escape certain characters, we still need to have many programs fixed (Sendmail's mailq, ssh, telnet, nc, many others come to mind). Thus I do not consider stating "this kind of bug is known for two decades" any good - after all, buffer overflows are known for a longer while, but it does not mean they do not happen, we shouldn't bother reporting new ones, or dismiss new cases ;) Furthermore, no one really investigated if 'answerback' codes or other control commands on Linux-alike implementations can be successfully exploited to do any harm, so this discussion is pretty valuable.

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
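A defender-side illustration of the filtering point made in the post, added here as example code (not from the post or from any program it names): it treats ESC [ and the 8-bit 0x9B byte as the same CSI introducer, and addresses the codepage caveat by decoding with the charset the data is actually in before stripping, so a cp437 cent sign (byte 0x9B) or a UTF-8 continuation byte survives while a real CSI does not. The cp437 and UTF-8 cases generalize beyond the 2001 Linux console; the sample strings and encoding names are assumptions.

```python
import re

# Control-sequence grammar (ECMA-48), matched on *text*, i.e. after decoding.
# CSI: ESC '[' (7-bit) or U+009B (8-bit C1), parameters, intermediates, final.
CSI = r'(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]'
# OSC: ESC ']' or U+009D, payload, terminated by BEL or ST (ESC '\' or U+009C).
OSC = r'(?:\x1b\]|\x9d).*?(?:\x07|\x1b\\|\x9c)'
# Other ESC sequences, e.g. ESC c (reset) or ESC ( B (charset select).
ESC = r'\x1b[\x20-\x2f]*[\x30-\x7e]'
# Remaining C0/C1 controls, keeping TAB, LF and CR.
CTRL = r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]'
SEQ = re.compile('|'.join((CSI, OSC, ESC, CTRL)), re.DOTALL)


def find_control_sequences(text: str) -> list[str]:
    """Return every control sequence present, e.g. for logging or alerting."""
    return SEQ.findall(text)


def sanitize(text: str) -> str:
    """Strip 7-bit and 8-bit control sequences from already-decoded text."""
    return SEQ.sub('', text)


def sanitize_bytes(data: bytes, encoding: str = 'utf-8') -> str:
    """Decode with the charset the data really uses, then strip.

    Only bytes that decode to U+009B (a CSI introducer) are removed: in cp437
    byte 0x9B is the cent sign and survives, and in UTF-8 0x9B can only be a
    continuation byte, so multibyte characters stay intact.
    """
    return sanitize(data.decode(encoding, errors='replace'))


def naive_strip_bytes(data: bytes) -> bytes:
    """The tempting byte-level filter, which corrupts any charset where 0x9B
    is legitimate (cp437 text, UTF-8 continuation bytes)."""
    return data.replace(b'\x9b', b'').replace(b'\x1b', b'')


if __name__ == '__main__':
    # Constructed samples: a hostname with an 8-bit DSR (answerback) request,
    # and ordinary text whose encoding happens to contain byte 0x9B.
    print(repr(sanitize_bytes(b'host\x9b6n', 'latin-1')))        # 'host'
    print(find_control_sequences('a\x1b]0;title\x07b\x9b31mc'))
    print(sanitize_bytes(b'price \x9b5', 'cp437'))                # 'price \xa25'
    print(naive_strip_bytes(b'caf\xc3\xa9 \xc9\x9b').decode('utf-8', 'replace'))
```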