Vulnerability Development mailing list archives

Re: terminal weirdness?


From: Curt Wilson <netw3 () NETW3 COM>
Date: Fri, 9 Mar 2001 00:22:29 -0600

I recall a while back there was an ADM tool, a local exploit, that
used escape sequences to create dangerous command lines that got passed into
your shell -  for instance adding passwords, + + to .rhosts, and the like that
would execute with the security privs of the current user.

I forget the exact mechanism but it seems similar to what is being
discussed here with the VT102 string appearing in reply to the terminal type
query, and the answer being delivered to the local shell since the remote
connection had closed.

Perhaps this is an old tool I am thinking of that no longer works,
but I was wondering if anyone has used this technique in their pen tests?

Curt


The server at port 1080 didn't just close the connection; it sent a few
bytes first.  These happened to be a VT102 control code, asking the VT102
to report its type.  The terminal dutifully put "VT102" on stdin as if
typed, so that it would go to the program reading stdin.  However, the
telnet connection was closed by then, and the string went to your shell.

I don't think it's exploitable, but I'm not sure what codes can be sent
by a terminal.  It would be an interesting exploit for sure.

Ciao.                                                            Vincent.



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |
|            netw3 () netw3 com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
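
Added example, not part of the original post or the tool it mentions: a defensive stream filter that removes report-requesting control sequences from untrusted network output before it reaches the terminal, so the terminal never places a reply on stdin. The class name `QueryFilter` and the choice of sequences (ENQ, DECID, Device Attributes, Device Status Report) are assumptions of this sketch, and the list is not exhaustive.

```python
import re

# Standard VT100-family requests that make the terminal answer on its own
# input as if typed (assumed selection, 7-bit forms only, not exhaustive):
#   ENQ (0x05)          answerback
#   ESC Z               DECID, identify terminal
#   ESC [ [>=] Ps c     Device Attributes
#   ESC [ [?] Ps n      Device Status Report
QUERY = re.compile(rb"\x05|\x1bZ|\x1b\[(?:[>=]?[0-9;]*c|\??[0-9;]*n)")

# An escape sequence cut off at the end of a read: ESC, ESC [, ESC [ params.
PARTIAL = re.compile(rb"\x1b(?:\[[>=?]?[0-9;]*)?\Z")


class QueryFilter:
    """Strip report requests from a byte stream delivered in arbitrary chunks."""

    def __init__(self):
        self._pending = b""   # held-back tail that may be half a sequence
        self.removed = []     # what was stripped, for logging or alerting

    def feed(self, chunk: bytes) -> bytes:
        data = self._pending + chunk
        m = PARTIAL.search(data)
        if m:
            # Cannot classify the tail yet; keep it until more bytes arrive.
            self._pending, data = data[m.start():], data[:m.start()]
        else:
            self._pending = b""
        self.removed += [q.group(0) for q in QUERY.finditer(data)]
        return QUERY.sub(b"", data)

    def close(self) -> bytes:
        """At EOF an unfinished sequence is inert, so pass it through."""
        rest, self._pending = self._pending, b""
        return rest


if __name__ == "__main__":
    # Constructed sample: a server sends a type query split across two reads
    # just before closing, as in the thread.
    f = QueryFilter()
    shown = f.feed(b"Connection closed.\r\n\x1b[") + f.feed(b"c") + f.close()
    print(shown, f.removed)
```

Ordinary formatting sequences such as colours pass through unchanged; only sequences that would trigger a terminal reply are dropped and recorded in `removed`.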

