Vulnerability Development mailing list archives
Re: terminal weirdness?
From: Curt Wilson <netw3 () NETW3 COM>
Date: Fri, 9 Mar 2001 00:22:29 -0600
I recall a while back there was an ADM tool, a local exploit, that used escape sequences to create dangerous command lines that got passed into your shell - for instance adding passwords, + + to .rhosts, and the like that would execute with the security privs of the current user. I forget the exact mechanism but it seems similar to what is being discussed here with the VT102 string appearing in reply to the terminal type query, and the answer being delivered to the local shell since the remote connection had closed. Perhaps this is an old tool I am thinking of that no longer works, but I was wondering if anyone has used this technique in their pen tests?

Curt
The server at port 1080 didn't just close the connection; it sent a few bytes first. These happened to be a VT102 control code, asking the VT102 to report its type. The terminal dutifully put "VT102" on stdin as if typed, so that it would go to the program reading stdin. However, the telnet connection was closed by then, and the string went to your shell. I don't think it's exploitable, but I'm not sure what codes can be sent by a terminal. It would be an interesting exploit for sure. Ciao. Vincent.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3 () netw3 com 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
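The behaviour described in the quoted reply, seen from the receiving side, as an added example that is not part of the original thread: a Python filter that finds the sequences in untrusted output which make a VT100-family terminal type a reply onto stdin, and renders them inert before display. The sample bytes are constructed, the function names are hypothetical, and the thread does not say which query the server sent.

```python
import re

# Control functions that make a VT100-family terminal send a reply,
# which arrives on stdin as if typed. 7-bit forms only: the 8-bit CSI
# byte (0x9b) is not handled because it collides with UTF-8 text.
QUERIES = [
    (b"ENQ", rb"\x05"),              # answerback request
    (b"DECID", rb"\x1bZ"),           # identify terminal
    (b"DA", rb"\x1b\[>?0?c"),        # device attributes (primary/secondary)
    (b"DSR", rb"\x1b\[[56]n"),       # status / cursor position report
]

_COMBINED = re.compile(
    b"|".join(b"(?P<%s>%s)" % (name, pat) for name, pat in QUERIES)
)


def find_queries(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, name) for every reply-eliciting sequence in data."""
    return [(m.start(), m.lastgroup) for m in _COMBINED.finditer(data)]


def neutralize(data: bytes) -> bytes:
    """Replace each query with a printable marker so the terminal never
    sees the control bytes; all other output, including colours, is kept."""
    return _COMBINED.sub(lambda m: b"<" + m.lastgroup.encode() + b">", data)


# Constructed sample: a banner followed by four different queries.
SAMPLE = b"Connected.\r\n\x1b[c\x1bZ\x05bye\x1b[6n\r\n"

if __name__ == "__main__":
    for offset, name in find_queries(SAMPLE):
        print(f"offset {offset}: {name} query")
    print(neutralize(SAMPLE).decode("ascii"))
```

Piping untrusted output through a filter like this (or through a pager that shows control bytes visibly) keeps the terminal's reply from reaching whatever reads stdin after the connection closes.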