Slashdot Mirror

← Back to Stories (view on slashdot.org)

Getting Hacked Through Your Terminal

Posted by timothy on from the nothing-new-under-the-sun dept.

hdm writes "My company recently published a paper on security issues with common terminal emulator applications. The interesting thing about these vulnerabiltiies is that many of them only require the victim to be running tail on their log files (apache, syslog, etc) for the attack to be successful. The paper (TXT) can be found here."

2 of 204 comments (clear)

  1. CORRECTION to terminal emulators not susceptible by chongo · · Score: 5, Informative
    Sorry .. I made a BAD cut and paste on my original posting! SORRY!!!

    The following terminal emulators were found, according to the article, to NOT be susceptible to screen dump or window title attacks:

    • aterm: 0.42
    • konsole: 3.1.0 rc5
    • gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
    • SecureCRT: 3.4.6
    • aterm: 0.42

    Some asked about my Perl filter for tailing log files.

    Sans typos, here is an example that removes certain types of messages and fields, checks the file every 60 seconds, picks up trailing on the new file when the log file gets rotated (moved away), trims to 224 characters and replaces unusual chars with ~'s (assuming you use ASCII).

    /usr/bin/tail --retry --follow=name --max-unchanged-stats=60 /var/www/logs/access_log |
    /usr/bin/perl -ne '
    $line = $_;
    chomp $line;
    next if $line =~ m{... some regexp you want to ignore ...};
    next if $line =~ m{... etc ...};
    $line =~ s/... some field you want to ignore ...//;
    $line =~ s/... some common phrase you want to ignore ...//;
    $line =~ s/^(.{1,224}).*$/$1/;
    $line =~ s/\t / /g;
    $line =~ s/[^ -~]/~/g;
    print "$line\n";'

    As they say in perl, there is more than one way to do it. The above code fragment is just to give you the general idea.

    --
    chongo (was here) /\oo/\
  2. Tailing logs... by Urchlay · · Score: 5, Informative

    The paper mentions injecting escape sequences into log files which are being tail -f'ed... and that there's nothing new about terminal exploits.

    When I first heard about this (a couple of years back) I started using less +F for tailing logs. less will convert the escape character into the token ESC (in bold or inverse video), avoiding any escape-sequence exploits.. and also adds the benefits of being able to scroll back and search, which would make it worth using even if there were no such thing as a terminal exploit.

    If you're going to leave it running for a long time, you might want to also look into the -b and -B options, to limit the amount of buffer space it will allocate: something like `less -b1024 -B +F /var/log/apache/common.log' would limit less to 1024K (1M) of buffer, which means old data will eventually be discarded, but keeps less from malloc'ing all your core. As always, Read The Fine Manual for details :)

    I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

    Hope this helps someone...