Slashdot Mirror

← Back to Stories (view on slashdot.org)

Getting Hacked Through Your Terminal

Posted by timothy on from the nothing-new-under-the-sun dept.

hdm writes "My company recently published a paper on security issues with common terminal emulator applications. The interesting thing about these vulnerabiltiies is that many of them only require the victim to be running tail on their log files (apache, syslog, etc) for the attack to be successful. The paper (TXT) can be found here."

118 of 204 comments (clear)

  1. Most exploits by $$$exy+Gwen+Stefani · · Score: 1, Interesting

    Most exploits that existed over 5 yrs ago are still valid.

    For instance, you can recover a root password in just 10-15 minutes on ANY machine.

    --

    31 people regularly point & click my G-spot
    1. Re:Most exploits by Anonymous Coward · · Score: 2, Insightful
      But exploits that require physical access to the machine don't really mean much to anyone truly interested in security.

      ~~~

    2. Re:Most exploits by kasperd · · Score: 3, Insightful

      For instance, you can recover a root password in just 10-15 minutes on ANY machine.

      You shouldn't make such claims without any evidence.

      --

      Do you care about the security of your wireless mouse?
    3. Re:Most exploits by kesuki · · Score: 1

      If you have physical access to a machine then yes, root password recovery takes 10-15 minutes. I seriously doubt it takes that little time to do it remotely, however.

      --
      https://www.gnu.org/philosophy/free-sw.html
    4. Re:Most exploits by 42forty-two42 · · Score: 3, Informative
      Here's how to do it on linux:
      • Reboot the computer, somehow.
      • Append 'init=/bin/sh' to the kernel command line at boot, then resume the boot. You will be dropped to a root shell.
      • mount -t proc proc /proc
      • mount -o remount,rw -t (root fs type) (root fs device) /
      • passwd
      • Enter the new password
      • mount -o remount,ro -t (root fs type) (root fs device) /
      • umount /proc
      • exec /sbin/init
      • The system will resume its boot. The root password will have been changed.
    5. Re:Most exploits by FyRE666 · · Score: 1

      As far as I'm aware you can't recover the root password in any reasonable timespan (unless it's badly chosen, or you have a few Earth Simulators handy). You can however change it in a couple of minutes if you have physical access to the machine (reboot to single user, mount fs, passwd). Hardly stealthy though...

      --
      Code, Hardware, stuff like that.
    6. Re:Most exploits by H3lm3t · · Score: 1

      Append 'init=/bin/sh' to the kernel command line at boot, then resume the boot. You will be dropped to a root shell.

      Strange, I've always been told that one should put something in /etc/lilo.conf to prevent that ;)

      password=foobar

    7. Re:Most exploits by dotgain · · Score: 1
      Whoo gee, didn't know that!

      To think I've thrown out four linux servers and a Sun E450 because I'd forgotten the root passwd on all of them, and thought I'd never be able to get in!!

      Some exploit! It's been in the HOWTO's since year dot, yet still nobody has fixed this "vulnerability".

    8. Re:Most exploits by kasperd · · Score: 2, Interesting
      If you have physical access to a machine then yes, root password recovery takes 10-15 minutes.

      There are lots of things you can easilly do with physical access to the computer, but finding the root password is not one of them. Unless something has been done to prevent it, I can bypass the root password in less than five minutes. Either pass an init argument to the kernel or boot from external media. Once the root password has been bypassed it can easilly be changed if I would want to.

      Preventing boot from external media and boot arguments will slow down the process, and of course BIOS and bootloader must be password protected. But I can get a long way with a screwdriver unless the harddisk has been encrypted.

      In case you want to prove your claim, please tell me what my root password is. Here is the line from my /etc/shadow file:
      root:$1$3pzDB2kQ$5ZUFiFyOXsLUQ1/Ad9G7y1:12103:0:99 999:7:::
      --

      Do you care about the security of your wireless mouse?
    9. Re:Most exploits by kasperd · · Score: 1

      mount -o remount,rw -t (root fs type) (root fs device) /

      Why make it so complicated? I'd just have typed: mount -o remount,rw /. And I don't think you need /proc to change the root password.

      --

      Do you care about the security of your wireless mouse?
    10. Re:Most exploits by Anonymous Coward · · Score: 1, Funny

      BOSCO!

    11. Re:Most exploits by plugger · · Score: 1

      Not quite that easy, at least on Debian:

      Type root password for single-user access, or press CTRL-D for normal startup.

      That isn't an exact quote, but the gist is correct. A CMOS reset and boot media would defeat this, though.

    12. Re:Most exploits by kesuki · · Score: 1

      Well, when I said password recovery, what I meant is what I did the last time I forgot my root password on my laptop. I went in with a boot floppy and copy/pasted the admin password (which I still knew) over the root password. This is what normal people asssociate with password recovery, since only an insecure system (like IRC services) will tell you the 'old' password.
      That being said, there Are tools that take an /etc/shadow file and spew out the password, they take a lot longer than 15 minutes to do so though.
      I will tell you why that password can be broken. The key used to crypt the password is itself. There is a limit to the types of characters, and the number that can be used in a unix password. a bruteforce decryptor can be built that will try every possible combination, starting with the most likely root passwords, and essentially it's just a matter of waiting for the program to find the only string that decrypts the encrypted string to itself.
      I don't have the patience nor the desire to run your shadow entry through a brute force decryptor... but the reason the shadow file exists is because on shell machines there are people with the patience and the desire to run those shadow entries through a brute force decryptor. Even if it takes them a week to get the password because the system had a relatively secure password.

      --
      https://www.gnu.org/philosophy/free-sw.html
    13. Re:Most exploits by joto · · Score: 2, Insightful
      Well, uhmm...

      This is a nice touch, but remember that it's only security by obscurity. If you have physical access to the machine, you can just as well boot from a floppy, or remove the harddisk and put it into some other computer booting from another disk.

      Not that it isn't useful, though. Most sysadmins do give their users physical access to their desktop (or laptop) computers. But then the users are, at least to some degree, trusted...

    14. Re:Most exploits by dwayrynen · · Score: 1

      even easier just append append rw to the end of the init=/bin/init command...

      Darin

    15. Re:Most exploits by kasperd · · Score: 1

      copy/pasted the admin password over the root password.
      I don't know what system you are talking about, but my system surely doesn't have any kind of admin password, only a root password here.

      This is what normal people asssociate with password recovery
      Oh yeah? I don't see a logical reason why anybody would think password recovery would mean anything else than finding out what the password is.

      There is a limit to the types of characters, and the number that can be used in a unix password.
      Sure with systems still using DES based passwords there might be an issue. But with MD5 based passwords, this is not really a problem.

      most likely root passwords
      I take 16 chars from /dev/urandom, what password is the most likely then?

      --

      Do you care about the security of your wireless mouse?
    16. Re:Most exploits by jo42 · · Score: 1

      "bEnDoVeRtAkEiTlIkEaMaN!"

    17. Re:Most exploits by kasperd · · Score: 1

      "bEnDoVeRtAkEiTlIkEaMaN!"

      That is not my password.

      --

      Do you care about the security of your wireless mouse?
    18. Re:Most exploits by kesuki · · Score: 1

      As a security measure only privaledged users are allowed to su to root. I always set up a system with an admin account that has the privaledge to su to root.

      I don't see a single reason to logically define 'password recovery' as something so narrow as 'revealing the old password.' Afterall, replacing the old password with a new password is 'recovery' just as much as telling you what the old password was. Since you've still 'recovered' access to the account.

      Haven't you even seen the movie hackers? The one thing they got right in that movie was the top three most commonly used passwords. I was merely pointing out that idealy a bute force decryptor would check those unsecure passwords first.

      --
      https://www.gnu.org/philosophy/free-sw.html
    19. Re:Most exploits by kasperd · · Score: 1

      Haven't you even seen the movie hackers?

      Yes.

      The one thing they got right in that movie was the top three most commonly used passwords.

      They didn't get much right. And I'm not so sure about that part with the passwords. Personally I'd never use such insecure passwords.

      --

      Do you care about the security of your wireless mouse?
    20. Re:Most exploits by kesuki · · Score: 1

      Personally I'd never use such insecure passwords.
      you, me and the rest of slashdot, but what about your boss? (you know, the one who thinks Linux is some kid who plays the piano and is in love with lucy)
      You might as well use a list of baby names for the average joe six-packs passwords, because they make them something they can't forget, like their kids name.
      Most commonly used password. Secure passwords aren't common, by definition. Remember who 'god' (user) was? it was the chick that worked at that place. It wasn't the sysadmin, it was someone high up in the compnay who was braindead about security issues. Now, If they didn't get that part right I don't know what part of the movie they could have gotten right.

      --
      https://www.gnu.org/philosophy/free-sw.html
    21. Re:Most exploits by kasperd · · Score: 1

      If I knew the Exact time your system last booted, and the Exact time you generated the password

      You are wrong. The kernel uses a 4096bit seed, and it combines random input from different sources including the timing of keyboard and mouse input. And the seed is saved at system shutdown and restored during boot. In total this means you need to know the exact keypresses and mouse movements I made in the two years passing from when I installed the system and until I generated the password. My password is truly random.

      --

      Do you care about the security of your wireless mouse?
  2. strings by siliconshock.com · · Score: 3, Informative

    just pipe your stuff through strings. it should help a bit

    1. Re:strings by irving47 · · Score: 1

      Nah. Someone will release a hack where you point a laser at it and decode the data passing through by the light bouncing off the string. Like getting the data through the LED's on a modem bank or switch

      --
      I had a sucky sig.
    2. Re:strings by siliconshock.com · · Score: 1

      eh no... the strings command.

  3. A simple solution by Giant+Ape+Skeleton · · Score: 4, Funny

    Given the profliferation of exploits related to race conditions, predictible file creation, etc,
    we should henceforth re-tool our code to only make use of stateless protocols!
    ;-)

    --
    The difference between stupidity and genius is that genius has its limits.
    1. Re:A simple solution by Anonymous Coward · · Score: 1, Funny

      You mean like HTTP?
      No-one was ever attacked through port 80.

    2. Re:A simple solution by WNight · · Score: 1

      I know this is a joke, but it's really worth thinking about for a second.

      In a true stateless protocol people need to send a request that ammounts to "send me /etc/passwd" or "echo foo > /etc/...". You're unlikely to honor this and some simple checks can make sure you don't write to the wrong place.

      Many bugs are in the user-identification and verification routines. Web sites let you do, if you've got the right cookie, nasty things that they shouldn't let you do. Not only does your initial verification need to be secure, but your storing of cookie data in such a way as to let the user back on, with access, needs to be fairly secure. Providing state introduces many bugs you otherwise wouldn't have.

      Now, this isn't to say that everything should be stateless, but that you should think about how much time you save by letting people not enter their password at every use, versus the potential risks. Especially if you're coding the security sections yourself. Trusting .htaccess is pretty easy, Apache gets a lot of testing. Trusting your perl CGI script you coded the night before...

  4. Not all terminal emulators were susceptible by chongo · · Score: 2, Informative
    For those who might be concerned (and in case the paper is /.-ed), the tested and found that the following terminal emulators were NOT susceptible to screen dump or window title attacks:

    • xterm xf86 4.2.0 (patch 165)
    • aterm 0.42
    • rxvt 2.7.8
    • Eterm 0.9.1
    • konsole 3.1.0 rc5
    • putty 0.53
    • SecureCRT 3.4.6
    • gnome-terminal 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
    • hanterm-xf 2.0

    I always pre-filter my logs thru a Perl script. Besides removing verbose messages that are not useful, my filters replace such non-printable characters with a printable character. Not only does it make it easier to spot strange octets on the screen, it does not depend on the terminal emulator remaining secure.

    --
    chongo (was here) /\oo/\
    1. Re:Not all terminal emulators were susceptible by Kludge · · Score: 1

      What about my DEC VT240?

    2. Re:Not all terminal emulators were susceptible by CableModemSniper · · Score: 1

      This smells like a troll. The article said Eterm 0.9.1 and hanterm both were vurnerable iirc. It also said Eterm 0.9.2 had improved in the area, but that it should be given an award for being the most vulernerable. I'm kinda scared to use Eterm now.

      --
      Why not fork?
    3. Re:Not all terminal emulators were susceptible by ibennetch · · Score: 1

      odd, it works for me in 0.53b

    4. Re:Not all terminal emulators were susceptible by Moses+Lawn · · Score: 2, Informative
      Funny, I just did that and it worked fine (putty 0.52). Didja type it right?


      The article did mention that Putty was not really susceptible to screen dump attacks, because



      Although putty would place the title onto the command-line, we were not able to find a method of hiding the command, since neither the "invisible" character attribute nor the foreground color could be set. Putty has a relatively low limit to the number of characters that can be placed into the window title, so it is not possible to simply flood the screen with garbage and hope the command rolls past the current view.


      This doesn't mean putty is "secure", but it's not as insecure as some others. The baddies seem to be eterm and rxvt. There's a nice description of a compromise scenario via eterm at the bottom of the article.

      --

      What if life is just a side effect of some other process and God has no idea we exist?

    5. Re:Not all terminal emulators were susceptible by Moses+Lawn · · Score: 1

      You might need to set TERM to 'xterm'. I'm on w2k, btw, but I doubt it matters.

      Putty is very cool, but I wish it's scrollback features were more -- robust.

      --

      What if life is just a side effect of some other process and God has no idea we exist?

    6. Re:Not all terminal emulators were susceptible by KainX · · Score: 1

      If you'll read the follow-up conversation on BUGTRAQ (link posted above), you'll note that Eterm 0.9.2 is NOT vulnerable to the screen dump problem. I was also unable to create a scenario where the title bug could be exploited in such a way as to hide the command line that was imbedded in there, so the user would have to blindly hit Enter with a complete command line for the exploit sitting there. Only a severely ignorant user would do that.

      You should also read about *why* Mr. Moore gave Eterm the "most vulnerable" award. The only reason he gave which hasn't been fixed for almost 2 years now was the quality and thoroughness of my documentation. :-)

      --
      Michael Jennings | HPC Systems Engineer, Lawrence Berkeley National Lab | Author, Eterm (eterm.org)
    7. Re:Not all terminal emulators were susceptible by maquaro · · Score: 1

      Yeah what about my DEC VT320.... :)

      --
      What I am I once was. What I now become I long to be. Life is a journey not a destination.
    8. Re:Not all terminal emulators were susceptible by KainX · · Score: 3, Informative

      The baddies seem to be eterm and rxvt. There's a nice description of a compromise scenario via eterm at the bottom of the article.

      Please note that the "case study" provided was contrived at best and damagingly inaccurate at worst. No official release of Eterm EVER could be used in the way they describe. Only people following CVS Eterm would ever have been open to such an attack, and those people would have updated to a fixed version almost 2 years ago.

      The case study is intended to illustrate a "Worst Case Scenario" type situation, not be any sort of realistic portrayal of actual events.

      --
      Michael Jennings | HPC Systems Engineer, Lawrence Berkeley National Lab | Author, Eterm (eterm.org)
    9. Re:Not all terminal emulators were susceptible by CableModemSniper · · Score: 1

      oops. It figures, I post something derogatory about Eterm (which i love btw, thanks) and end up getting chewed out by the author. I wonder if this will get me bragging rights somewhere? :)

      --
      Why not fork?
    10. Re:Not all terminal emulators were susceptible by KainX · · Score: 1

      Didn't intend to chew anyone out; I apologize if it seemed that way. I just don't want people to be afraid to run Eterm because of the somewhat-outdated information (which Mr. Moore himself acknowledged) in the report. Just trying to make sure that the information out there is complete and accurate, that's all. :-)

      --
      Michael Jennings | HPC Systems Engineer, Lawrence Berkeley National Lab | Author, Eterm (eterm.org)
    11. Re:Not all terminal emulators were susceptible by AstroJetson · · Score: 1

      That's good to know. Yours is the best terminal emulator I've tried. I would hate life if I had to use anything but Eterm.

      --
      Admit nothing, deny everything and make counter-accusations.
    12. Re:Not all terminal emulators were susceptible by 42forty-two42 · · Score: 1

      I'm using konsole 1.2 in kde 3.1, is that affected?

    13. Re:Not all terminal emulators were susceptible by jaltman · · Score: 1

      Kermit 95 from Columbia University is not vulnerable either.

    14. Re:Not all terminal emulators were susceptible by CableModemSniper · · Score: 1

      No, I was kinda exaggerating. Frankly I thought it was kind of cool, in my adolecscent way. Kind of like "Dude! The guy who wrote Eterm, was all like 'your wrong!' on slashdot to me!". Heh. Don't mind me, I might just be nuts.

      --
      Why not fork?
    15. Re:Not all terminal emulators were susceptible by muletool · · Score: 1

      Is that a terminal and not an emulator

      --
      Can I bum you a .sig?
  5. "Fictitious Case Study" by Jack+Porter · · Score: 1

    OK, so the exploit descriptions seem real and interesting enough, but what was the point of such an over-the-top
    "Fictitious Case Study"?

    Reading that drivel about Andre and his l33t hax0r buddies totally removed the credibility the rest of the article had achieved!

    1. Re:"Fictitious Case Study" by drinkypoo · · Score: 2, Interesting

      The idea is probably to give a scenario so those weak on imagination have something to use to show their boss to explain why they should spend time on this issue.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:"Fictitious Case Study" by deek · · Score: 1

      Actually, I found the fictitious case study good because it highlights a practical scenario in which the escape codes were used to hack into another machine. It was relatively believable, except possibly for the convenient set of circumstances in which the hacker discovered information on remote computers.

      I definitely thought it was a good addition to the report, though.

      dave

  6. Re:TXT? by chrisseaton · · Score: 1

    People would know what I mean't if I wrote in l33t, but it would be a stupid thing to do.

  7. Re:TXT? by thebatlab · · Score: 1

    So if it was in HTML the link should have been "the paper (HyperText Markup Language)..."?

    Come on, is it that big of a deal really?

  8. Re:In case of slashdotting... by Hanji · · Score: 1, Insightful

    It's a text file on what appears to be a decent server, not some Joe Q. User's geocities account, discussing a topic of relatively low interest to most people.

    In other words, it's not going to get slashdotted, so stop karma whoring.

    --
    A Minesweeper clone that doesn't suck
  9. Reinventing by Sarcazmo · · Score: 5, Funny

    So they discovered ANSI bombs over again.

    Simple! Just tell Linux not to load ANSI.SYS, problem solved!

    1. Re:Reinventing by xchino · · Score: 2, Funny

      Those were fun... remapping all keys to delete fun files, and then mapping the backspace key as enter :)

      Worked quite often...

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
    2. Re:Reinventing by thogard · · Score: 1

      Yep, the new security guys love to refind whats already out there. In this case, most likly out there in google groups' archive.

      One thing they forgot about was the enter key mapping which can be loads of fun as well as the function key mapping. Most of the v100ish things will allow you to reprogram the enter key to any 4 character sequence (4 nulls is fun) but many of the people who copied the spec, didn't bother with the 4 character limit.

  10. Talk is cheap. by FreeLinux · · Score: 2, Funny

    Another day, another vulnerability. These exploits are getting more bizzare and more useless every day. The risk factor here is ridiculously low.

    I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

    Now, when someone gets an exploit to replace the Slashdot ads with Goatse, then I'll be impressed.

    1. Re:Talk is cheap. by kasperd · · Score: 1

      If you really want my window title

      You got it all wrong. Nobody wants to know what your window title is. However somebody wants to decide what your window title is going to become, and later they are going to have your shell execute that as if it were a command.

      --

      Do you care about the security of your wireless mouse?
    2. Re:Talk is cheap. by dhammabum · · Score: 1

      This is hardly useless or risk-free. It would be quite easy to create a worm to pump arbitrary escape/binary code into syslogs and apache error logs around the world.

      If you had read the article the author gave quite a convincing hack sequence.

      --
      I am not a robot. I am a unicorn.
    3. Re:Talk is cheap. by bumby · · Score: 1

      >I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

      Aha, he's running Konqueror, hence kde *searches for kde-exploits on scriptkiddieheaven.com*

      Mohahaha *rubbing his hands with a evil grin on his lips*

      --
      Hey! That's my sig you're smoking there!
    4. Re:Talk is cheap. by KainX · · Score: 1

      Convincing, perhaps, but also misleading. Please see my comments here: http://slashdot.org/comments.pl?sid=55578&cid=5415 971

      --
      Michael Jennings | HPC Systems Engineer, Lawrence Berkeley National Lab | Author, Eterm (eterm.org)
    5. Re:Talk is cheap. by dotgain · · Score: 1
      Ah, matey I think, for your own good you should RTFA. After you do, you'll be enlightened and may even realise your system is vulnerable! Anyway, for a sneak peek, the exercise is not finding out your window title, quite the opposite. It's about exploiting your terminal to change the title, then use another exploit to copy the title to your command buffer. What I'm doing here might be called Karma whoring, so I'll leave the rest to your imagination and again encourage you to read up.

      Oh, and I don't believe this has been said today yet: All your 25th line are belong to us!

  11. Fuzzy memory by maelstrom · · Score: 3, Interesting
    Been a long time, but I seem to recall that many popular bulletin board systems used special ANSI characters as control codes in the menus and such. The purpose was to allow the sysop the ability to dynamically add the current date, or who was online, etc. Basically server side includes for the BBS.


    However, certan software would allow an attacker to insert these control codes anywhere, and not just interpret them from the menus.


    Imagine the hilarity that insues once the attacker figures out the embed sequence for the drop to DOS feature. :)

    --
    The more you know, the less you understand.
    1. Re:Fuzzy memory by zztzed · · Score: 2, Informative

      Wow, your memory really is fuzzy... either that or you used incredibly badly-written BBS software.

      No BBS program I ever used (most of my experience is with TriBBS and RemoteAccess, but I also dabbled with Renegade and various Renegade-alikes) would parse the dynamic-content codes outside of files that would actually be displayed by the BBS. My memory's a bit fuzzy as well, so there might have been a few exceptions that I don't explicitly recall, such as allowing users with high enough access levels (e.g., sysops) to use them in messages, or allowing them in certain message bases, but under normal circumstances no one but the sysop would be allowed to use them and even then only in very limited circumstances.

      Similarly, no BBS program I ever used had a "drop to DOS" sequence that could be embedded in a display file. Of course there was a menu command that would do it, but a) menus and the ANSI files displayed when users accessed them were always separate and b) the drop to DOS command would have to be explicitly defined in whatever menu for anyone to actually use it, and only insane sysops would allow a regular user access to it.

    2. Re:Fuzzy memory by maelstrom · · Score: 2, Informative
      Could be, most of my experience as a Sysop was with RemoteAccess 2.02, Frontdoor 2.12, and various Renegade and WWIV boards.

      And yes, it would be incredibly poor programming practice to have a code path that would allow a user to exploit this. But, consider that many boards had some kind of dynamic headers which would display on top of the regular menus or message boards.

      So it could have been possible such that a user could embed a sequence in a forum message and then upon display the stupid software loads the header from disk, appends the part it has to display and then parses it for command sequences and finally displays it.

      Perhaps I'm only remembering somone claiming this was possible, I never tried to exploit any BBS, I was on the other side trying to keep myself up to date so these things couldn't happen to me. Either way, it was a blast being a Sysop and its good to see I'm not the only one on Slashdot that got a start there :)

      --
      The more you know, the less you understand.
  12. This isn't a big problem. by Dthoma · · Score: 3, Funny

    Someone has to be using a terminal for someone to be able to do this to them. Is it just me, or is the solution really obvious? Just chmod every thing with a command line to 000! That should keep those naughty, naughty crackers out!

    --

    Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

  13. Mac OSX by fafaforza · · Score: 2, Interesting

    Apparently the OSX terminal might be susceptible to this. It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

    It would be interesting to see whether actual commands can be executed if tailing /var/log/messages, but I won't be the one to find out as my PowerBook is in the shop...

    1. Re:Mac OSX by scrod · · Score: 3, Interesting

      The OS X Terminal doesn't seem to be vulnerable. I just tried it.

    2. Re:Mac OSX by Waffle+Iron · · Score: 4, Funny
      It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

      The bad news: Evil black hat hackers can use remote exploits to move the OSX terminal around the screen.

      The good news: With the velvet smooth animated motion, harmonizing colors, translucent effects and drop shadows, being 0wned has never looked better!

  14. BBS ANSI Bombs by Leeji · · Score: 5, Interesting

    Back in the day, "Ansi Bombs" were considered an art form. With the art scene so active, you could usually embed some evil escape string in a good looking graphic and know that you were going to get people.

    The problem was DOS' overly-powerful ANSI.SYS interpreter. It let you remap any key to an arbitrary set of keys, making keyboard macros pretty easy. However, it also let evildoers remap "Space" to, for example, "del *.*, enter, y, enter." Luckily, there were third party ANSI interpreters that didn't suffer this vulnerability.

    One time, when I was about to reformat my HD, I even wrote an ANSI bomb to do it. Crazy stuff. There's an interesting (and of course, old) paper about it here.

    --
    It all goes downhill from first post ...
    1. Re:BBS ANSI Bombs by rjamestaylor · · Score: 2, Informative

      Speaking of the BBS days, when using my Mac Classic and the terminal software of the day (the name of which I forget) whenever the string
      NO CARRIER+++ was displayed beginning in position 0 (left to right) the modem connection dropped. I made the mistake of sharing this newfound knowledge with my friends who proceeded to disconnect me at every possible opportunity. Of course, today I could have them arrested under the anti-terrorism laws for their purposeful denial of service attack. Hmmm...is the law retroactive??

      --
      -- @rjamestaylor on Ello
    2. Re:BBS ANSI Bombs by MikeFM · · Score: 1

      I remember users of my BBS and MUD's that'd do that to each other. None of the term programs I used was ever affected but it was pretty sloppy coding not to think of people doing that. On the other hand you rarely see much done with term programs these days. Back then you'd frequently create fairly impressive interactive programs. It's just not something you see much any more. My favorite was when RIPTerm came out. I actually had some RIPTerm-based websites that'd only work if you were using a text-based web browser (like Lynx) and the RIPTerm client. Was sort of fun and predated Flash by quite some time. :)

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  15. PuTTy by Dark+Lord+Seth · · Score: 4, Informative
    seth@Discordia:~$ echo -e "\e]2;;echo This is to see how queer putty is\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
    Press Enter>;
    seth@Discordia:~$ l;echo This is to see how queer putty is

    I dare to say that putty IS vulnerable. This is what happens when I run a similiar command. Sure, it still expects an enter and anyone who takes his time to read stuff on his/her screen before blatantly hitting enter will notice the command. This was done with the latest build which I just downloaded from the site.

    --
    Hate me!
    1. Re:PuTTy by julesh · · Score: 1
      Hmmm...


      vengeance:/var/spool/mail# echo -e "\e]2;;echo This is to see how queer putty is\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
      Press Enter>;
      vengeance:/var/spool/mail#


      And that's with quite an old version (dev snapshot 2001-03-29 in fact). Maybe the vulnerability was only introduced recently?

      Just looked through the CVS logs - looks like it was introduced on Sun Nov 25 15:21:25 2001 UTC (terminal.c, revision 1.90).
  16. Uhm, no... by loucura! · · Score: 2, Informative

    If you had read the article, rather than just glancing through it... those were the terminal emulators he used.

    Eterm was affected, Putty, Xterm, and Rxvt.

    --
    Black and grey are both shades of white.
  17. Also known as the "ANSI standard trojan horse." by Ungrounded+Lightning · · Score: 4, Interesting

    So they discovered ANSI bombs over again.

    Looks like it.

    I recall the "ANSI Standard Trojan Horse" (though it was misnamed). It became quite common after ANSI standardized a cross between the VT100 and Ann Arbor Terminals escape sequences.

    Simplest form was to send a "talk" mesage to a root user containing an escape sequence that programmed a hotkey with your command-to-be-run-as-root and then "hit the key" by remote control. (You could even bury it invisibly in an otherwise innocuous-looking message.)

    ANCIENT stuff. What-early '70s?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  18. This isn't that much of a problem. by $$$$$$$$$$$exy+Goats · · Score: 1

    Most terminals released in the last few months aren't afflicted by this, particularly the most common. You have to be running a terminal to get hacked like this. You need some pretty contrived circumstances to get hacked like this; your average opportunistic script kiddie won't be able to use this trick too easily on strangers. Besides, couldn't you just set up a cron job to pipe all the logs through strings?

    --

    Lonely man seeks satisfying cock. My password is 'ha

  19. Re:TXT? by spinlocked · · Score: 4, Funny

    In my neck of the woods TXT is practically synonymous with text messaging. No, actually it's, synonymous with the delivery of TXT msg svrl hrs aftr u snt thm...

    --
    # init 5
    Connection closed.

    Oh... ...bugger.
  20. Thread by taviso · · Score: 4, Informative

    The author went on to have an interesting converstaion with Micahel Jennings, author of Eterm on Bugtraq here.

    --
    ex$$
    1. Re:Thread by Bronster · · Score: 2, Interesting

      I'm very impressed with the intelligent and humble discussion that is in that thread. They really are both trying to work out how to avoid the problem without breaking applications, rather than blamestorming or pretending it's not an issue.

      Michael Jenning's comments that he's not an expert on security, but does try his best show a real sense of humour and concern for his users.

      Ok, so I'm being a bit of a fanboy, but most links to discussions between open-source developers I see these days are the fights they have (on the very public mailing lists where we can see them). We tend to forget the good work they do the rest of the time.

      (raises hat, or would if I was wearing one) ... and glad I use konsole, at least until a bug is found there ;)

    2. Re:Thread by KainX · · Score: 2, Interesting

      Thanks. :)

      I started out my life on Unix as a sysadmin, and I always found it distasteful how software developers would get all pissed off at the people who reported the vulnerabilities, as if they were somehow to blame for the author's own screw-ups.

      The bottom line is simply that the person who wrote the code is responsible for their own mistakes. That's really where the buck stops.

      In the end, all that really matters is that things get fixed as quickly and correctly as possible for the sake of the users. Ego-sparring and public feuds accomplish nothing and are ultimately counterproductive.

      --
      Michael Jennings | HPC Systems Engineer, Lawrence Berkeley National Lab | Author, Eterm (eterm.org)
  21. CORRECTION to terminal emulators not susceptible by chongo · · Score: 5, Informative
    Sorry .. I made a BAD cut and paste on my original posting! SORRY!!!

    The following terminal emulators were found, according to the article, to NOT be susceptible to screen dump or window title attacks:

    • aterm: 0.42
    • konsole: 3.1.0 rc5
    • gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
    • SecureCRT: 3.4.6
    • aterm: 0.42

    Some asked about my Perl filter for tailing log files.

    Sans typos, here is an example that removes certain types of messages and fields, checks the file every 60 seconds, picks up trailing on the new file when the log file gets rotated (moved away), trims to 224 characters and replaces unusual chars with ~'s (assuming you use ASCII).

    /usr/bin/tail --retry --follow=name --max-unchanged-stats=60 /var/www/logs/access_log |
    /usr/bin/perl -ne '
    $line = $_;
    chomp $line;
    next if $line =~ m{... some regexp you want to ignore ...};
    next if $line =~ m{... etc ...};
    $line =~ s/... some field you want to ignore ...//;
    $line =~ s/... some common phrase you want to ignore ...//;
    $line =~ s/^(.{1,224}).*$/$1/;
    $line =~ s/\t / /g;
    $line =~ s/[^ -~]/~/g;
    print "$line\n";'

    As they say in perl, there is more than one way to do it. The above code fragment is just to give you the general idea.

    --
    chongo (was here) /\oo/\
  22. Re:In short... by Moses+Lawn · · Score: 1
    Windows? Well, windows don't even have syslogging like this - ...

    Actually, Windows *does* have a logging feature, but, in typical Microsoft overdesigned-anal-retentive fashion, it's a pain in the ass to use. Look at "Event Viewer" in the Administrative Tools sometime. I forget the API, but you (the programmer) need to fill out some complex structures and do something-or-other unintuitive to dump a message to the log. To actually see it, you need to go through a scrolling list of messages marked "Information" and doubleclick one to see the actual text.

    I don't think anyone actually uses this, other than driver writers and those with the plugs in the backs of their heads.

    --

    What if life is just a side effect of some other process and God has no idea we exist?

  23. Tailing logs... by Urchlay · · Score: 5, Informative

    The paper mentions injecting escape sequences into log files which are being tail -f'ed... and that there's nothing new about terminal exploits.

    When I first heard about this (a couple of years back) I started using less +F for tailing logs. less will convert the escape character into the token ESC (in bold or inverse video), avoiding any escape-sequence exploits.. and also adds the benefits of being able to scroll back and search, which would make it worth using even if there were no such thing as a terminal exploit.

    If you're going to leave it running for a long time, you might want to also look into the -b and -B options, to limit the amount of buffer space it will allocate: something like `less -b1024 -B +F /var/log/apache/common.log' would limit less to 1024K (1M) of buffer, which means old data will eventually be discarded, but keeps less from malloc'ing all your core. As always, Read The Fine Manual for details :)

    I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

    Hope this helps someone...

    1. Re:Tailing logs... by Skater · · Score: 1

      Yes, it does.

      Thanks.
      --RJ

    2. Re:Tailing logs... by sfe_software · · Score: 3, Informative

      I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

      Actually that should be:

      alias more=less

      But otherwise, very helpful. I'd always been in the habit of using 'tail -f', even as root -- and personally I'll be using 'less +F' from now on.

      --
      NGWave - Fast Sound Editor for Windows
  24. Re: Can't read, can you? by Moses+Lawn · · Score: 2
    Well, the point of the article is to point out that, while the exploit has been around forever, it's still around, in new, supposedly state-of-the-art code (latest Enlightenment, etc.) It would be really nice if people understood this and took steps to make sure they were safe. It would be really nice if terminal emulator authors fixed these problems, or at least worked around them (config option to recognize escape sequences other than colors, perhaps).

    One point that stood out at me is how many apps are vulnerable because they started with an insecure codebase. This is how exploits become common - one buggy piece of code spreads to a dozen others and never gets fixed in any of them, if only because authors say "let's add our new features instead of validating these 25,000 lines of code we started with."

    --

    What if life is just a side effect of some other process and God has no idea we exist?

  25. Re: why 224 character trim? by chongo · · Score: 2, Informative
    My terminal emulator windows happen to use a font that, on my monitor, permits a window of width of 225 characters.

    By trimming down to 224 characters, I avoid line wrap. System crackers cannot cause a very long line to wrap at just the right place to fake another entry.

    Sure, I'll perhaps miss important text beyond the 225th char, but I'm willing to take that risk. Besides, the script converts tabs to a single space and removes some common fields and phrases which further cut down down on long lines. And I can always to back to the logs to look at really long lines if I want to.

    And yes, maybe some terminal emulator has some long line bug somewhere. My perl script helps avoid testing it. :-)

    --
    chongo (was here) /\oo/\
  26. Unstable xterm by kasperd · · Score: 2, Interesting

    Some years ago I managed to make an xterm dump core simply by typing the contents of a binary file, which did not contain any malicious data, it just be coincidence contained a byte sequence that would cause xterm to dump core. Investigating this I found, that some sequence of 24 bytes was responsible. But if I made the xterm window larger, it would not crash from this sequence, however it turned out the original file contained another longer sequence that could also make a larger xterm dump core. I never actually understood exactly what was going on, but I found that later xterm versions does not crash from the sequences I saved from back then.

    --

    Do you care about the security of your wireless mouse?
    1. Re:Unstable xterm by NewWazoo · · Score: 5, Interesting
      I'm feeling artistic, so I'll write.

      This, in a nutshell, is why you'll never be a Great Hacker. I'm most likely projecting my own insecurities upon you, but I'm writing and you're not, so there.

      I tend to notice little things like you noticed - that catting a binary file will crash my terminal. And then in a fit of boredom, I might even do as you've done and start trimming away sections of the file to find the offending string. I might even write a one-liner that will parse through it for me, automating what would otherwise be a tedious task. I'll eventually end up with a file that is 23 bytes long, and when catted, crashes the terminal.

      But I won't ever find out why. That file will remain a curiosity in my $HOME/misc/, to be pondered at until I find that it no longer crashes whatever terminal program I'm using. It might even remain for a while, until one day I have a directory purging session and delete it, wondering "What the hell is this?".

      And that, in my opinion, is what separates Great Hackers from the myriad of wannabes. I'm definitely a wannabe. I'm proficient at everything I do, but I'll never spend the (quite possibly small number of) hours actually finding out why that string crashes xterm, and maybe doing something useful with it. The rewards are definitely there, and I've tasted their sweetness in flashes of inspiration, but I just don't have it.

      What is it? I don't know. I don't suspect that I ever will, in this particular field. I think that I might just have it in another field (racing cars), but I think it's likely that I'll be Just Proficient at that, too, much as I have been at most everything for my whole life. And that's a pretty depressing thought.

      Great Hackers have it, I think. They must. In fact, part of me wants to disbelieve that it exists; that if I'd just push myself a little bit harder, that if I'd just concentrate a little more, that if I would simultaneously dig deeper into and maintain a broader view/mindset of whatever it is that I'm doing, that suddenly I'd become a Great Hacker. I'd know the formula of self-motivation, and from then on it'd be easy. But it just doesn't seem to work that way - I read the exploits of Great Hackers, and marvel at how they do their work, just knowing that I could never do that! Knowing that given the same set of curiosities, my interest or drive or whatever would sputter out, and at best I'd end up with something nifty, that I might be able to make use of in my next bout of Adequate Hacking.

      I'm sitting here thinking that I want to type some sort of sage-like advice to you (whoever you are) about forcing yourself to go the extra mile, or don't be lazy, or to eat your Wheaties before you start hacking. Fact is, I know that I've missed the opportunity to grab it. I also know that I've no clue what I did "wrong", and wouldn't know what to do differently, even could I go back in time and change something. I wish that I could have it, but I know that I never will.

      I'm still pretty young (19)... maybe I'll figure out how to grab it between here and there.

    2. Re:Unstable xterm by Ataeagina · · Score: 1

      Well, I'm using xterm 4.2.0. (165), and it occasionally dumps core on some binary files I try to "cat" (by accident of course). Don't ask me which files, and what they contain. I really never gave it much thought.

      --
      We're siamese children created by heart. Nothing, nothing can tear us apart.
    3. Re:Unstable xterm by josh+crawley · · Score: 1, Insightful

      >And that, in my opinion, is what separates Great Hackers from the myriad of
      >wannabes. I'm definitely a wannabe.

      No, sir. YOu are not a wannabe. Go check out usenet:alt.hacking.* and look for
      "Hotmail Hax0rz", "Warez", "Mail haxorz", "DOS", and other usual keywords
      associated to 'have-no-clue-but-must-impress-my-friends' wanabees. If you have a
      clue, you're already out of that category.

      >I'm proficient at everything I do, but I'll never spend the (quite possibly small
      >number of) hours actually finding out why that string crashes xterm, and maybe
      >doing something useful with it. The rewards are definitely there,

      The big key there is "why". That's what gives master hackers their edge. The
      thirst of knowledge hanging just above their head, waiting to be plucked. But
      how do you pluck it? Do you just rush to it, squishing it in your hands, licking
      the residue from your palm? No.. you cherish and understand it. But you don't
      give up. If that means asking for help from somebody more learned in that
      area... Anything to solve that problem.

      >and I've tasted
      >their sweetness in flashes of inspiration, but I just don't have it.

      But you've never tasted the sweetness of power sitting at a console with remote
      root, gotten accidently by noticing and exploiting a 'weird bug'?

      >What is it? I don't know. I don't suspect that I ever will, in this particular
      >field. I think that I might just have it in another field (racing cars), but I
      >think it's likely that I'll be Just Proficient at that, too, much as I have
      >been at most everything for my whole life. And that's a pretty depressing
      >thought.

      Oh, is it? Look at your skills as a stat with a library of different happenings.
      Who else here, let alone else in the world has your exact skill set and
      memories? Nobody.

      And so what, you'll be 'just proficient' in computing. That's way above the
      average. Many people have a hard time of understanding "double click" or basic
      computer terms. Put together and exploit what you do know and become an expert
      in your field of knowledge. That'll get you respect, and access to more
      information.

  27. Dear Sir, by Anonymous Coward · · Score: 1

    I have checked your journal, and there are no links to porn sites. Please rectify this immediately.

    Thank you,
    Anonymous Coward

  28. tail -f log | cat -v by e40 · · Score: 4, Informative

    will take care of the tail of a log file problem...

    1. Re:tail -f log | cat -v by Alain+Williams · · Score: 3, Informative

      An easier way is to use 'less' - which filters out nasty characters. You hit 'F' and it acts like 'tail -f' with the nice bonus that you can hit '^c' if you see something and want to and go back up the file to see how it started.

      It does help to reread the manuals occasionally.

  29. Poking fun at Enlightenment? by GrimReality · · Score: 1, Insightful

    In the article, especially in the 'Fictitious Case Study', the author makes quite a lot of snide (although funny) remarks about Enlightenment.

    By the way, I am not an Enlightenment user, so don't think that is why posted this.

    For instance...

    ...Jim has a new 2.5Ghz P4 and finally has enough processing power to run the Enlightenment window manager...

    ...or...

    ...Andre finally manages to get Eterm and its 60 megabytes [ sic] of support libraries compiled....

    Thank you.

    GrimReality
    2003-03-02 01:27:02 UTC (2003-03-01 20:27:02 EST)

    1. Re:Poking fun at Enlightenment? by KainX · · Score: 2, Insightful

      They're obvious exaggerations for the intent of being humorous. No one should take them seriously or interpret them as anything other than playful jabs.

      --
      Michael Jennings | HPC Systems Engineer, Lawrence Berkeley National Lab | Author, Eterm (eterm.org)
  30. Re:In short... by Waffle+Iron · · Score: 1
    Look at the bright side: There was a thriving aftermarket for pricey NT event log tools. It provided a lot of programmers with high paying jobs. The byzantine API ensured job security. (That market may still be thriving; I haven't been paying attention lately.)

    Similar situations existed for the registry, DCOM, performance counters, security model, etc., etc.

  31. It's not that simple. by blair1q · · Score: 1

    How many of us happen to put pictures of our terminal windows up on our websites?

    1. Re:It's not that simple. by fucksl4shd0t · · Score: 1

      How many of us happen to put pictures of our terminal windows up on our websites?

      Gee, I wonder how many desktop themes I've looked at that say "Look how great a terminal window looks in this them!". I know for a fact that MPlayerhq has terminal windows in some screenshots.

      Hm, I wonder how many of us don't put pictures of our terminal windows up on our websites? That's probly a smaller number than the one you're looking for....

      --
      Like what I said? You might like my music
  32. The more things change... 1979 version by billstewart · · Score: 4, Interesting
    "Hackers At Berkeley Find Security Hole in the Unix, a computer made by DEC". From the Oakland Tribune or some other Bay Area paper in spring 1979. Not an exact quote, but they did say the Unix was a computer made by DEC.

    A long long time ago, on a uucp-net far, far, away, we didn't use terminal emulators, we used real hardware terminals. Most of them didn't run ANSI (I don't remember if the ANSI terminal standards were defined yet, but they looked very much like a DEC VT-100 terminal), but that meant there were lots of types of terminals, all trying to achieve market differentiation by having cool features or small size or large screens or cool plastic cases. Lots of different cool features means lots of vulnerabilities. The hackers in question had REDISCOVERED AN OLD TECHNIQUE - they found ways to hand escape sequences to VT100 terminals that would get the terminal to send arbitrary text back to the computer, which in those good old command-line days meant they could do anything they wanted. All you needed to do was email somebody a message with carefully crafted character strings in it, or use the talk program to write them to their terminal (back when everybody left their ttys writeable so talk would work.) Some of the popular techniques were to abuse programmable function keys (send a sequence to put some string in F1, then another sequence to auto-trigger the F1 key), or automatic whoami-responders (VT100 had one of these), or put the terminal into loopback testing mode (letting you type anything you want.)

    The Hewlett-Packard HP2621 and its relatives had two easy things to do, which didn't let you send arbitrary characters but still hosed the user - one did a reboot on the terminal (and thereby dropped the connection), while the other put it into test pattern mode (sending a long string of UUUUUU to the computer.) There may have also been some block-mode things that let you send arbitrary characters to the computer, but these two were the easiest and best-documented. A couple years later, when I was a newbie learning Unix programming and security at Bell Labs, and Robert Morris Senior (father of RTM the Worm Author) was a department head for computer security (before he went to NSA), we'd had a discussion about some techniques I was trying (which he cracked through personally :-), and a few days later, when I'd patched those holes, I was playing rogue in the evening, and one of his people talked the test pattern sequence at me. For a few seconds, I though Umber Hulks were suddenly going to eat my character, but then realized I'd been hacked, and it was one of RTM's people following up on what I'd patched and what I hadn't...

    Terminology note on "hacker" as opposed to "cracker" or "vandal" - The folks at Berkeley really were hacking - tinkering with things to find their limits - and while they could potentially use their knowledge for evil, they instead told people about it, which reminded lots of us to check for potential security holes in our systems.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  33. The "it" by pr0ntab · · Score: 1

    The Great Hacker (later read: me) would dig up docs on VT10x escape sequence interpretation. Then I would look to see what that trimmed down file translates to in terms of screen manipulation code.

    I would think to myself, does that series of actions even make sense? It probably wouldn't (seeing as it tends to crash xterm).

    The next thing would be to trim the sequence down to just escape codes (removing any printable characters in the sequence), and see if still dumps core. If not, its probably due to a simple segfault (whether writing character or blitting a bitmapped font in an invalid buffer).

    Then try removing an escape code or chaning a parameter. Does it still dump core? Are there ranges of values for each escape code that cause the behavior?

    Finally, you'd grab the source code and see if the are any obvious flaws. Does the emulator load a parameter and then cast it into a signed value? Then does it not check to see if it was negative? etc.

    All those steps (which I've never done nor considered before your post) would be my plan to handle and investigate the situation.

    I think what it requires to be a Good Hacker, therefore, is a sick motivation to get to the bottom of things, no matter how painful or time consuming the excercise. The steps I outlined above could easily take 15 hrs. to adequately address. Are the potential results worth that time? To a great hacker, who relishes such experiences, yes they are, even if she cannot pinpoint the problem or fix it.

    There was nothing that you did wrong. I think maybe you didn't really want to be one. Great hackers do not just have fits of ingenuity and shit. They just hack at things until it becomes clear. It's time consuming, tiring, and often thankless. But over time, you get to have a certain knack for relating new problems to old ones, and it becomes easier.

    Nothing says you can't start now either. Go for it!

    --
    Fuck Beta. Fuck Dice
  34. You fail on step 1 by mangu · · Score: 1
    Reboot the computer, somehow.


    What if the computer is like my own, where I have a BIOS password *and* a padlock locking the case?

    1. Re:You fail on step 1 by Lemmeoutada+Collecti · · Score: 1

      Well, since physical access is basically required, two words... 'Bolt Cutters'

      --

      You can have it fast, accurate, or pretty. Pick any 2.
    2. Re:You fail on step 1 by reyalsnogard · · Score: 1

      Reboot difficulty? Easy: power loss.

      Happens all the time when we least suspect it (and aren't running a UPS). ;)

  35. Re:TXT? by uid8472 · · Score: 1

    And here I thought they were referring to RFC 1464: Using the Domain Name System To Store Arbitrary String Attributes....

  36. Great Hackers by Hubert_Shrump · · Score: 2, Interesting

    Larry Wall's famous quote says Great Hacker virtues include Laziness, Impatience, and Hubris.

    I would agree, and say that a Great Hacker would locate those killer ctrl codes, get a boatload of diagnostic information together, and hand all that over to the maintainer of the terminal program and then not sweat trying to figure it out themselves.

    Let someone that knows the code, and might be better able to divine what's up have a wonk at it. You could even check the diffs if it ever gets patched, and you were curious and had time to kill.

    Then, the Great Hacker would go and patch their own project to fix up the newest incoming bug report.

    Then, the Great Hacker would rest and eat of the Divine Pizza.

    And all would profit.

    --
    Keep your packets off my GNU/Girlfriend!
    1. Re:Great Hackers by @madeus · · Score: 1

      Damn :/

      That's what I was trying to say, but shorter, and included the specifc Larry Wall reference I was thinking when I wrote my reply.

      That will teach me to post a followup before reading the already posted replies. <autolart>

    2. Re:Great Hackers by Hubert_Shrump · · Score: 1

      (sticks thumbs in suspenders)

      No need to worry, we all talk out of turn here.

      Hey wait, you've got a lower UID.

      No, no excuse.

      --
      Keep your packets off my GNU/Girlfriend!
  37. "write"? by kris · · Score: 2, Informative

    You do have "mesg n" set, do you?

    If not, you are attachable by "write " as well.

    And yes, this is very, very old. Many an administrators open terminals have been taken remotely using this when I was at university.

    Kristian

  38. Obvious fix. by blair1q · · Score: 1

    tail -f /var/spool/foo/logfile | cat -uv

    Something any smart sysadmin would do, anyway, to display just exactly what was showing up in the log.

    1. Re:Obvious fix. by blair1q · · Score: 1

      Huh.

      Cygwin's manpage says it's ignored, too.

      -u means "unbuffered". 'cat -v' would wait for newlines. I wonder how linux and cygwin get around the difference. Hopefully, by always being unbuffered.

  39. Doesn't have to be a tail or log file. by TheLink · · Score: 2, Interesting

    Some programs or setups spit stuff out to the console - warnings, error messages etc.

    I remember doing something similar when testing my company's TIS FWTK setup years ago. When you used an address with unbalanced brackets, sendmail when called by smapd will grumble to the console. As a test I sent an email with a ESC sequence setting the foreground colour to black and it worked. Wasn't too surprised. Wasn't able to find an exploit for the console term at that time, and no one abused it (security through obscurity).

    Later I switched to using qmail (IIRC qmail 1.0.3 dates to 1998, the TIS FWTK has been around for quite some time). Just to test things out I also recently wrote an smtp proxy to enforce state and filter out stuff(qmail may be robust, but it tends to pass the junk unfiltered to other stuff which may be less robust).

    Some O/Ses send a many kinds of messages to the console too.

    --
  40. Forget about emulators, just hack real terminals by iamacat · · Score: 3, Informative
    VT220s in my school lab used to have a feature that you can send them ACK character and they'll reply with a string configured in the terminal menu. I used to reprogram the string to do some UNIX commands and then put ^E in my .plan - back in the days when people used finger as a web browser. Also, you could just write a simple shell script that simulated the login sequence and leave it running without logging out. On older UNIX systems, this worked even over dialup if your shell script ignored SIGHUP.

    But the later option was too risky for my taste, because the "login" process was owned by you. So instead, I wrote a doomsday shell script. It gave you a # prompt to make you believe you are running as root. It then emulated various UNIX commands. For example "jobs" showed [1] rm -rf / & and "kill" returned "Permission denied". It logged all the commands and responses to an obscure file in my home directory. Once I got our semi-knowlegable system administrator's assistant to "interact" with this script and it was quite fun reading him using kill 10 times in a row with the same arguments. She really thought the filesystem was going south.

    Terrible abuse that can be inflicted on X terminals or public lab PCs with terminal emulators is left to the imagination of the reader.

  41. Re:In short... by hardcode · · Score: 1

    You need to compile a messages file using the mc.exe message compiler, then rc -r the output to a .rc file.

    You need to regster the event source and either link the .rc file into the executable or into a .dll (for language specific error messages etc).

    Damn, I remember being a Perl & Unix hacker, hot the fsck did I end up coding for Winblows XP???

    Rich

  42. "Dumb terminal" by wirelessbuzzers · · Score: 1

    This story gives a whole new meaning to that phrase.

    --
    I hereby place the above post in the public domain.
  43. Re:In short... by Moses+Lawn · · Score: 1

    Oh god, that's right. It's all coming back...

    I remember looking at that whole business once and going back to logfiles. Although, the message/resource file business *is* a lot more maintainable and internationalizable, and the process isn't all *that* bad. Let's just say it's overkill for 90% of things.

    Windows - the Ada mindset of software development!

    Damn, I remember being a Perl & Unix hacker, hot the fsck did I end up coding for Winblows XP???

    That nice big paycheck at the end of the week helps mitigate the pain and guilt, I've found. Of course, "big" and "mitigate" are relative words.

    --

    What if life is just a side effect of some other process and God has no idea we exist?

  44. Re:In short... by hardcode · · Score: 1

    The pay helps, a lot, but hey, one day I might just take up mowing lawns for a living.

    But I did just install XP of a 2MB per inute network link - I feel dirty... *grin*

  45. I think that's nonsense! (and the meaning of IT) by @madeus · · Score: 1

    I think that's nonsense.

    I'm certainly not professing to be a great hacker, and I don't think people in that category would use that term to desribe themselves.

    However...

    Not bothering to spend the time working out why a given string crashes an xterm does not mean you are not a great hacker, let alone that you will never be one.

    All it means is there was something else you would rather do instead. Which is not a bad thing.

    Obviously, you can't fix every software bug in the world on your own - and clearly the best way to deal with them is not to try and fix them all personally, so another approach is needed.

    To put it another way:

    If everybody spent time trying to fix obscure bugs in other people's code while still trying to write their own software, all development would grind to a halt - developers would spend loads of time pouring over and trying to understand documentation for libraries and API's and going line by line through other people's, very possibly krufty, code - instead of spending time working on solving their own bugs.

    If I found such a bug, I'd be likely to contact the author informing him (and provding some details as to why), and go back to fixing *my* bugs.

    Although it's no bad thing to debug and fix bugs in other poeple's code if you have some free time and no projects of your own, it's simply far more logical and efficent to spend time fixing your own bugs.

    PS: FWIW, IMHO, 'it' is simply equal lashings of time and effort and a dollop of hubris to taste, served on a bed of sufficent basic intelligence. The 'time' and 'effort' ingredients being the hardest to come across.

  46. Re:CORRECTION to terminal emulators not susceptibl by chongo · · Score: 1
    Perhaps the following comments will help you understand how my Perl filter example protects terminal emulators ... even terminal emulators that are subject to the kind of attack discussed in the referenced article.

    Lines such as:

    $line =~ s/... some common phrase you want to ignore ...//;
    next if $line =~ m{... etc ...};

    serve as part of the ''removes certain types of messages'' processing. And lines such as:

    $line =~ s/... some field you want to ignore ...//;
    $line =~ s/... some common phrase you want to ignore ...//;

    serve as part of the ''removes certain types of ... fields'' processing. And lines such as:

    $line =~ s/^(.{1,224}).*$/$1/;

    serve as part of the ''trims to 224 characters'' processing. And lines such as:

    chomp $line;
    ...
    print "$line\n";

    ensure that each message read is printed with a trailing newline.

    To protect terminal emulators, the following lines are used:

    $line =~ s/\t/ /g;
    $line =~ s/[^ -~]/~/g;

    For systems using ASCII (and a number of other widely used character sets), it replaces potentially dangerous characters with ~ (tilde) characters. The replacement is 1-for-1, so the layout of the original message is mostly preserved.

    I say ''mostly preserved'' because a tabs are replaced with space. I prefer to view whitespace as just token separators and to reduce them where reasonable. A more complete whitespace crusher would use:

    $line =~ s/\s+/ /g;
    $line =~ s/[^ -~]/~/g;

    On the other hand, you might want to keep all whitespace as it is when tailing log messages in your terminal emulator window, so:

    $line =~ s/[^\s!-~]/~/g;

    would do the trick.

    And of course one could write the regexp to not depend on a character set order. I'll leave that exercise up to the reader. :-)

    BTW: I prefer to replace strange characters instead of tossing them. Tossing strange characters instead of replacing them could would allow a system cracker to potentially mimic a valid messages knowing that invalid chars would simply be tossed. And I usually want to know when strange chars appear in the logs.

    I hope this helps.

    --
    chongo (was here) /\oo/\
  47. FYI...GoGlobal is safe by OrbNobz · · Score: 1

    I just tried this in GoGlobal 1.63:

    bash$ echo -e "\e]2;This is the new window title\a"
    2;This is the new window title

    Dunno, maybe it's a different code number.
    Somebody let me know...
    YMMV

    - OrbNobz
    Finding more and more people obsequious, obstreperous, and ubiquitous.