Getting Hacked Through Your Terminal

hdm writes "My company recently published a paper on security issues with common terminal emulator applications. The interesting thing about these vulnerabiltiies is that many of them only require the victim to be running tail on their log files (apache, syslog, etc) for the attack to be successful. The paper (TXT) can be found here."

strings

[siliconshock.com]

just pipe your stuff through strings. it should help a bit

A simple solution

[Giant+Ape+Skeleton]

Given the profliferation of exploits related to race conditions, predictible file creation, etc,
we should henceforth re-tool our code to only make use of stateless protocols!
;-)

Re:Most exploits

But exploits that require physical access to the machine don't really mean much to anyone truly interested in security.

~~~

Not all terminal emulators were susceptible

[chongo]

For those who might be concerned (and in case the paper is /.-ed), the tested and found that the following terminal emulators were NOT susceptible to screen dump or window title attacks:

• xterm xf86 4.2.0 (patch 165)
• aterm 0.42
• rxvt 2.7.8
• Eterm 0.9.1
• konsole 3.1.0 rc5
• putty 0.53
• SecureCRT 3.4.6
• gnome-terminal 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
• hanterm-xf 2.0

I always pre-filter my logs thru a Perl script. Besides removing verbose messages that are not useful, my filters replace such non-printable characters with a printable character. Not only does it make it easier to spot strange octets on the screen, it does not depend on the terminal emulator remaining secure.

Re:Not all terminal emulators were susceptible

[Moses+Lawn]

Funny, I just did that and it worked fine (putty 0.52). Didja type it right?

The article did mention that Putty was not really susceptible to screen dump attacks, because

Although putty would place the title onto the command-line, we were not able to find a method of hiding the command, since neither the "invisible" character attribute nor the foreground color could be set. Putty has a relatively low limit to the number of characters that can be placed into the window title, so it is not possible to simply flood the screen with garbage and hope the command rolls past the current view.

This doesn't mean putty is "secure", but it's not as insecure as some others. The baddies seem to be eterm and rxvt. There's a nice description of a compromise scenario via eterm at the bottom of the article.

Re:Not all terminal emulators were susceptible

[KainX]

The baddies seem to be eterm and rxvt. There's a nice description of a compromise scenario via eterm at the bottom of the article.

Please note that the "case study" provided was contrived at best and damagingly inaccurate at worst. No official release of Eterm EVER could be used in the way they describe. Only people following CVS Eterm would ever have been open to such an attack, and those people would have updated to a fixed version almost 2 years ago.

The case study is intended to illustrate a "Worst Case Scenario" type situation, not be any sort of realistic portrayal of actual events.

Reinventing

[Sarcazmo]

So they discovered ANSI bombs over again.

Simple! Just tell Linux not to load ANSI.SYS, problem solved!

Re:Reinventing

[xchino]

Those were fun... remapping all keys to delete fun files, and then mapping the backspace key as enter :)

Worked quite often...

Talk is cheap.

[FreeLinux]

Another day, another vulnerability. These exploits are getting more bizzare and more useless every day. The risk factor here is ridiculously low.

I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

Now, when someone gets an exploit to replace the Slashdot ads with Goatse, then I'll be impressed.

Fuzzy memory

[maelstrom]

Been a long time, but I seem to recall that many popular bulletin board systems used special ANSI characters as control codes in the menus and such. The purpose was to allow the sysop the ability to dynamically add the current date, or who was online, etc. Basically server side includes for the BBS.

However, certan software would allow an attacker to insert these control codes anywhere, and not just interpret them from the menus.

Imagine the hilarity that insues once the attacker figures out the embed sequence for the drop to DOS feature. :)

Re:Fuzzy memory

[zztzed]

Wow, your memory really is fuzzy... either that or you used incredibly badly-written BBS software.

No BBS program I ever used (most of my experience is with TriBBS and RemoteAccess, but I also dabbled with Renegade and various Renegade-alikes) would parse the dynamic-content codes outside of files that would actually be displayed by the BBS. My memory's a bit fuzzy as well, so there might have been a few exceptions that I don't explicitly recall, such as allowing users with high enough access levels (e.g., sysops) to use them in messages, or allowing them in certain message bases, but under normal circumstances no one but the sysop would be allowed to use them and even then only in very limited circumstances.

Similarly, no BBS program I ever used had a "drop to DOS" sequence that could be embedded in a display file. Of course there was a menu command that would do it, but a) menus and the ANSI files displayed when users accessed them were always separate and b) the drop to DOS command would have to be explicitly defined in whatever menu for anyone to actually use it, and only insane sysops would allow a regular user access to it.

Re:Fuzzy memory

[maelstrom]

Could be, most of my experience as a Sysop was with RemoteAccess 2.02, Frontdoor 2.12, and various Renegade and WWIV boards.

And yes, it would be incredibly poor programming practice to have a code path that would allow a user to exploit this. But, consider that many boards had some kind of dynamic headers which would display on top of the regular menus or message boards.

So it could have been possible such that a user could embed a sequence in a forum message and then upon display the stupid software loads the header from disk, appends the part it has to display and then parses it for command sequences and finally displays it.

Perhaps I'm only remembering somone claiming this was possible, I never tried to exploit any BBS, I was on the other side trying to keep myself up to date so these things couldn't happen to me. Either way, it was a blast being a Sysop and its good to see I'm not the only one on Slashdot that got a start there :)

This isn't a big problem.

[Dthoma]

Someone has to be using a terminal for someone to be able to do this to them. Is it just me, or is the solution really obvious? Just chmod every thing with a command line to 000! That should keep those naughty, naughty crackers out!

Re:"Fictitious Case Study"

[drinkypoo]

The idea is probably to give a scenario so those weak on imagination have something to use to show their boss to explain why they should spend time on this issue.

Mac OSX

[fafaforza]

Apparently the OSX terminal might be susceptible to this. It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

It would be interesting to see whether actual commands can be executed if tailing /var/log/messages, but I won't be the one to find out as my PowerBook is in the shop...

Re:Mac OSX

[scrod]

The OS X Terminal doesn't seem to be vulnerable. I just tried it.

Re:Mac OSX

[Waffle+Iron]

It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

The bad news: Evil black hat hackers can use remote exploits to move the OSX terminal around the screen.

The good news: With the velvet smooth animated motion, harmonizing colors, translucent effects and drop shadows, being 0wned has never looked better!

BBS ANSI Bombs

[Leeji]

Back in the day, "Ansi Bombs" were considered an art form. With the art scene so active, you could usually embed some evil escape string in a good looking graphic and know that you were going to get people.

The problem was DOS' overly-powerful ANSI.SYS interpreter. It let you remap any key to an arbitrary set of keys, making keyboard macros pretty easy. However, it also let evildoers remap "Space" to, for example, "del *.*, enter, y, enter." Luckily, there were third party ANSI interpreters that didn't suffer this vulnerability.

One time, when I was about to reformat my HD, I even wrote an ANSI bomb to do it. Crazy stuff. There's an interesting (and of course, old) paper about it here.

Re:BBS ANSI Bombs

[rjamestaylor]

Speaking of the BBS days, when using my Mac Classic and the terminal software of the day (the name of which I forget) whenever the string
NO CARRIER+++ was displayed beginning in position 0 (left to right) the modem connection dropped. I made the mistake of sharing this newfound knowledge with my friends who proceeded to disconnect me at every possible opportunity. Of course, today I could have them arrested under the anti-terrorism laws for their purposeful denial of service attack. Hmmm...is the law retroactive??

PuTTy

[Dark+Lord+Seth]

seth@Discordia:~$ echo -e "\e]2;;echo This is to see how queer putty is\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"
Press Enter>;
seth@Discordia:~$ l;echo This is to see how queer putty is

I dare to say that putty IS vulnerable. This is what happens when I run a similiar command. Sure, it still expects an enter and anyone who takes his time to read stuff on his/her screen before blatantly hitting enter will notice the command. This was done with the latest build which I just downloaded from the site.

Uhm, no...

[loucura!]

If you had read the article, rather than just glancing through it... those were the terminal emulators he used.

Eterm was affected, Putty, Xterm, and Rxvt.

Also known as the "ANSI standard trojan horse."

[Ungrounded+Lightning]

So they discovered ANSI bombs over again.

Looks like it.

I recall the "ANSI Standard Trojan Horse" (though it was misnamed). It became quite common after ANSI standardized a cross between the VT100 and Ann Arbor Terminals escape sequences.

Simplest form was to send a "talk" mesage to a root user containing an escape sequence that programmed a hotkey with your command-to-be-run-as-root and then "hit the key" by remote control. (You could even bury it invisibly in an otherwise innocuous-looking message.)

ANCIENT stuff. What-early '70s?

Re:TXT?

[spinlocked]

In my neck of the woods TXT is practically synonymous with text messaging. No, actually it's, synonymous with the delivery of TXT msg svrl hrs aftr u snt thm...

Thread

[taviso]

The author went on to have an interesting converstaion with Micahel Jennings, author of Eterm on Bugtraq here.

Re:Thread

[Bronster]

I'm very impressed with the intelligent and humble discussion that is in that thread. They really are both trying to work out how to avoid the problem without breaking applications, rather than blamestorming or pretending it's not an issue.

Michael Jenning's comments that he's not an expert on security, but does try his best show a real sense of humour and concern for his users.

Ok, so I'm being a bit of a fanboy, but most links to discussions between open-source developers I see these days are the fights they have (on the very public mailing lists where we can see them). We tend to forget the good work they do the rest of the time.

(raises hat, or would if I was wearing one) ... and glad I use konsole, at least until a bug is found there ;)

Re:Thread

[KainX]

Thanks. :)

I started out my life on Unix as a sysadmin, and I always found it distasteful how software developers would get all pissed off at the people who reported the vulnerabilities, as if they were somehow to blame for the author's own screw-ups.

The bottom line is simply that the person who wrote the code is responsible for their own mistakes. That's really where the buck stops.

In the end, all that really matters is that things get fixed as quickly and correctly as possible for the sake of the users. Ego-sparring and public feuds accomplish nothing and are ultimately counterproductive.

CORRECTION to terminal emulators not susceptible

[chongo]

Sorry .. I made a BAD cut and paste on my original posting! SORRY!!!

The following terminal emulators were found, according to the article, to NOT be susceptible to screen dump or window title attacks:

• aterm: 0.42
• konsole: 3.1.0 rc5
• gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
• SecureCRT: 3.4.6
• aterm: 0.42

Some asked about my Perl filter for tailing log files.

Sans typos, here is an example that removes certain types of messages and fields, checks the file every 60 seconds, picks up trailing on the new file when the log file gets rotated (moved away), trims to 224 characters and replaces unusual chars with ~'s (assuming you use ASCII).

/usr/bin/tail --retry --follow=name --max-unchanged-stats=60 /var/www/logs/access_log |
/usr/bin/perl -ne '
$line = $_;
chomp $line;
next if $line =~ m{... some regexp you want to ignore ...};
next if $line =~ m{... etc ...};
$line =~ s/... some field you want to ignore ...//;
$line =~ s/... some common phrase you want to ignore ...//;
$line =~ s/^(.{1,224}).*$/$1/;
$line =~ s/\t / /g;
$line =~ s/[^ -~]/~/g;
print "$line\n";'

As they say in perl, there is more than one way to do it. The above code fragment is just to give you the general idea.

Tailing logs...

[Urchlay]

The paper mentions injecting escape sequences into log files which are being tail -f'ed... and that there's nothing new about terminal exploits.

When I first heard about this (a couple of years back) I started using less +F for tailing logs. less will convert the escape character into the token ESC (in bold or inverse video), avoiding any escape-sequence exploits.. and also adds the benefits of being able to scroll back and search, which would make it worth using even if there were no such thing as a terminal exploit.

If you're going to leave it running for a long time, you might want to also look into the -b and -B options, to limit the amount of buffer space it will allocate: something like `less -b1024 -B +F /var/log/apache/common.log' would limit less to 1024K (1M) of buffer, which means old data will eventually be discarded, but keeps less from malloc'ing all your core. As always, Read The Fine Manual for details :)

I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

Hope this helps someone...

Re:Tailing logs...

[sfe_software]

I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

Actually that should be:

alias more=less

But otherwise, very helpful. I'd always been in the habit of using 'tail -f', even as root -- and personally I'll be using 'less +F' from now on.

Re: Can't read, can you?

[Moses+Lawn]

Well, the point of the article is to point out that, while the exploit has been around forever, it's still around, in new, supposedly state-of-the-art code (latest Enlightenment, etc.) It would be really nice if people understood this and took steps to make sure they were safe. It would be really nice if terminal emulator authors fixed these problems, or at least worked around them (config option to recognize escape sequences other than colors, perhaps).

One point that stood out at me is how many apps are vulnerable because they started with an insecure codebase. This is how exploits become common - one buggy piece of code spreads to a dozen others and never gets fixed in any of them, if only because authors say "let's add our new features instead of validating these 25,000 lines of code we started with."

Re:Most exploits

[kasperd]

For instance, you can recover a root password in just 10-15 minutes on ANY machine.

You shouldn't make such claims without any evidence.

Re: why 224 character trim?

[chongo]

My terminal emulator windows happen to use a font that, on my monitor, permits a window of width of 225 characters.

By trimming down to 224 characters, I avoid line wrap. System crackers cannot cause a very long line to wrap at just the right place to fake another entry.

Sure, I'll perhaps miss important text beyond the 225th char, but I'm willing to take that risk. Besides, the script converts tabs to a single space and removes some common fields and phrases which further cut down down on long lines. And I can always to back to the logs to look at really long lines if I want to.

And yes, maybe some terminal emulator has some long line bug somewhere. My perl script helps avoid testing it. :-)

Unstable xterm

[kasperd]

Some years ago I managed to make an xterm dump core simply by typing the contents of a binary file, which did not contain any malicious data, it just be coincidence contained a byte sequence that would cause xterm to dump core. Investigating this I found, that some sequence of 24 bytes was responsible. But if I made the xterm window larger, it would not crash from this sequence, however it turned out the original file contained another longer sequence that could also make a larger xterm dump core. I never actually understood exactly what was going on, but I found that later xterm versions does not crash from the sequences I saved from back then.

Re:Unstable xterm

[NewWazoo]

I'm feeling artistic, so I'll write.

This, in a nutshell, is why you'll never be a Great Hacker. I'm most likely projecting my own insecurities upon you, but I'm writing and you're not, so there.

I tend to notice little things like you noticed - that catting a binary file will crash my terminal. And then in a fit of boredom, I might even do as you've done and start trimming away sections of the file to find the offending string. I might even write a one-liner that will parse through it for me, automating what would otherwise be a tedious task. I'll eventually end up with a file that is 23 bytes long, and when catted, crashes the terminal.

But I won't ever find out why. That file will remain a curiosity in my $HOME/misc/, to be pondered at until I find that it no longer crashes whatever terminal program I'm using. It might even remain for a while, until one day I have a directory purging session and delete it, wondering "What the hell is this?".

And that, in my opinion, is what separates Great Hackers from the myriad of wannabes. I'm definitely a wannabe. I'm proficient at everything I do, but I'll never spend the (quite possibly small number of) hours actually finding out why that string crashes xterm, and maybe doing something useful with it. The rewards are definitely there, and I've tasted their sweetness in flashes of inspiration, but I just don't have it.

What is it? I don't know. I don't suspect that I ever will, in this particular field. I think that I might just have it in another field (racing cars), but I think it's likely that I'll be Just Proficient at that, too, much as I have been at most everything for my whole life. And that's a pretty depressing thought.

Great Hackers have it, I think. They must. In fact, part of me wants to disbelieve that it exists; that if I'd just push myself a little bit harder, that if I'd just concentrate a little more, that if I would simultaneously dig deeper into and maintain a broader view/mindset of whatever it is that I'm doing, that suddenly I'd become a Great Hacker. I'd know the formula of self-motivation, and from then on it'd be easy. But it just doesn't seem to work that way - I read the exploits of Great Hackers, and marvel at how they do their work, just knowing that I could never do that! Knowing that given the same set of curiosities, my interest or drive or whatever would sputter out, and at best I'd end up with something nifty, that I might be able to make use of in my next bout of Adequate Hacking.

I'm sitting here thinking that I want to type some sort of sage-like advice to you (whoever you are) about forcing yourself to go the extra mile, or don't be lazy, or to eat your Wheaties before you start hacking. Fact is, I know that I've missed the opportunity to grab it. I also know that I've no clue what I did "wrong", and wouldn't know what to do differently, even could I go back in time and change something. I wish that I could have it, but I know that I never will.

I'm still pretty young (19)... maybe I'll figure out how to grab it between here and there.

tail -f log | cat -v

[e40]

will take care of the tail of a log file problem...

Re:tail -f log | cat -v

[Alain+Williams]

An easier way is to use 'less' - which filters out nasty characters. You hit 'F' and it acts like 'tail -f' with the nice bonus that you can hit '^c' if you see something and want to and go back up the file to see how it started.

It does help to reread the manuals occasionally.

Re:Poking fun at Enlightenment?

[KainX]

They're obvious exaggerations for the intent of being humorous. No one should take them seriously or interpret them as anything other than playful jabs.

The more things change... 1979 version

[billstewart]

"Hackers At Berkeley Find Security Hole in the Unix, a computer made by DEC". From the Oakland Tribune or some other Bay Area paper in spring 1979. Not an exact quote, but they did say the Unix was a computer made by DEC.

A long long time ago, on a uucp-net far, far, away, we didn't use terminal emulators, we used real hardware terminals. Most of them didn't run ANSI (I don't remember if the ANSI terminal standards were defined yet, but they looked very much like a DEC VT-100 terminal), but that meant there were lots of types of terminals, all trying to achieve market differentiation by having cool features or small size or large screens or cool plastic cases. Lots of different cool features means lots of vulnerabilities. The hackers in question had REDISCOVERED AN OLD TECHNIQUE - they found ways to hand escape sequences to VT100 terminals that would get the terminal to send arbitrary text back to the computer, which in those good old command-line days meant they could do anything they wanted. All you needed to do was email somebody a message with carefully crafted character strings in it, or use the talk program to write them to their terminal (back when everybody left their ttys writeable so talk would work.) Some of the popular techniques were to abuse programmable function keys (send a sequence to put some string in F1, then another sequence to auto-trigger the F1 key), or automatic whoami-responders (VT100 had one of these), or put the terminal into loopback testing mode (letting you type anything you want.)

The Hewlett-Packard HP2621 and its relatives had two easy things to do, which didn't let you send arbitrary characters but still hosed the user - one did a reboot on the terminal (and thereby dropped the connection), while the other put it into test pattern mode (sending a long string of UUUUUU to the computer.) There may have also been some block-mode things that let you send arbitrary characters to the computer, but these two were the easiest and best-documented. A couple years later, when I was a newbie learning Unix programming and security at Bell Labs, and Robert Morris Senior (father of RTM the Worm Author) was a department head for computer security (before he went to NSA), we'd had a discussion about some techniques I was trying (which he cracked through personally :-), and a few days later, when I'd patched those holes, I was playing rogue in the evening, and one of his people talked the test pattern sequence at me. For a few seconds, I though Umber Hulks were suddenly going to eat my character, but then realized I'd been hacked, and it was one of RTM's people following up on what I'd patched and what I hadn't...

Terminology note on "hacker" as opposed to "cracker" or "vandal" - The folks at Berkeley really were hacking - tinkering with things to find their limits - and while they could potentially use their knowledge for evil, they instead told people about it, which reminded lots of us to check for potential security holes in our systems.

Re:Most exploits

[42forty-two42]

Here's how to do it on linux:

• Reboot the computer, somehow.
• Append 'init=/bin/sh' to the kernel command line at boot, then resume the boot. You will be dropped to a root shell.
• mount -t proc proc /proc
• mount -o remount,rw -t (root fs type) (root fs device) /
• passwd
• Enter the new password
• mount -o remount,ro -t (root fs type) (root fs device) /
• umount /proc
• exec /sbin/init
• The system will resume its boot. The root password will have been changed.

Great Hackers

[Hubert_Shrump]

Larry Wall's famous quote says Great Hacker virtues include Laziness, Impatience, and Hubris.

I would agree, and say that a Great Hacker would locate those killer ctrl codes, get a boatload of diagnostic information together, and hand all that over to the maintainer of the terminal program and then not sweat trying to figure it out themselves.

Let someone that knows the code, and might be better able to divine what's up have a wonk at it. You could even check the diffs if it ever gets patched, and you were curious and had time to kill.

Then, the Great Hacker would go and patch their own project to fix up the newest incoming bug report.

Then, the Great Hacker would rest and eat of the Divine Pizza.

And all would profit.

"write"?

[kris]

You do have "mesg n" set, do you?

If not, you are attachable by "write " as well.

And yes, this is very, very old. Many an administrators open terminals have been taken remotely using this when I was at university.

Kristian

Doesn't have to be a tail or log file.

[TheLink]

Some programs or setups spit stuff out to the console - warnings, error messages etc.

I remember doing something similar when testing my company's TIS FWTK setup years ago. When you used an address with unbalanced brackets, sendmail when called by smapd will grumble to the console. As a test I sent an email with a ESC sequence setting the foreground colour to black and it worked. Wasn't too surprised. Wasn't able to find an exploit for the console term at that time, and no one abused it (security through obscurity).

Later I switched to using qmail (IIRC qmail 1.0.3 dates to 1998, the TIS FWTK has been around for quite some time). Just to test things out I also recently wrote an smtp proxy to enforce state and filter out stuff(qmail may be robust, but it tends to pass the junk unfiltered to other stuff which may be less robust).

Some O/Ses send a many kinds of messages to the console too.

Forget about emulators, just hack real terminals

[iamacat]

VT220s in my school lab used to have a feature that you can send them ACK character and they'll reply with a string configured in the terminal menu. I used to reprogram the string to do some UNIX commands and then put ^E in my .plan - back in the days when people used finger as a web browser. Also, you could just write a simple shell script that simulated the login sequence and leave it running without logging out. On older UNIX systems, this worked even over dialup if your shell script ignored SIGHUP.

But the later option was too risky for my taste, because the "login" process was owned by you. So instead, I wrote a doomsday shell script. It gave you a # prompt to make you believe you are running as root. It then emulated various UNIX commands. For example "jobs" showed [1] rm -rf / & and "kill" returned "Permission denied". It logged all the commands and responses to an obscure file in my home directory. Once I got our semi-knowlegable system administrator's assistant to "interact" with this script and it was quite fun reading him using kill 10 times in a row with the same arguments. She really thought the filesystem was going south.

Terrible abuse that can be inflicted on X terminals or public lab PCs with terminal emulators is left to the imagination of the reader.

Re:Most exploits

[kasperd]

If you have physical access to a machine then yes, root password recovery takes 10-15 minutes.

There are lots of things you can easilly do with physical access to the computer, but finding the root password is not one of them. Unless something has been done to prevent it, I can bypass the root password in less than five minutes. Either pass an init argument to the kernel or boot from external media. Once the root password has been bypassed it can easilly be changed if I would want to.

Preventing boot from external media and boot arguments will slow down the process, and of course BIOS and bootloader must be password protected. But I can get a long way with a screwdriver unless the harddisk has been encrypted.

In case you want to prove your claim, please tell me what my root password is. Here is the line from my /etc/shadow file:

root:$1$3pzDB2kQ$5ZUFiFyOXsLUQ1/Ad9G7y1:12103:0:99 999:7:::

Re:Most exploits

[joto]

Well, uhmm...

This is a nice touch, but remember that it's only security by obscurity. If you have physical access to the machine, you can just as well boot from a floppy, or remove the harddisk and put it into some other computer booting from another disk.

Not that it isn't useful, though. Most sysadmins do give their users physical access to their desktop (or laptop) computers. But then the users are, at least to some degree, trusted...