On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:

> untrusted source. This is a fundamental Unix feature (or flaw). Terminal
> control sequences may be contained in the data.

I've read this [1] analysis by H D Moore. No matter how convenient the escape sequences that allow injecting arbitrary data as if typed by the user might be, they should go, and they should go now.

[1] http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2

I will add a few remarks to the abovementioned paper:

(1) It's possible to covertly inject arbitrary commands in a shell command-line, by switching the echoing of characters typed off and on, letting the user press the <Ret> him-/herself.

(2) There are many applications that allow bang-shell-escape, where <Ret> is used e.g. for scrolling (less(1), mutt(1)). Although the dangerous escape sequences might be filtered out [by default], this can be turned off -- and there *are* no warning signs.

(3) There probably is a way of abusing e.g. the readline(3) macro ability, obviating the need of <Ret> being included in the payload; in some environments, some ordinary ASCII character might be mapped to <Ret> by default, even.

(4) This is a failure to separate the security domains cleanly, by allowing the intruder to type things with the terminal owner's privileges. It breaks the security scheme very deeply, and exactly because of this, ``nobody'' would expect it.

(5) Many observations made about MS Outlook & friends e.g. wrt the click-me virii apply. But this is even worse than Windows: Here any and every file may contain executable code, any and every file may carry a `virus'.

Looking forward to your comments.

Cheers,
Jan.