From owner-freebsd-security Sun Sep 13 09:16:14 1998
Message-Id: <199809131615.JAA03746@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
Reply-to: Cy Schubert - ITSD Open Systems Group
To: Karl Denninger
cc: Garrett Wollman, Josef Karthauser, Jay Tribick, freebsd-security@FreeBSD.ORG, cschuber@uumail.gov.bc.ca
Subject: X Security (was: Re: Err.. cat exploit.. (!))
In-reply-to: Your message of "Thu, 10 Sep 1998 13:36:15 CDT." <19980910133615.A13227@Mcs.Net>
Date: Sun, 13 Sep 1998 09:14:53 -0700

> On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> > < said:
> >
> > >> That's why you should normally use `more' or `less'.
> >
> > > Ok, but how come the interactions we describe?
> >
> > Most terminals, including the VT102 emulated by `xterm', include some
> > mechanism for generating an ``answerback'' upon receipt of a special
> > control code or sequence. (In xterm's case, that happens to be a
> > control-E.) A binary file is likely enough to contain such a code.
> >
> > There might be a preference you can set which will disable this
> > feature in xterm, but I don't know what it might be (and if there is
> > one, it's not documented).
> >
> > -GAWollman
>
> Actually, for VTxxx series terminals (and good emulators of them) as well as
> most others, the problem is far worse.
>
> Most terminals can be made to display something, set the cursor to where the
> "something" is, and then *send the line containing the something to the
> host*.
>
> This allows ARBITRARY commands to be accidentally (read: maliciously)
> executed by someone doing nothing more than displaying a file!
>
> This is an OLD trick, but one which still works, and if the person doing the
> tricking is crafty it can be particularly dangerous. (Consider that most
> terminals also have attributes such as "invisible" text available, and/or
> that you can send the line, then back up again and overwrite it).
>
> I can craft a 40-50 byte sequence that will, if the file is "catted" as
> root, give me an instant SUID root shell somewhere on the system that
> you're very unlikely to find.
>
> Indiscriminately displaying files without terminal control enforced (ie: by
> a pager) is EXTREMELY dangerous, especially if you're running with
> privileges (ie: as root).

That is why doing an xhost + or even an xhost hostname, even to hosts that
you think you trust, is so dangerous. It is easy for someone to inject some
"keystrokes" into an Xterm to get a root shell on a host that one is logged
into.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
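Added example, not code from anyone in this thread: the check a defender wants before catting an untrusted file to a terminal. It reports where the file contains ENQ (the answerback trigger Wollman names), ESC, the 8-bit CSI, or any other control byte, so the file can be sent to `cat -v` or a pager instead; the byte values are standard ASCII/ECMA-48 and the sample inputs in the test are constructed.

```python
"""Check whether a file is safe to display raw on a terminal.

Added example for this thread, not any poster's code. It flags the bytes the
discussion turns on: ENQ (0x05, xterm's answerback trigger), ESC (0x1B, which
introduces VT escape sequences), 8-bit CSI (0x9B) and other C0/C1 controls.
"""
import sys

SAFE_CONTROLS = {0x09, 0x0A, 0x0D}   # TAB, LF, CR: normal in text files
NOTABLE = {                          # control bytes named in the thread
    0x05: "ENQ (xterm answerback trigger)",
    0x1B: "ESC (escape sequence introducer)",
    0x9B: "CSI (8-bit control sequence introducer)",
}

def scan_for_terminal_controls(data: bytes):
    """Return (offset, value, description) for every control byte found.
    Valid UTF-8 is scanned by code point so multibyte text is not mistaken
    for C1 controls; anything else is scanned byte by byte (Latin-1 view).
    """
    try:
        units = [ord(c) for c in data.decode("utf-8")]
    except UnicodeDecodeError:
        units = list(data)
    findings = []
    for offset, v in enumerate(units):
        if v in SAFE_CONTROLS or 0x20 <= v <= 0x7E or v >= 0xA0:
            continue                 # printable or ordinary text
        if v in NOTABLE:
            desc = NOTABLE[v]
        elif v < 0x20:
            desc = "C0 control"
        elif v == 0x7F:
            desc = "DEL"
        else:
            desc = "C1 control"
        findings.append((offset, v, desc))
    return findings

def is_safe_to_cat(data: bytes) -> bool:
    """True only if raw display cannot reach the terminal's control logic."""
    return not scan_for_terminal_controls(data)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        content = f.read()
    for off, v, desc in scan_for_terminal_controls(content):
        print(f"offset {off}: 0x{v:02x} {desc}")   # hex only, never raw bytes
    sys.exit(0 if is_safe_to_cat(content) else 1)
```

Exit status 1 means the file should go through a pager or `cat -v`, not plain `cat`, and never from a root shell.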