From owner-freebsd-security Fri Sep 11 15:18:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA19059 for freebsd-security-outgoing; Fri, 11 Sep 1998 15:18:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA19054 for ; Fri, 11 Sep 1998 15:18:11 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id SAA09838; Fri, 11 Sep 1998 18:17:30 -0400 (EDT)
Date: Fri, 11 Sep 1998 18:17:30 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Steve Reid
cc: "Jordan K. Hubbard" , security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Steve Reid wrote:

> On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:
> > Again, what I actually said was "don't blindly cat it to your screen"
> > which is a perfectly valid point. If you want something which
> > protects you, use more or less as many others have suggested.
>
> Are ftp, telnet, rlogin, rsh, and ssh safe? What about pine, elm, mutt,
> mh, biff, etc?
>
> Does every program that displays data from an untrusted system have the
> necessary protections against terminal bombs?

Yes. And I think you'll find that most of these programs already do
provide this service. Certainly tools like 'biff' have long since been
fixed against this.

Consider this to be a denial of service attack -- that is, there is a
desire to have terminal-based services, and there is a desire to prevent
them from being abused. Some services have long since been removed (like
the ability to configure key bindings). Others have immediate uses --
mouse support, changing the title of your xterm, the ability to discover
terminal type without asking the user every time they log in or start a
terminal. Life without terminal interaction between the terminal and the
interactive terminal program isn't all that much fun. I like that
programs can retrieve the size of the current xterm, or take advantage
of mouse buttons.

However, to address these issues, it sounds like someone should submit a
patch to the X consortium and to XFree86 adding a new xterm option to
disable this. I use more, and rely on my set of applications to provide
filtering, so I am not a prime candidate here. Keep in mind also that
this option should not be the default, as it breaks existing
functionality that is not, by itself, insecure.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
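The thread above argues that the safe place to neutralise "terminal bombs" is in the program that displays untrusted data (the filtering that `more` and a fixed `biff` do), not in every terminal. The following is an added example of that kind of display-side filter, written for this page; it is not code from the thread, from FreeBSD or from any of the tools named. It assumes an xterm-style terminal: it drops ESC-introduced sequences (CSI such as cursor moves and screen clears, and OSC/DCS strings such as the window-title change the post mentions, terminated by BEL or ESC \), shows remaining control bytes in `cat -v` caret notation so they are visible rather than interpreted, and escapes non-ASCII bytes as hex. The sample input is constructed for the example.

```python
# Display-side filter for untrusted terminal output (illustrative; assumes an
# xterm-style terminal). Everything that could be interpreted by the terminal
# is either removed (escape sequences) or made visible (control bytes).

# Constructed sample: a plain line, an OSC window-title change, a CSI
# clear-screen plus cursor-home, and two raw control bytes.
SAMPLE = (
    b"hello\n"
    b"\x1b]0;pwned title\x07"      # OSC 0 ... BEL: set window title
    b"\x1b[2J\x1b[Hwiped\n"        # CSI 2J (clear screen), CSI H (home)
    b"\x07bell\x08backspace\n"     # BEL and BS as bare control bytes
)

ESC, BEL = 0x1B, 0x07
STRING_INTRODUCERS = {ord("]"), ord("P"), ord("^"), ord("_")}  # OSC, DCS, PM, APC


def _skip_escape(data: bytes, i: int) -> int:
    """data[i] is ESC; return the index just past the whole sequence."""
    n = len(data)
    i += 1
    if i >= n:
        return i
    c = data[i]
    if c == ord("["):
        # CSI: parameter/intermediate bytes, then one final byte in 0x40..0x7E.
        i += 1
        while i < n and not (0x40 <= data[i] <= 0x7E):
            i += 1
        return i + 1
    if c in STRING_INTRODUCERS:
        # String sequence: runs until BEL or ST (ESC \).
        i += 1
        while i < n:
            if data[i] == BEL:
                return i + 1
            if data[i] == ESC and i + 1 < n and data[i + 1] == ord("\\"):
                return i + 2
            i += 1
        return i
    if 0x20 <= c <= 0x2F:
        # nF sequence (e.g. charset designation ESC ( B): intermediates then
        # one final byte in 0x30..0x7E.
        i += 1
        while i < n and 0x20 <= data[i] <= 0x2F:
            i += 1
        return i + 1
    # Two-character escape (ESC c, ESC 7, ESC M, ...): skip the one byte.
    return i + 1


def sanitize(data: bytes) -> str:
    """Return data as text that is safe to write to an interactive terminal."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b == ESC:
            i = _skip_escape(data, i)        # drop the sequence entirely
            continue
        if b in (0x09, 0x0A) or 0x20 <= b <= 0x7E:
            out.append(chr(b))               # tab, newline, printable ASCII
        elif b < 0x20 or b == 0x7F:
            out.append("^" + chr(b ^ 0x40))  # caret notation, as cat -v prints
        else:
            out.append("\\x%02x" % b)        # non-ASCII byte shown as hex
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(sanitize(SAMPLE), end="")  # prints: hello / wiped / ^Gbell^Hbackspace
```

The filter is deliberately a whitelist: anything not explicitly allowed through is removed or rendered visible, which is the property a pager or mail reader needs when the bytes came from another system. A tool that wants to keep benign features such as reporting the window size would add those specific sequences to the allowed set rather than start from "pass everything".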