Message-ID: <Pine.LNX.4.64.1203090751260.22058@star.inp.nsk.su>
Date: Fri, 9 Mar 2012 07:57:47 +0700 (NOVT)
From: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@....nsk.su>
To: Mark Krenz <mark@...o.com>
cc: bugtraq@...urityfocus.com
Subject: Re: gnome-terminal, xfce4-terminal, terminator and others write
 scrollback buffer to disk

On Tue, 6 Mar 2012, Mark Krenz wrote:

> Testing and reproducing the issue:
> -----------------------------------------------------------------------
>  On Linux, if you want to see this behavior, you can do the following:
>
>   1. Open one of the affected terminal emulators.
>   2. Make sure its scrollback buffer is set to something like 500 or
>      more so that it saves some of the scrollback.
>   3. In the terminal, run:
>           ls -l /proc/$PPID/fd | grep deleted
>      If enough data has entered the scrollback buffer, you should start
>      to see unlinked (deleted) files called /tmp/vte.*
>
>  To see the data that has been logged to /tmp, you use a command like
>  strings to view the contents of your /tmp partition.  If you have a
>  separate /tmp partition and it's located on /dev/sda2, this could be done
>  like this:
>
>       strings /dev/sda2 | less

 	While the affected terminal is still running, it is much easier to 
directly read /proc/PID/fd/NNN files.

 	So, I suspect it can even be possible to see a "live mirror" of a 
running terminal session (yes, that is possible anyway via ptrace() or 
/proc/FD/mem, but reading well-known-formatted files is much-much-much 
easier).

 	_________________________________________
 	  Dmitry Yu. Bolkhovityanov
 	  The Budker Institute of Nuclear Physics
 	  Novosibirsk, Russia
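
A read-only audit built on the `ls -l /proc/$PPID/fd | grep deleted` check quoted above, as an added example that is not part of the original thread: it lists every process visible to the caller that still holds an unlinked /tmp/vte.* scrollback file, together with the file's current size, without reading its contents. The function name and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): find processes that keep an unlinked
# VTE scrollback file open. list_vte_scrollback is a hypothetical helper name.
#
# Usage:  list_vte_scrollback [PROC_ROOT]     (PROC_ROOT defaults to /proc)
# Output: one line per hit, "PID FD BYTES TARGET"; BYTES is "?" when the
#         file behind the descriptor cannot be stat'ed.
list_vte_scrollback() {
    root=${1:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        # Skip an unmatched glob, fds that closed meanwhile, and fd
        # directories of other users that we are not allowed to read.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            # The kernel appends " (deleted)" to the link target once the
            # file has been unlinked; the thread names the files /tmp/vte.*
            /tmp/vte.*" (deleted)") ;;
            *) continue ;;
        esac
        pid=${fd#"$root"/}      # "1234/fd/5"
        pid=${pid%%/*}          # "1234"
        fdnum=${fd##*/}         # "5"
        # stat -L follows the /proc link to the still-open inode, so the
        # size is available even though the path itself is gone (GNU stat).
        bytes=$(stat -L -c %s "$fd" 2>/dev/null) || bytes='?'
        printf '%s %s %s %s\n' "$pid" "$fdnum" "$bytes" "$target"
    done
}

# Scan the live system when run directly.
list_vte_scrollback "$@"
```

Run as an ordinary user it reports only that user's own terminals; run as root it covers every session on the host.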
