Message-ID: <20150903184220.GB99086@kcwu.csie.org>
Date: Fri, 4 Sep 2015 02:42:20 +0800
From: Kuang-che Wu <kcwu@...e.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: screen stack overflow (deep
 recursion)

On Thu, Sep 03, 2015 at 02:16:34PM +0300, Solar Designer wrote:
> On Thu, Sep 03, 2015 at 09:36:29AM +0300, Solar Designer wrote:
> > On Thu, Sep 03, 2015 at 05:25:11AM +0000, Fiedler Roman wrote:
> > > What about "tail -f /var/log/syslog", Apache or other kind of logs for
> > > debugging? [Yes, that's often how logs are running over the screen in videos
> > > when talking about IT-security]. It's convenient and I'm using screen
> > > exactly to avoid any injection of commands via TIOCSTI into my current TTY
> > > when a context switch is needed before starting tail, e.g. when working with
> > > LXC containers.
> > 
> > "tail -f" on a log file is indeed very common, but it is bad practice
> > (akin to other very common bad practices like a sysadmin going into a
> > user's homedir as root).  A safer alternative in terms of terminal
> > escapes is the "F" keypress in "less -nU" (or in "less -nUEX" to more
> > closely resemble "tail -f").  Unfortunately, I am not aware of a
> > command-line option that would do this (that is, assume that "F" was
> > pressed right away) - perhaps one should be added, if it's not already
> > in there.
> 
> Dmitry V. Levin pointed out to me off-list that less already provides a
> way to specify its normally interactive commands on the command line.
> The man page says:
> 
>        +cmd   Causes the specified cmd to be executed each time a new file  is
>               examined.  For example, +G causes less to initially display each
>               file starting at the end rather than the beginning.
> 
> and indeed e.g. "less -nUEX +F" works as desired.
> 

Reading logs is just one example of terminal control sequence
exposure. It's difficult to remember to do everything with | less.
Untrusted text output is hidden everywhere unexpectedly.

1. If for some reason you need to run untrusted code: no matter what kind
of container, sandbox, VM, or even dedicated physical machine you use, you
probably still use a terminal to interact with it.

2. Even with trusted code, I have verified that the following programs
output terminal control codes as-is, unescaped (on Ubuntu).

a. If you need to deal with untrusted data using trusted programs.
- use gcc to compile untrusted code, it will show lines for warnings
- git log, git diff on untrusted code. If the output is short, git won't
  invoke pager.
- use zipnote(1) to read comments in zip file.

b. If there is an untrusted user on your machine, he may
create files with malicious names.
$ touch $(echo -e '\e[1;33mhello\e[m\e[10000000T')
- du(1) and locate(1) would output that name as-is.
- If you, as root, want to check other users' crontabs,
  "crontab -l -u user" would not escape control codes, either.
- If the user can use lp(1) to send print job to printer,
$ echo test | lp -t '^[[1;33mhello^[[m^[[10000000T' -H hold
-t to set job name, and hold the print job.
An administrator may use lpq(1) to list print jobs.

c. I haven't tried, but I guess ping, dig, nslookup, whois, ftp, etc.
may not escape output.

BTW, here is a summary of what I found when fuzzing terminal emulators.
- libteken: assertion failure, which leads to a FreeBSD kernel panic. [1][2][3]
- mosh: assertion failure [4], leading to mosh-server DoS.
- tmux: double free, or invalid argument to free/malloc/realloc [5]
  I guess there is no RCE with glibc's malloc heap protection, not sure.
- screen: stack overflow [6], and many others
- rxvt-unicode: out-of-bounds read [7], and many others


[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202326
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202540
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202612
[4] https://github.com/mobile-shell/mosh/issues/667
[5] https://github.com/tmux/tmux/commit/3219e0314e3d1d39a57db330faa5693ce0264244
[6] https://savannah.gnu.org/bugs/?45713
[7] http://lists.schmorp.de/pipermail/rxvt-unicode/2015q3/002155.html

Content of type "application/pgp-signature" skipped
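
Added example, not part of the original message: a small Python filter that makes terminal control characters visible and inert before untrusted program output reaches the terminal, covering cases where piping through less is not practical. The function name `neutralize`, the rendering notation, and the sample input (built from the filename used in the message) are assumptions of this example.

```python
import sys

# Only these controls pass through; everything else (ESC, CR, BS, ...) is rendered.
SAFE_CONTROLS = {"\n", "\t"}

# Constructed sample: the bytes of the malicious filename shown in the message.
SAMPLE = b"\x1b[1;33mhello\x1b[m\x1b[10000000T"


def neutralize(data: bytes) -> str:
    """Return text in which every terminal control character is shown, not sent."""
    # Invalid UTF-8 bytes decode to lone surrogates U+DC80..U+DCFF, so a raw
    # 0x9b byte (8-bit CSI on some terminals) is caught rather than dropped.
    text = data.decode("utf-8", errors="surrogateescape")
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in SAFE_CONTROLS:
            out.append(ch)
        elif cp < 0x20:
            out.append("^" + chr(cp + 0x40))      # C0 controls: ESC becomes ^[
        elif cp == 0x7F:
            out.append("^?")                      # DEL
        elif 0x80 <= cp <= 0x9F:
            out.append(f"<U+{cp:04X}>")           # C1 controls encoded as UTF-8
        elif 0xDC80 <= cp <= 0xDCFF:
            out.append(f"\\x{cp - 0xDC00:02x}")   # undecodable raw byte
        else:
            out.append(ch)
    return "".join(out)


def main() -> None:
    # Filter stdin to stdout line by line so it also works on streaming output.
    for line in sys.stdin.buffer:
        sys.stdout.buffer.write(neutralize(line).encode("utf-8"))
        sys.stdout.buffer.flush()


if __name__ == "__main__":
    main()
```

Saved under a hypothetical name such as safeterm.py, it is used as a pipe stage, e.g. `du 2>&1 | python3 safeterm.py`; the sample above comes out as `^[[1;33mhello^[[m^[[10000000T`.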
