Message-ID: <7039466aa03ec8a90e1ce3a2ae983421.a13627b7@limousine.hussar>
Date: Fri, 20 Oct 2023 01:44:10 +0300
From: Turistu <turistu@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you anytime

On Thu, Oct 19, 2023 at 04:53:55PM +0000, Jeremy Stanley wrote:
> On 2023-10-19 17:04:10 +0100 (+0100), Sam Bull wrote:
> [...]
> > Also a problem with shell security. If you paste something with

That's not a problem with "shell security". Paste is just a form of
**trusted user input** (just like keyboard input). The bracketed-paste
and other features are for convenience; they're not supposed to
help against a rogue X11 app (which could just as well simulate keyboard
input with the XTest X11 extension instead of complicating itself
with setting up selections that the user has to paste).

> > line breaks into bash, it executes them. If you paste the same
> > into fish, it doesn't (it'll display the multi-line input and
> > expect you to hit the enter key to execute it as a command).
> 
> That observation may be outdated. At least my bash 5.2.15 on Debian
> does not execute pasted newlines; it treats them as a multi-line
> command and waits for an actual enter keypress

Indeed, as already described in my report. Bracketed-paste is the default
in bash on all recent systems.

> (tested inside a few
> different terminal emulators including vanilla xterm, so pretty sure
> it's not being mitigated at that layer).

It pretty much **is** mitigated at that layer. If xterm itself weren't
filtering out the ESC (ascii 0x1b) character in the pasted data, then
the bracketed-paste feature of bash or zsh could've been easily bypassed
by inserting a "\x1b[201~" escape (= end of pasted data) in the payload.
(As already mentioned in the report too).

Anyways, the examples were meant just as ... examples, for
illustration. I've just chosen them because they were the simplest
and cutest.

But there are a thousand more ways for an attacker to leverage that hole
in Firefox. Many programs (including Firefox itself!) could be easily
crashed by garbage data from the clipboard. Attacker-controlled data
could find its way into shell scripts via `var=$(xsel)`, etc.
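The two layers described above (the terminal emulator filtering ESC out of pasted data, and readline's bracketed-paste handling on top of it), as an added Python model that is not part of this thread and not xterm's or bash's code. The filter policy and the clipboard sample are constructed assumptions for the demonstration:

```python
# Added example (not from the oss-security thread): a small model of the two
# layers discussed above.
#
# Layer 1: the terminal emulator's paste filter (the role xterm plays).
# Layer 2: a readline-style consumer that only treats bytes between the
#          bracketed-paste markers as "pasted" and everything else as typed.
PASTE_START = b"\x1b[200~"
PASTE_END = b"\x1b[201~"

def terminal_filter_paste(data: bytes) -> bytes:
    """Model of a terminal emulator's paste sanitisation: drop every C0
    control byte except TAB, LF and CR. Dropping ESC (0x1b) is what keeps an
    embedded end-of-paste marker from ever reaching the shell. (Assumption:
    a conservative policy, not a copy of xterm's actual logic.)"""
    keep = {0x09, 0x0A, 0x0D}
    return bytes(b for b in data if b >= 0x20 or b in keep)

def terminal_send_paste(data: bytes, filtered: bool = True) -> bytes:
    """What the terminal writes to the pty for one paste with bracketed-paste
    mode enabled. filtered=False models an emulator that forwards raw bytes."""
    body = terminal_filter_paste(data) if filtered else data
    return PASTE_START + body + PASTE_END

def readline_consume(stream: bytes) -> list[tuple[str, bytes]]:
    """Readline-style consumer: split the byte stream into ('typed', ...) and
    ('pasted', ...) segments. Only 'typed' bytes are interpreted (a LF there
    runs the command); a LF inside 'pasted' is inserted literally."""
    segments, pos = [], 0
    while pos < len(stream):
        if stream.startswith(PASTE_START, pos):
            end = stream.find(PASTE_END, pos)
            if end < 0:
                end = len(stream)  # unterminated paste: swallow the rest
            segments.append(("pasted", stream[pos + len(PASTE_START):end]))
            pos = end + len(PASTE_END)
        else:
            nxt = stream.find(PASTE_START, pos)
            nxt = len(stream) if nxt < 0 else nxt
            segments.append(("typed", stream[pos:nxt]))
            pos = nxt
    return segments

def bytes_executed_as_typed(clipboard: bytes, filtered: bool) -> bytes:
    """Bytes from one paste that the consumer would treat as typed input.
    With the terminal filter in place this is always empty."""
    segs = readline_consume(terminal_send_paste(clipboard, filtered))
    return b"".join(data for kind, data in segs if kind == "typed")
```

Running `bytes_executed_as_typed` on a constructed clipboard that contains the end marker shows the difference: without the ESC filter the bytes after the marker land in a "typed" segment, with it the whole paste stays inside one "pasted" segment.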
