Discussion:
[oss-security] terminal emulators' processing of escape sequences
Jason A. Donenfeld
2017-05-16 22:15:55 UTC
Permalink
Jason, Robert -
$ echo -ne "\eGQ;"
;$ 0
bash: 0: command not found
Does this also affect rxvt-unicode?
It does, actually. I've CCd rxvt-unicode upstream on this in order to
hear their assessment.

Regards,
Jason
Marc Lehmann
2017-05-17 01:23:14 UTC
Permalink
Post by Jason A. Donenfeld
Jason, Robert -
$ echo -ne "\eGQ;"
;$ 0
bash: 0: command not found
Does this also affect rxvt-unicode?
It does, actually. I've CCd rxvt-unicode upstream on this in order to
hear their assessment.
There can't be an assessment without knowledge of what to assess - there
is little to no information in your mail. I can only guess that somebody
for the hundredth time found out that terminals are more than dumb
display devices and got excited that, somehow, this might be a security
issue. Without knowing details, I can't say for sure, but most likely,
this is a security issue the same way blindly feeding unknown commands to
your shell is, i.e., it's a problem somewhere else - the protocol between
terminals and programs is not a (strong) security barrier.

(your echo command is bash-specific, btw.)
--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / ***@schmorp.de
-=====/_/_//_/\_,_/ /_/\_\
Robert Święcki
2017-05-17 10:51:57 UTC
Permalink
Hi,
Post by Marc Lehmann
Post by Jason A. Donenfeld
$ echo -ne "\eGQ;"
;$ 0
bash: 0: command not found
Does this also affect rxvt-unicode?
It does, actually. I've CCd rxvt-unicode upstream on this in order to
hear their assessment.
There can't be an assessment without knowledge of what to assess - there
is little to no information in your mail. I can only guess that somebody
for the hundredth time found out that terminals are more than dumb
display devices and got excited that, somehow, this might be a security
issue. Without knowing details, I can't say for sure, but most likely,
this is a security issue the same way blindly feeding unknown commands to
your shell is,
Given that arbitrary data can be pushed to terminal emulators via
seemingly harmless commands (like ping, whois) that people rather
trust to be robust enough to intetract with arbitrary whois or DNS
servers, this might be some problem.

Please consider the following example:

$ tail -n1 /etc/hosts | xxd
00000000: 3132 372e 302e 302e 3309 1b47 513b 205a 127.0.0.3..GQ; Z
00000010: 5a5a 0a ZZ.
$ ping ZZZ
PING ; (127.0.0.3) 56(84) bytes of data.
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=1 ttl=64 time=0.039 ms
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=2 ttl=64 time=0.032 ms
^[G0
^C
--- ; ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.032/0.035/0.039/0.006 ms
^[G0
$ 0
bash: 0: command not found

I'm not sure if this works with real reverse DNS look-ups, but with
/etc/hosts it seems so.
Post by Marc Lehmann
i.e., it's a problem somewhere else - the protocol between
terminals and programs is not a (strong) security barrier.
(your echo command is bash-specific, btw.)
--
Robert Święcki
Fiedler Roman
2017-05-17 14:28:57 UTC
Permalink
Post by Marc Lehmann
Hi,
Post by Marc Lehmann
Post by Jason A. Donenfeld
A harmless example from rxvt - pushing back the new-line
$ echo -ne "\eGQ;"
;$ 0
bash: 0: command not found
Does this also affect rxvt-unicode?
It does, actually. I've CCd rxvt-unicode upstream on this in order to
hear their assessment.
There can't be an assessment without knowledge of what to assess -
there
Post by Marc Lehmann
is little to no information in your mail. I can only guess that
somebody
Post by Marc Lehmann
for the hundredth time found out that terminals are more than dumb
display devices and got excited that, somehow, this might be a
security
Post by Marc Lehmann
issue. Without knowing details, I can't say for sure, but most likely,
this is a security issue the same way blindly feeding unknown commands
to
Post by Marc Lehmann
your shell is,
Given that arbitrary data can be pushed to terminal emulators via
seemingly harmless commands (like ping, whois) that people rather
trust to be robust enough to intetract with arbitrary whois or DNS
servers, this might be some problem.
$ tail -n1 /etc/hosts | xxd
00000000: 3132 372e 302e 302e 3309 1b47 513b 205a 127.0.0.3..GQ; Z
00000010: 5a5a 0a ZZ.
$ ping ZZZ
PING ; (127.0.0.3) 56(84) bytes of data.
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=1 ttl=64 time=0.039 ms
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=2 ttl=64 time=0.032 ms
^[G0
^C
--- ; ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.032/0.035/0.039/0.006 ms
^[G0
$ 0
bash: 0: command not found
I'm not sure if this works with real reverse DNS look-ups, but with
/etc/hosts it seems so.
It might, same as many other programs might produce quite unexpected results. For example take "apt-get update": DNS and HTTP transfer is not trusted, so arbitrary terminal commands can executed in the terminal. (If you do not have a MitM-framework at hand, just try the update using a standard Apache server with this rewrite rule and see the title of your terminal change: "RewriteRule ^/.* http://somehostename/xx\%41\%1b\%5d\%3btest\%07xxx [NE,B,R,L]" - another good reason to run your own mirrors on a network you can try to prevent MitM, perhaps over SSL.)

In my opinion, the user of the terminal might somehow also be at fault in those examples. Anyone performing an action should have an estimation, what probability of negative outcome of an action is acceptable. The probability is affected by two things: probability the user does not behave well (mistypes, forgets something, did not read all the manuals thus misusing the tools) or the software misbehaves (according to manual, it should do something else but it does not).

So if I do not really care about quality of my work, I do not fully read the manuals, I do not care about tool qualification and risk assessment, ..., so probability for such an unexpected software feature or bug (is it a bug? therefore the manual needs to state the correct behavior and I did not completely read it) should not be higher or near than my probability of failing. The probability of failing of course includes also the probability of presence of a malicious actor and his ability to raise the probability of failure due to attack surface of tools.

When trying to do things to be safe and secure, then you will care about your own quality of work (SOPs, automation, 4 eyes, ..) but also care about the risk of software failure and try to reduce it. On the terminal topic:

* Where relevant (remote maintenance, working with user supplied data, forensics of compromised equipment, ...) most likely everything is done within system virtualization with something sanitizing away unexpected data. Something like "screen sh -c 'exec bash | strings'" might come in handy or viewing files only with xxd (how likely is a 18kb binary linked to libc only to fail?). I guess it should be common sense, not to trust a some terminal being 10x the size and additionally linking 5 large libraries when it comes to work on something really valuable.

* As you are slowed down by those measures (controlsequences for highlighting, colors, try reading "man ls" that way), enabling some control sequences might also improve your quality of work. So you need to "trust" some program to do that for you, and probably you will trust some more than others. E.g. "screen" purpose is mostly screen multiplexing with control sequence sanitation, while in GUI-terminals it is only half of the program requirements.


Just for testing to see how hard it is to use all software correctly for the paranoid/malicious use case, use xterm to see the different outcomes of data sanitation measures. Try to avoid the crash from python -c 'print "\x1b]4;4;"+"A"*(1<<20)+"\x07"' . Your measures will themselves get quite annoying when working over SSH connections as local control stripping does not work nicely with remote connections and interactive terminals. With "ssh -T" you can at least read output of "ls" quite normal. It is really a pity, that SSH client does not provide control character stripping. As such a program with "secure" in the name, expectation is that there exists an appropriate development process for security and hence the program is more likely to do it right than all the various terms out there.

Conclusio: terminal escape sequence processing is way too complex, to accept it on important systems, so just do not do it. You would not read mail or open a text document on your administration machine also.


LG Roman

PS: To find out, which terminal is less dumb than others, I used the following bziped program to see if terminal crashes, writes data to stdin or otherwise misbehaves to get an estimation of the probability of software failure.

QlpoOTFBWSZTWckOfMMAAEffgFQQae/wmr////4////0MAFbTQhqSaGjRk0DEDIAMRoyGRpk0BoB
6g1T1Tymamg0DRkNADIaBkAAA0ABJIKep6hpiFP1NpGpo9JoAxBo9TQDyTZT01PUVREfq9tosGe5
mTHx8EIXYPwLbeEk4QTnmRsQ/M9KcEjg4QIkMblRAgd0HBcEwSggUTBiDBLa1jVpewypU2WEKGTQ
KSviMlg0h6tjMXFICMCGjMlbfwZ5ynd5QID98S3xjlcYgTdou4WZsbirIXAv4XjxhrOHlpyKEy5j
WGWs+hvTcINTjuvZtexP7t8HCGLkW2GMcZgQE101MADuR1GvVLs956jtwpLcbK6tkuxu2SPosUkG
1aaaNdKKeBVTTTYrw/HiS86K6tzFakd7O3gMrIre8dB+YAy/1RSuKgCqc8uXcUMMxpUcBZHxEMHh
ZBdfa7PiRqSmjlYM/7mLSxj3lUmZvzO21Ec9eUrZ4yThkxH/ObMRInOPPFUqxK6kiBf4u5IpwoSG
SHPmGA==
Daniel Kahn Gillmor
2017-05-17 13:56:27 UTC
Permalink
Post by Robert Święcki
$ tail -n1 /etc/hosts | xxd
00000000: 3132 372e 302e 302e 3309 1b47 513b 205a 127.0.0.3..GQ; Z
00000010: 5a5a 0a ZZ.
$ ping ZZZ
PING ; (127.0.0.3) 56(84) bytes of data.
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=1 ttl=64 time=0.039 ms
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=2 ttl=64 time=0.032 ms
^[G0
^C
--- ; ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.032/0.035/0.039/0.006 ms
^[G0
$ 0
bash: 0: command not found
what version of ping are you using? I was unable to replicate this with
either the debian iputils-ping package version 3:20161105-1, or with
debian inetutils-ping package version 2:1.9.4-2+b1. neither of them seem to
do a getnameinfo() at all if it is initially supplied with an IP
address.

That said, with the same last line of /etc/hosts, getent is willing
to pass along the garbage chars:

0 ***@host:~$ getent hosts 127.0.0.3
127.0.0.3 ; ZZZ
^[G0
0 ***@host:~$ 0
bash: 0: command not found
127 ***@host:~$

--dkg
Robert Święcki
2017-05-18 00:03:04 UTC
Permalink
Hi Daniel,
Post by Daniel Kahn Gillmor
Post by Robert Święcki
$ tail -n1 /etc/hosts | xxd
00000000: 3132 372e 302e 302e 3309 1b47 513b 205a 127.0.0.3..GQ; Z
00000010: 5a5a 0a ZZ.
$ ping ZZZ
PING ; (127.0.0.3) 56(84) bytes of data.
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=1 ttl=64 time=0.039 ms
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=2 ttl=64 time=0.032 ms
^[G0
^C
--- ; ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.032/0.035/0.039/0.006 ms
^[G0
$ 0
bash: 0: command not found
what version of ping are you using? I was unable to replicate this with
either the debian iputils-ping package version 3:20161105-1, or with
debian inetutils-ping package version 2:1.9.4-2+b1. neither of them seem to
do a getnameinfo() at all if it is initially supplied with an IP
address.
Works for me with the following:

Ubuntu 17.04's iputils-ping 3:20161105-1ubuntu2
Fedora 25's iputils-20161105-1.fc25.x86_64
Post by Daniel Kahn Gillmor
That said, with the same last line of /etc/hosts, getent is willing
127.0.0.3 ; ZZZ
^[G0
bash: 0: command not found
--
Robert Święcki
Robert Święcki
2017-05-18 00:05:24 UTC
Permalink
Hi again,
Post by Robert Święcki
Post by Daniel Kahn Gillmor
Post by Robert Święcki
$ tail -n1 /etc/hosts | xxd
00000000: 3132 372e 302e 302e 3309 1b47 513b 205a 127.0.0.3..GQ; Z
00000010: 5a5a 0a ZZ.
$ ping ZZZ
PING ; (127.0.0.3) 56(84) bytes of data.
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=1 ttl=64 time=0.039 ms
^[G0
64 bytes from ; (127.0.0.3): icmp_seq=2 ttl=64 time=0.032 ms
^[G0
^C
--- ; ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.032/0.035/0.039/0.006 ms
^[G0
$ 0
bash: 0: command not found
what version of ping are you using? I was unable to replicate this with
either the debian iputils-ping package version 3:20161105-1, or with
debian inetutils-ping package version 2:1.9.4-2+b1. neither of them seem to
do a getnameinfo() at all if it is initially supplied with an IP
address.
Ubuntu 17.04's iputils-ping 3:20161105-1ubuntu2
Fedora 25's iputils-20161105-1.fc25.x86_64
I believe you should try with

$ ping ZZZ

With

$ ping 127.0.0.3

it doesn't do reverse lookups at all (as you'd pointed out).
--
Robert Święcki
Daniel Kahn Gillmor
2017-05-18 02:36:14 UTC
Permalink
Post by Robert Święcki
I believe you should try with
$ ping ZZZ
With
$ ping 127.0.0.3
it doesn't do reverse lookups at all (as you'd pointed out).
ah, absolutely right. that does the trick. :(

"ping -c3 ZZZ" results in 6 attempted invocations of "0" after it
completes, when using iputils-ping 3:20161105-1

Regards,

--dkg

Solar Designer
2017-05-17 11:05:30 UTC
Permalink
Post by Marc Lehmann
Post by Jason A. Donenfeld
$ echo -ne "\eGQ;"
;$ 0
bash: 0: command not found
Does this also affect rxvt-unicode?
It does, actually. I've CCd rxvt-unicode upstream on this in order to
hear their assessment.
There can't be an assessment without knowledge of what to assess - there
is little to no information in your mail. I can only guess that somebody
for the hundredth time found out that terminals are more than dumb
display devices and got excited that, somehow, this might be a security
issue. Without knowing details, I can't say for sure, but most likely,
this is a security issue the same way blindly feeding unknown commands to
your shell is, i.e., it's a problem somewhere else - the protocol between
terminals and programs is not a (strong) security barrier.
(your echo command is bash-specific, btw.)
You're right that we provided "little to no information" - sorry. I'll
correct this now.

Jason's e-mail was in part prompted by my off-list message to him, where
I wrote about this issue (or non-issue depending on one's perspective):

---
I think it's pretty bad, because unlike many other terminals' automated
responses triggered by escapes, this one includes a linefeed. So an
attack tarball/directory/whatever would include e.g. a program called
"1" and a text file with that escape sequence. When someone cat's or
more's the file, the program would automatically be invoked _if_ they
have . in PATH. While we normally shouldn't have . in PATH, I think
some people might.

The risk probability is low, but this is nevertheless a valid security
issue to patch.
---

(The pasted text appears to vary between "0" and "1".)

I haven't just "found out that terminals are more than dumb display
devices" and I haven't "got excited". This is indeed well-known, and
has been discussed for decades. I fully agree that the security barrier
should be inside each program - if a program processes untrusted input,
it must not blindly send that to the terminal. Unfortunately, this
often fails in practice - many programs don't bother, many programs
don't do it right (e.g., it's common to let the 8-bit escapes through,
especially with some now mostly obsolete 8-bit locales), there are
subtle asynchronous multi-producer issues with UTF-8, and there are
clueless or/and risk-taking users/sysadmins who "cat", etc. untrusted
files to terminals. Sometimes the overhead of avoiding such risky
actions is prohibitive - e.g., sometimes one does need to issue a SQL
query for untrusted data from a SQL shell they already have started on
their terminal.

Thus, a sentiment expressed in past discussions in here is that terminal
emulators shouldn't have the riskiest escape sequences supported by
default. It is fully expected that malicious escape sequences can make
a terminal unusable, requiring reset. It is unexpected by many users
(as you correctly say, hundreds end up rediscovering this and bringing
it up as an issue) that with some terminal emulators malicious escape
sequences, through misfeatures (rather than implementation bugs, which
often also exist), can also paste text into their shell prompt (as
above), modify X clipboard contents (in xterm, luckily no longer in
typical distros' default config), etc. Those who are aware and expect
this may prefer to have this risky and unneeded functionality disabled
by default.

It's about defense-in-depth and about not having a loaded gun hanging on
the wall unnecessarily.

In the message that started this current thread, I included links to
some recent past threads covering some of the aspects mentioned above:

http://www.openwall.com/lists/oss-security/2017/05/01/13

Alexander
Marc Lehmann
2017-05-18 02:39:50 UTC
Permalink
Post by Solar Designer
You're right that we provided "little to no information" - sorry. I'll
correct this now.
Jason's e-mail was in part prompted by my off-list message to him, where
Thanks a lot, this makes a lot more sense. The confusing part was that the
patch sent by Jason in his mail had nothing to do with this issue.
Post by Solar Designer
I think it's pretty bad, because unlike many other terminals' automated
responses triggered by escapes, this one includes a linefeed.
I agree - rxvt-unicode shouldn't reply with a LF when in secure mode (this
is a policy). The sequence in question is also not used (or even usable,
as it queries the original rxvt graphics mode which is not implemented in
urxvt), so the next version will have it disabled, at least in secure mode
(the default).
Post by Solar Designer
The risk probability is low, but this is nevertheless a valid security
issue to patch.
I agree, it is a reasonable defense in depth mechanism where the benefit
clearly outweighs the disadvantages.
Post by Solar Designer
(The pasted text appears to vary between "0" and "1".)
urxvt always replies with "\033G0\012" to indicate "graphics mode not
supported". It's quite possible the the original rxvt replies with other
sequences.
Post by Solar Designer
Thus, a sentiment expressed in past discussions in here is that terminal
emulators shouldn't have the riskiest escape sequences supported by
default. It is fully expected that malicious escape sequences can make
Again, I fully agree - I just couldn't make the connection between the
patch sent and these "riskiest escape sequences".
--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / ***@schmorp.de
-=====/_/_//_/\_,_/ /_/\_\
Continue reading on narkive:
Search results for '[oss-security] terminal emulators' processing of escape sequences' (Questions and Answers)
8
replies
whats bether ps3 or xbox 360?
started 2008-01-18 18:29:54 UTC
video & online games
Loading...