[clug-talk] On the topic of security... how any program, even 'cat', can own your system RIGHT NOW!

Mark Carlson carlsonmark at gmail.com
Thu Jan 8 08:02:53 PST 2009


Last night at the meeting, someone asked me if 'cat' could be used to
run a program on a system.  We had a good laugh about it, but
apparently it's true... I was able to get 'cat' to run any program I
wanted on my system, and here's how.

I was checking my nightly emails this morning, and noticed a very alarming bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030

This is on my FreeBSD system, but the FreeBSD bug report just linked
to the Debian one which has all the juicy details!

The gist of it is, XTerm 222-letch2 (223 on FreeBSD) is broken, so if
XTerm displays a specific string, it will execute any command you
want!

For example: (From debian.org)
# perl -e 'print "\eP\$q\nbad-command\n\e\\"'
Executes bad-command... and it actually works!

Another simple example:
# perl -e 'print "\eP\$q\necho hello\n\e\\"' > /tmp/badfile
# cat /tmp/badfile
This puts the offending string into a file (imagine this was in a log
file you often view as root!)
Then, when cat is called on the file, the program "echo hello" is
executed and "hello" is printed to the screen!

-Mark C.
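
A defensive check for the situation described in the message above, as an added example that is not part of the original post: it scans a file's bytes for the DCS wrapper (ESC P ... ESC \) used in the Debian example before the file is shown in a terminal, and renders control bytes visibly the way `cat -v` does. The function names and the sample log lines are constructed for illustration.

```python
import re

# 7-bit DCS introducer (ESC P) up to the String Terminator (ESC \).
# An unterminated DCS is matched to end of input, because a terminal
# reading it would still be left inside the control string.
DCS_RE = re.compile(rb"\x1bP(.*?)(?:\x1b\\|\Z)", re.DOTALL)

def find_dcs(data: bytes):
    """Return (offset, payload, is_decrqss) for each DCS string in data.

    A payload starting with "$q" is a DECRQSS request, the form shown
    in the Debian report.
    """
    return [(m.start(), m.group(1), m.group(1).startswith(b"$q"))
            for m in DCS_RE.finditer(data)]

def render_safe(data: bytes) -> str:
    """Render bytes for display without emitting any raw control byte."""
    out = []
    for b in data:
        if b in (0x09, 0x0A) or 0x20 <= b < 0x7F:
            out.append(chr(b))              # tab, newline, printable ASCII
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))  # ESC becomes ^[
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append("\\x%02x" % b)       # 8-bit bytes shown as hex
    return "".join(out)

# Constructed sample: two ordinary log lines around the string from the post.
SAMPLE_LOG = (
    b"Jan  8 08:00:01 host sshd[1]: ok\n"
    b"\x1bP$q\necho hello\n\x1b\\"
    b"Jan  8 08:00:02 host cron[2]: ok\n"
)

if __name__ == "__main__":
    for offset, payload, decrqss in find_dcs(SAMPLE_LOG):
        kind = "DECRQSS ($q)" if decrqss else "other DCS"
        print(f"offset {offset}: {kind}, payload {payload!r}")
    print(render_safe(SAMPLE_LOG), end="")
```

Viewing untrusted files through `cat -v` or `less` (without `-r`/`-R`) has the same effect as `render_safe`: the escape byte never reaches the terminal's parser.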


