(vulnwatch -> vulndiscuss at the request of the moderator)

On Tuesday, 25 February 2003, at 08:07:08 (-0600), H D Moore wrote:

> Would stripping escape sequences from the window title work? Do you
> know of any applications that actually use this feature?

Well, my gut reaction was a patch which removed all characters less than 32 from the title and icon name when setting them, and when fetching them for display changed all such characters to blanks. That would effectively disable any carriage returns/linefeeds, escape codes, shift-in/shift-out, etc. (Incidentally, I was unable to embed any such sequences in the title/icon name in 0.9.2 anyway...but I didn't try for very long, so I may have missed something.)

While that would certainly disable the ability for the commands to be hidden from the user the way you mentioned (which actually tends to be ineffective on Eterm anyway, since most people don't use solid colored backgrounds...but I digress :) ), as your sample showed, it is still possible to throw a sequence of commands up onto the terminal, requiring only the press of an Enter key on the part of the user. And as UNIX (esp. Linux) gains mainstream acceptance, more novices will be using it. Since the UNIX command line is indistinguishable from line noise by the typical novice, it's not a far leap to think that one of them might pay attention to the "Press Enter" part (likely the only part which would make sense to them), not realizing the effect the command might have. Especially if it didn't produce any output.

So I guess it boils down to a question of, where does "social engineering" end and "user ignorance/stupidity" begin? I think some discussion on that topic would be beneficial, at least for developers like me who would always rather do a feature right than not do it at all.
And no, I'm not aware of any application which uses that feature, but with the recent batch of "shell prompt theming" applications (bashish, and the like), I wouldn't be at all surprised if there was one.

> Absolutely correct, this paper was written over a period of months,
> the 0.9.1 release was the latest version available with most
> distributions when I made that claim. The reasons for picking on
> Eterm:
>
> * arbitrary command execution at one point in its lifetime

Yup. Major brain fart there. It was always intended solely as an interim measure, but I failed to fully consider its implications.

> * arbitrary file creation with user-defined content (via clear screen)
> * shared feature-sets with xterm, rxvt, etc
> * great documentation for all of these features ;)

If only users were as thorough in their perusal of the documentation as you were.... :-)

> The vendor coordination was done through the vendor-sec mailing list
> with about a three-week head start prior to disclosure. There really
> weren't many true "bugs" found, just about everything covered was
> implemented deliberately and could be found in the documentation of
> the app. There had already been a number of debates on the
> exploitability of these features, so this paper was more of a FAQ
> than any sort of advisory. It wasn't my intention to catch anyone
> off-guard on this, just to bring these issues back into the
> limelight for a while and see if other people had a similar take on
> them.

Understood. As I mentioned, the only thing you mentioned that I didn't know of (and the only thing to which 0.9.2 is vulnerable) was the title setting issue, which I would just like to say was an absolutely *brilliant* piece of work. Never would I have thought to combine such a seemingly innocuous feature with a creative bit of social engineering to such a potentially devastating effect. Truly impressive, as was the report overall. Kudos. :)

Michael

--
Michael Jennings (a.k.a. KainX) http://www.kainx.org/ <mej@kainx.org>
n + 1, Inc., http://www.nplus1.net/
Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
"I don't care if you win or lose, just as long as you win." -- Vince Lombardi
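The two sanitization passes the mail sketches (drop bytes below 32 when a title or icon name is set, blank them out when the stored name is fetched for display), as an added example that is not Eterm's code; treating DEL (127) as a control byte is an assumption beyond what the mail states.

```c
#include <stdlib.h>
#include <string.h>

/* Assumption: DEL (127) is filtered alongside bytes below 32. */
static int is_control_byte(unsigned char c)
{
    return c < 32 || c == 127;
}

/* "Set" path: return a malloc'd copy of the requested title with every
 * control byte (CR, LF, ESC, SI/SO, ...) removed, so no terminal
 * sequence can be stored in the title or icon name. Caller frees. */
char *title_strip_controls(const char *in)
{
    size_t n = strlen(in), j = 0;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (!is_control_byte(c))
            out[j++] = in[i];
    }
    out[j] = '\0';
    return out;
}

/* "Fetch" path: return a malloc'd copy of a stored title with each
 * control byte replaced by a blank, so echoing the name back to the
 * terminal (e.g. a title report) cannot emit a sequence. Caller frees. */
char *title_blank_controls(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = is_control_byte(c) ? ' ' : in[i];
    }
    out[n] = '\0';
    return out;
}
```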