Sometimes when I cat a binary file by mistake, my terminal gets garbled up. Nothing a quick reset can’t fix, but couldn’t an attacker theoretically create a file that, when displayed on a terminal, would execute some arbitrary code? Through an exploit in the terminal emulator or otherwise.
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Whether such output can be exploited depends on the terminal program, and what that terminal does depending on escape codes that are being sent.
I am not aware of terminal programs having such exploitable features, and the only problem now would be if there is an unknown buffer overflow or something like that, that could be exploited.
With some older hardware terminals this could be a problem as you programmed e.g. function keys with these kind of escape sequences, by storing a command sequence for that key in the hardware. You would still need a physical key-press to activate that.
But there are always (as Hauke so righfully marked ‘braindead’) people willing to add such a feature if it solves a problem for them, not understanding the loophole they create. In my experience with open source software is that, because of the many eyes looking at the code, this is less likely to happen as with closed source. (I remember that in the mail program on Silicon Grahpics’ Irix, in the mid ninetees, you could include commands to be executed on the receivers machine, real paths to executables, ….)
Method 2
Most terminal emulators will send back some response, if they receive certain escape sequences (have a look at the xterm control sequences documentation). E.g., you can send e[0c to a VT100-like emulator and it will send back the device attributes,
something like e[?1;2c
(This is probably what Keith observed.) But these answers are not arbitrary strings. Still, having an executable named 2c somewhere on your system that does something fatal is a bad idea.
Update: The risks are in fact bigger than I thought, due to the possibility to set the title of an xterm window and to send back the title using appropriate escape sequences (http://www.securityfocus.com/bid/6940/). In contrast to the example above, the title can be an almost arbitrary string.
Method 3
This changes the terminal title in GNOME Terminal 3.6.1, unless overridden by something like PS1:
printf "33]2;Script Kiddie was here07"
Now open a new GNOME Terminal window to test the cat version:
printf "33]2;Script Kiddie was here07" > test.bin cat test.bin
Yep, this also sets the terminal title.
There used to be a security issue with an escape code resulting in the title being printed to the command line, so you could effectively create a file, which when cated would print (I’m not sure if you could put a newline in there) arbitrary commands. Ouch!
Method 4
While using cat might not result in code execution, escape codes will be processed so you could easily be misled into thinking the script is harmless when in fact it is malicious.
Here is an example command you can run which will create a “malicious” shell script:
echo -e '#!/bin/shnecho "...doing something bad here..."nexitn33[A33[Aecho "Hello dear reader, I am just a harmless script, safe to run me!"' > demo.sh chmod a+x demo.sh
When you inspect the file, it seems harmless enough:
$ cat demo.sh #!/bin/sh echo "Hello dear reader, I am just a harmless script, safe to run me!"
But should you actually run it…
$ ./demo.sh ...doing something bad here...
The script works by including raw escape codes to move the cursor up a couple of lines, so the rest of the script is written over the top of the malicious code, hiding it.
Nearly any other program will reveal the script for what it is. Only programs that don’t process the file content (like cat, more and less -r) will produce the misleading output.
Note that tail and head also produce the same misleading output. Using “less +F” is therefore safer than “tail -f”.
Method 5
I have definitely experienced xterm inserting arbitrary characters into itself as if I had typed them. And on occasion this has apparently included newline character, so that I got ngwerm:0riu: command not found as a response. I see no reason why someone could not craft a file that would send specific, harmful commands. So yes, at least some terminals are susceptible to attacks with arbitrary impact.
Method 6
Well, a terminal emulator basically simply prints out the characters sent to it.
Anything besides simply printing a character on the current position, like setting a new position, changing color, changing title, etc., is done by escape sequences.
The set of supported escape sequences usually consists of well defined standards like ANSI, which does not define a way to start other processes. Although it would be possible to implement such a sequence, I am not aware of any terminal emulator intentionally allowing such things.
In theory a bug like a buffer overflow might be used to trigger arbitrary functionality. But this would be possible in pretty much any other binary, too.
Method 7
In general there is usually no risk to catting an arbitrary file. My usual method for analyzing a file is to do the following:
$ file <mystery file> $ strings <mystery file> | less
The above allows me to determine a file’s type through the file command and the strings command allows me to dump any identifiable strings from would-be binary files that I”m not sure about their lineage.
example
file output
$ file /bin/ls /bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped
strings output
$ strings /bin/ls|less ... across vertical single-column force never auto if-tty slash %b %e %Y %b %e %H:%M long-iso main posix- sort_files ?pcdb-lswd dev_ino_pop Try `%s --help' for more information. Usage: %s [OPTION]... [FILE]... List information about the FILEs (the current directory by default). Sort entries alphabetically if none of -cftuvSUX nor --sort. Mandatory arguments to long options are mandatory for short options too. -a, --all do not ignore entries starting with . -A, --almost-all do not list implied . and .. ...
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0