Terminally Owned - 60 years of escaping
David Leadbeater, Open Source Engineer, G-Research, He/Him
Exploit | 45
It is 60 years since the first publication of the ASCII standard, something we
now very much take for granted. ASCII introduced the Escape character, something
we still use but maybe don't think about very much. The terminal is a tool all
of us use; it's a way to interact with nearly every modern operating system.
Underneath, it uses escape codes defined in standards, some of which date back
to the 1970s.
Like anything which deals with untrusted user input, it has an attack surface.
20 years ago HD Moore wrote a paper on terminal vulnerabilities, finding
multiple CVEs in the process. I decided it was time to revisit this class of
vulnerability.
In this talk I'll look at the history of terminals and then detail the issues I
found in half a dozen different terminals. Even Microsoft, which historically
hasn't had strong terminal support, didn't escape a CVE. To exploit these
vulnerabilities they often need to be combined with a vulnerability in
something else; I'll cover how to exploit them in multiple ways.
Overall, this research found multiple remote code execution vulnerabilities
across nearly all platforms and new, unique ways to deliver the exploits.
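As an added example (not code from the talk or its author), here is the defender-side check the abstract implies: a small parser for the control-sequence grammar described in the cited "XTerm Control Sequences" document, used to detect and neutralize sequences in untrusted text before it is written to a terminal. The regular expression and the sample log line are constructed for this example.

```python
import re

# Terminal control sequences an emulator would act on, following the ECMA-48 /
# xterm structure: string sequences (OSC, DCS, SOS, PM, APC) run until ST (ESC \)
# or BEL; CSI carries parameter and intermediate bytes before a final byte; other
# ESC sequences are short.  Longer alternatives come first so they win.  A missing
# terminator is treated as running to the end of the text, as most terminals do.
_CONTROL_SEQ = re.compile(
    r"\x1b\][^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"                  # OSC (title, OSC 8 link)
    r"|\x1b[PX^_][^\x1b\x9c]*(?:\x1b\\|\x9c)?"                      # DCS/SOS/PM/APC (e.g. sixel)
    r"|[\x90\x98\x9d\x9e\x9f][^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"  # 8-bit string forms
    r"|(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]?"         # CSI params/intermediates/final
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]?"                                # other ESC sequences (ESC c)
    r"|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"                           # remaining C0/C1 controls, DEL
)                                                                   # (TAB and LF are kept)


def find_control_sequences(text: str) -> list[str]:
    """Return every control sequence in text; a non-empty result means the text
    must not be written raw to a terminal (CWE-150)."""
    return _CONTROL_SEQ.findall(text)


def neutralize(text: str) -> str:
    """Rewrite control sequences so the terminal displays them as \\xNN text
    instead of executing them; printable characters inside them are kept so
    the reader can still see what was attempted."""
    def visible(match: re.Match) -> str:
        return "".join(
            f"\\x{ord(c):02x}" if ord(c) < 0x20 or 0x7f <= ord(c) <= 0x9f else c
            for c in match.group(0)
        )
    return _CONTROL_SEQ.sub(visible, text)


# Constructed sample log line: an attacker-controlled username carrying an OSC
# title change, a CSI colour change and a carriage return meant to overwrite
# what the operator sees.
SAMPLE = "login failed for user \x1b]0;pwned\x07\x1b[31mroot\x1b[0m\rok admin\n"

if __name__ == "__main__":
    print(find_control_sequences(SAMPLE))
    print(neutralize(SAMPLE), end="")
```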
David is a software engineer for G-Research; his day job is working on
Kubernetes and other cloud technologies. His security interests center around
networks and how to break them in surprising ways. He believes that we need to
understand more historical vulnerabilities in order to fix current issues, and
so spends his spare time researching codebases or technologies that no one else
thinks to look at. In addition, whenever something can be put in DNS, he will
put it there, creating such hits as "Wikipedia over DNS" and "Wordle over DNS".
He aims to find more CVEs than he creates and is currently succeeding.
@davidgl, Mastodon: @dgl@infosec.exchange
https://dgl.cx
REFERENCES:
Key citations:
- HD Moore, 2003, "Terminal Emulator Security Issues";
https://marc.info/?l=bugtraq&m=104612710031920&w=2
- Eviatar Gerzi, 2022, "Don't Trust This Title: Abusing Terminal
Emulators with ANSI Escape Characters";
https://www.cyberark.com/resources/t...ape-characters
- Phrack, 1994, Speaker's Corner, file 4 "Line Noise" - flash.c;
http://phrack.org/issues/46/4.html
- MITRE, CWE-150; https://cwe.mitre.org/data/definitions/150.html
- Paul Szabo, 2008, CVE-2008-2383;
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=510030
Other interesting sources:
- Nicholas Boucher and Ross Anderson, 2021, "Trojan Source: Invisible
Vulnerabilities"; https://trojansource.codes/
- Thomas Dickey, 2023, "XTerm Control Sequences";
https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
- Bob Bemer, "That Powerful ESCAPE Character";
https://web.archive.org/web/20010411...com/ESCAPE.HTM
- Lear Siegler, 1979, "ADM-3A Operator's Manual";
https://vt100.net/lsi/adm3a-om.pdf
- Digital Equipment Corporation, 1994, "VT520/VT525 Video Terminal
Programmer Information";
http://web.mit.edu/dosathena/doc/www/ek-vt520-rm.pdf
- Paul Flo Williams, "A parser for DEC's ANSI-compatible video
terminals", VT100.net; https://vt100.net/emu/dec_ansi_parser
- Konstantinos Foutzopoulos, 2021, "Sixel for terminal graphics";
https://konfou.xyz/posts/sixel-for-terminal-graphics/
- https://agimcami.files.wordpress.com...ivisto-com.pdf;
unknown origin, but good references
- Unicode Consortium, Mark Davis et al., 2014, Unicode Technical
Report #36; https://unicode.org/reports/tr36/
- Unicode Consortium, Robin Leroy et al., 2023, Draft Unicode
Technical Standard #55; https://www.unicode.org/reports/tr55/
My posts to oss-security so far:
- rxvt-unicode CVE-2022-4170;
https://www.openwall.com/lists/oss-s...y/2022/12/05/1
- xterm CVE-2022-45063; https://www.openwall.com/lists/oss-s...y/2022/11/10/1
- less CVE-2022-46663; https://www.openwall.com/lists/oss-s...y/2023/02/07/7
