[Info-vax] [OT] Software wears out, was: Re: VMS Software Inc. OpenVMS

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Sun Mar 29 22:28:53 EDT 2015


On 2015-03-23, Bob Koehler <koehler at eisner.nospam.decuserve.org> wrote:
> In article <mei35b$j0n$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>> On 2015-03-20, Bob Koehler <koehler at eisner.nospam.decuserve.org> wrote:
>>>
>>>    Can you write Hello World in such a way that it has vulnerabilities?
>>>
>> 
>> Yes:
>> 
>
>    IMHO, what you have written is above and beyond Hello World.
>
>    OK, I'll make my challenge clear:  an output-only application.  No
>    prompting.
>

I had not forgotten about this, but I wanted to leave it until I had
time to run a detailed series of tests, which happened to be this
weekend.

The general approach to trying to find an output-only vulnerability
is to output binary data or escape sequences which cause output to
be reflected as input. If the program shuts itself down before
accepting any input, then the reflected input, the contents of which
need to be under the program's control, will be processed by the shell
instead.

I'm pleased to report that current terminal emulators seem to have
seriously improved their game and I was unable to find any such exploits.

The basic approach I took was to stuff the command to be executed into
the window's title bar or icon and then issue escape sequences to cause
the current title bar/icon contents to be output by the terminal
emulator into the waiting shell.

I was partially successful with a really old xterm. The command itself
was entered into the shell's input buffer and I also discovered I could
encode a delete character into the title bar to delete the first
character (which was from the enclosing escape sequence) but I couldn't
get an input termination character (such as CR) into the title bar/icon
so return had to be pressed to execute the command.

Modern xterms don't process these window-operation escape sequences
by default so this doesn't work any more.

The pterm component of PuTTY locks down the response escape sequences
out of the box by sending back a null response so it doesn't work
there however.

gnome-terminal was a bit more interesting. In the version I tried,
I kept getting back a standard response of "Terminal" (IIRC) regardless
of what I tried to set the title bar/icon to. I don't know if there's
a gnome-terminal specific way to override this behaviour using escape
sequences.

The DECterm specific programming manual doesn't seem to be available
online so I was unable to see if there's a DECterm specific escape
sequence which causes the title bar/icon text to be output to a
waiting program/shell.

I can also confirm that the finger client I tried doesn't blindly
output escape characters in a user's .plan file but turns them into
printable characters instead so the rest of the escape sequence is
disabled.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
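The defensive behaviour the last paragraph credits to the finger client (turn each escape or control character into a printable one so the rest of the sequence is inert) as an added example; this is illustration code, not part of the original post or of any finger client, and the .plan text it processes is constructed.

```python
import re

# Control characters that untrusted text must not deliver to the terminal:
# C0 controls (TAB and LF are kept as harmless whitespace), DEL, and the C1
# range, which holds the 8-bit single-byte forms of ESC/CSI/OSC/ST that some
# terminals accept in place of the 7-bit ESC-prefixed forms.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def _caret(ch: str) -> str:
    """Render one control character in caret notation (ESC -> ^[, DEL -> ^?)."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    # C1 control: show it as the 7-bit ESC-prefixed equivalent, e.g. 0x9b -> ^[[
    return "^[" + chr(code - 0x40)


def neutralise(text: str) -> str:
    """Return text with every escape/control character made printable, so any
    terminal sequence it introduced is broken before the terminal parses it."""
    return _CONTROL.sub(lambda m: _caret(m.group(0)), text)


def carries_escape_sequence(text: str) -> bool:
    """Detection helper: True if text still contains a CSI or OSC introducer
    in either its 7-bit (ESC [ / ESC ]) or 8-bit (0x9b / 0x9d) form."""
    return re.search(r"\x1b[\[\]]|[\x9b\x9d]", text) is not None


# Constructed sample .plan line: an OSC title-set attempt (ESC ] ... BEL)
# followed by a DEL, the two ingredients the post describes.
SAMPLE_PLAN = "Hello from my .plan\x1b]0;not a real title\x07 back\x7f\n"

if __name__ == "__main__":
    print(carries_escape_sequence(SAMPLE_PLAN))   # True before filtering
    print(neutralise(SAMPLE_PLAN), end="")        # escape and DEL now visible
```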
