A look at terminal emulators, part 1
Posted Mar 30, 2018 20:17 UTC (Fri) by jwilk (subscriber, #63328)
Parent article: A look at terminal emulators, part 1
Posted Mar 31, 2018 1:41 UTC (Sat)
by anarcat (subscriber, #66354)
[Link] (15 responses)
This would certainly be worth reporting upstream. In fact, ideally, I would have done with the other articles I wrote here and reported this issue in *all* the terminals, but really, that means a *lot* of (possibly controversial) bug reports... :)
Posted Mar 31, 2018 7:26 UTC (Sat)
by jwilk (subscriber, #63328)
[Link] (13 responses)
Posted Mar 31, 2018 15:48 UTC (Sat)
by anarcat (subscriber, #66354)
[Link] (12 responses)
https://paste.anarc.at/control-o-hack.html
Here copy-pasting this with the middle mouse button doesn't execute any code in urxvt: the ^O shows up on screen, but doesn't seem to cause the code to execute, nor does it cause the confirm-paste plugin to fire.
Posted Mar 31, 2018 21:48 UTC (Sat)
by jwilk (subscriber, #63328)
[Link] (11 responses)
Posted Mar 31, 2018 22:20 UTC (Sat)
by anarcat (subscriber, #66354)
[Link] (10 responses)
https://paste.anarc.at/control-o-hack.html
i had to tweak it a little because the leading dollar sign would get parsed by bash and confuse things a little (although cowsay would still be called)
so, i guess this should be reported against urxvt as well eh...
Posted Mar 31, 2018 23:22 UTC (Sat)
by domo (guest, #14031)
[Link] (8 responses)
Posted Mar 31, 2018 23:42 UTC (Sat)
by domo (guest, #14031)
[Link] (6 responses)
added $str =~ tr/\033//d; to my confirm-paste copy and this particular exploit is not effective anymore...
Posted Mar 31, 2018 23:54 UTC (Sat)
by domo (guest, #14031)
[Link]
--- Downloads/confirm-paste.txt 2018-04-01 02:49:34.886913091 +0300
Posted Apr 2, 2018 8:41 UTC (Mon)
by jwilk (subscriber, #63328)
[Link] (4 responses)
Posted Apr 3, 2018 14:12 UTC (Tue)
by anarcat (subscriber, #66354)
[Link] (3 responses)
Posted Apr 3, 2018 21:30 UTC (Tue)
by domo (guest, #14031)
[Link] (1 responses)
my $count = ($str =~ tr/\0-\010\012-\037//);
i.e. all ascii codes below 32 except tab, to trigger confirm-paste.
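A stand-alone version of the check suggested in this thread, added here as an illustration and not code from any commenter or from urxvt: it counts every ASCII control byte below 32 except tab, flags an embedded end-of-bracketed-paste marker, and renders the paste in caret notation for a confirmation prompt. The function names and the sample pastes are constructed for this example.

```python
# Added example: inspect clipboard bytes before they are sent to a shell.
# inspect_paste() and caret() are hypothetical names; SAMPLES are constructed.

PASTE_END = b"\x1b[201~"      # ESC [ 201 ~ terminates a bracketed paste
TAB, LF, CR = 0x09, 0x0A, 0x0D


def caret(data: bytes) -> str:
    """Render control bytes in caret notation so a prompt can show them."""
    out = []
    for b in data:
        if b < 0x20 and b != TAB:
            out.append("^" + chr(b + 0x40))   # 0x0f -> ^O, 0x1b -> ^[
        else:
            out.append(chr(b))                # bytes >= 0x80 shown as Latin-1
    return "".join(out)


def inspect_paste(data: bytes) -> dict:
    """Return what a confirm-paste style hook should ask the user about."""
    # Drop one trailing newline, as chomp does in the Perl hook.
    body = data[:-1] if data.endswith(b"\n") else data
    newlines = sum(b in (LF, CR) for b in body)
    # Every other byte below 32, tab excluded, is treated as suspicious.
    controls = sum(b < 0x20 and b not in (TAB, LF, CR) for b in body)
    return {
        "newlines": newlines,
        "controls": controls,
        "ends_bracketed_paste": PASTE_END in body,
        "confirm": bool(newlines or controls),
        "preview": caret(body),
    }


SAMPLES = {  # constructed inputs
    "plain": b"echo Hello world\n",
    "tabbed": b"ls\t-l",
    "ctrl_o": b"echo Hello \x0f world",
    "early_end": b"echo Hello \x1b[201~\x0f world",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = inspect_paste(text)
        print(f"{name:10} confirm={r['confirm']!s:5} {r['preview']}")
```

Showing the caret-notation preview in the prompt lets the user see the control bytes instead of having them silently removed.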
Posted Apr 4, 2018 13:39 UTC (Wed)
by mgedmin (subscriber, #34497)
[Link]
Posted Apr 5, 2018 6:56 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Personally I tend to paste into a GUI text editor before pasting into the terminal.
I sometimes wonder if anyone did any fuzzing of paste routines in those editors.
Posted Apr 12, 2018 12:24 UTC (Thu)
by okapi (guest, #111261)
[Link]
If bash interprets a Ctrl-O, even with enable-bracketed-paste then that's a readline bug. More likely, your configuration is wrong somehow. In my testing, I get a literal ^O in the line.
Posted Apr 22, 2018 8:06 UTC (Sun)
by jwilk (subscriber, #63328)
[Link]
Bracketed paste bypass was reported in 2015: https://bugs.debian.org/787628
Apparently upstream is not interested in fixing it.
Posted Mar 31, 2018 9:14 UTC (Sat)
by tpo (subscriber, #25713)
[Link]
Posted Apr 1, 2018 18:17 UTC (Sun)
by xtifr (guest, #143)
[Link] (2 responses)
Not a universal solution, I realize, but should provide a good stopgap, if you're personally worried about this.
Posted Apr 2, 2018 7:01 UTC (Mon)
by tpo (subscriber, #25713)
[Link] (1 responses)
bind -r "^O"
You need to enter the "^O" there as CTRL-v CTRL-o.
Posted Apr 2, 2018 7:38 UTC (Mon)
by xtifr (guest, #143)
[Link]
It's a little confusing that it doesn't use the same syntax as .inputrc, but such is life...
You can also say "bind -u operate-and-get-next" to remove the binding of that function from *all* keys.
Though honestly, now that I look at it, it's a handy command I wish I'd known about before, and I may end up binding it to some other key, despite its (relatively mild) danger.
Posted Apr 9, 2018 21:27 UTC (Mon)
by anarcat (subscriber, #66354)
[Link]
<html>$ echo Hello <span style="position: absolute; left: -100px; top: -100px">| cowsay pwned</span> world</html>
(Tested with Firefox 52.7.3 + urxvt 9.22 + bash 4.4.18)
Do you have bracket paste enabled in inputrc? My exploit doesn't defeat it, although it could. It's a matter of adding [201~ before .
Here is the full diff compared to confirm-paste in urxvt github repository:
+++ dotdir/urxvt/chomp-and-confirm-paste 2018-04-01 02:40:11.030578963 +0300
@@ -21,9 +21,14 @@
sub on_tt_paste {
my ($self, $str) = @_;
+ chomp $str; $str =~ tr/\033//d;
+
my $count = ($str =~ tr/\012\015//);
- return unless $count;
+ unless ($count) {
+ $self->tt_paste ($str);
+ return 1;
+ }
$self->{paste} = \$str;
$self->msg ("Paste of $count lines, continue? (y/n)");
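Review bot: in on_tt_paste, the added `tr/\033//d` removes only ESC, and the new `unless ($count)` branch then hands any paste without \012 or \015 straight to `tt_paste` with no prompt, so a single-line paste that carries other control bytes is never confirmed. Consider including the remaining bytes below 32 (tab excepted) in `$count` so they trigger the prompt, rather than silently deleting one byte value, which also changes what the user pastes without telling them. Note as well that `chomp` strips only a trailing newline, so a paste ending in \015\012 still has its \015 counted and is prompted as a one-line paste; stripping a trailing \015 too would match the apparent intent.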
Enumerating badness usually doesn't end well. There are other control sequences that could be used for code execution (^[^E and ^X^E at least). Proof of concept exploits:
The latter works only if your editor is terminal-based and uses vi keybindings.
$({ echo; cowsay pwned; }>&2)[201~
[201~Dicowsay pwnedZZ
As it turns out, this specific issue was discussed elsewhere before. A friend pointed me towards this discussion. As it turns out, the conclusion was basically "meh, we know":
Other related discussions and possible CVEs
This is posted here every few months. Frankly, there's a lackluster care in
fixing this in these terminals.
For terminals, here's a decent avenue (gnome-terminal as example):
https://turbochaos.blogspot.com/2014/08/journalctl-terminal-escape-injection.html
That latter thread is even more disturbing, in a way...