Terminal Escape Injection

栏目: IT技术 · 发布时间: 4年前

内容简介:As information security professionals, we have to deal with potentially dangerous files practically on daily basis. We run various scripts, PoC code, exploits and other things and we put trust in the utilities that read those files. Can we really trust the

As information security professionals, we have to deal with potentially dangerous files practically on daily basis. We run various scripts, PoC code, exploits and other things and we put trust in the utilities that read those files. Can we really trust them? In this article we will have a peak into the world of ANSI/VT escape sequences.

What are the escape sequences?

Quoiting from a relevant mailing list memo by Federico Bento:

A terminal escape sequence is a special sequence of characters that is printed (like any other text). But, if the terminal understands the sequence, it won’t display the character-sequence, but will perform some action.

Escape sequences can do all sorts of things. Besides of changing color of the text, making it bold or making our cursor blink, they can also:

  • Move cursor in any direction or to any position
  • Delete or erase arbitrary text
  • Perform various screen manipulations
  • Even re-map keys on our keyboard!

In short, escape sequences can adversely change the way how we see things on the terminal.

And it can have really bad consequences:

Terminal Escape Injection

And it works everywhere and with anything! For instance, here’s an example of escape injection in a Python script on Mac OS:

Terminal Escape Injection

But wait, I’m safe on Windows!

Unfortunately, you’re not. Since Windows 10 the Windows Terminal emulator also supports ANSI/VT escape sequences. And it is used by both the Command Prompt as well as the PowerShell!

So, this also works on Windows..

Terminal Escape Injection
Terminal Escape Injection

So what is going on here?

Welcome to the world of terminal escape injections, or as some folks have called it in the past – The new XSS for Linux sysadmins .

We now know that it’s not just a Linux thing – it affects every platform that uses VT/ANSI compatible terminal.

And it’s nothing new. Terminals have been with us since the dawn of computers.

There are many different terminal emulators out there and each of them can have specific escape sequences on top the common ANSI/VT ones.

When these escape sequences are used in a malicious way (with a malicious intent), it’s called terminal escape injection.

Ok, so what’s the potential impact?

The consequences of falling for this trick could be obviously very serious. Disastrous, if we are running as root / Administrator.

Basically we could be fooled into executing arbitrary code (ACE) on our system and completely compromising ourselves. For instance, an attacker could:

  • Install backdoor (RAT) on our system
  • Plant malware or rootkit on our system
  • Capture keystrokes and record our screen
  • Practically anything you can imagine really

On top of it, there has been many different vulnerabilities reported throughout the years attributed to escape injections.

Where can we find escape injections?

Apart from planting them into various scripts, they could be also successfully planted into:

  • Configuration files – potentially with the same impact (ACE)
  • Log files – as part of detection bypass efforts

So how safe is it to cat an arbitrary file?

As we have already seen, it is not safe at all. But the same can be said about the get-content command in Powershell, or the type command in the Command Prompt.

The problem with these things is that they do not sanitize the output in any way. They merely print out whatever content is there. They don’t care.

So if there is some binary content, they will just print it out and we will see some gibberish.

And if there happens to be some particular byte sequence that the ANSI/VT terminal understands as an escape sequence, then the terminal will simply interpret it.

So this is not really a bug. That’s just how things are with console applications. And as infosec professionals, we should be vigilant about the risks.

How escape injection works?

Let’s consider the following shell script with visibly displayed escape injection:

Terminal Escape Injection

Now suppose we didn’t use the -v parameter. As the cat command is displaying the content of the script line by line, the escape sequence ( ^[[2A ) will move the cursor 2 lines up – back on the position where the evil code is. And then the code will be rewritten by our benign (Hello World) code.

Note that this is just for demonstration purposes. The escape sequences are powerful enough so that we don’t need to use any benign or fake code. We could simply make the malicious lines disappear, if we wanted to.

How to avoid escape sequence attacks in terminals?

Here’s an actionable advice on how we can protect ourselves from escape injections:

UNIX/Linux

1. On UNIX based systems, beware of the utilities that output raw data. This includes:

  • cat, head, tail, more
  • curl, wget
  • diff

Do not believe their output without thoroughly inspecting it, when it matters.

2. Use cat -v to display non-printable characters or use the less command.

For instance, we should never install software from the Internet just by using curl / wget and piping it into shell. Visual analysis is not enough:

Terminal Escape Injection

We should always inspect it using cat -v or using the less command to see if there is something fishy going on:

Terminal Escape Injection

We can clearly see the nastiness there.

3. We can also use text editors such as nano, pico, vim, emacs or any other editor that we prefer.

Windows

1. In Command Prompt we can use the more command instead of the type command. The more command will reveal the escape sequences:

Terminal Escape Injection

But it doesn’t work in PowerShell.

2. In PowerShell it seems there is no way to sanitize the escape sequences by using some parameter or some other function instead of using the get-content command.

I was only able to come up with the following somewhat clumsy and complicated solutions to reveal the hidden terminal injections:

Solution 1:

gc <file> -encoding Byte | % { [char]$_+" " | write-host -nonewline }

Solution 2:

gc <file> -encoding Byte | % { if ( $_ -lt 32 -or $_ -gt 126 ) { [char]$_+" " } else { [char]$_ } } | write-host -nonewline
Terminal Escape Injection

They both work and will reveal the hidden escape injections.

3. Best solution on Windows is to always use text editors such as Notepad or WordPad. Do not rely on console utilities.

Test it for yourself

The following snippets provide instructions on how to generate all the examples shown in this article.

You can also find them on our GitHub InfosecMatter dedicated repository .

Shell script escape injection

echo -e '#!/bin/sh\n\necho "evil!"\nexit 0\n\\033[2Aecho "Hello World!"\n' > script.sh
chmod a+x script.sh

The resulting script.sh will then work on (has been tested on):

  • Linux (gnome-terminal, xterm, aterm)
  • Mac OS (Terminal 2.0, iTerm2)
  • Cygwin (Windows)

Python script escape injection

echo -e '#!/usr/bin/python\n\nprint "evil!";\nexit(0);\n#\\033[2A\\033[1Dprint "Hello World!";\n' > script.py
chmod a+x script.py

The resulting script.py will then work on (has been tested on):

  • Linux (gnome-terminal, xterm, aterm)
  • Mac OS (Terminal 2.0, iTerm2)
  • Cygwin (Windows)

Batch (Command Prompt) escape injection

echo -e '@echo off\n\r\n\recho evil!\r\n::\\033[2D  \\033[A\\033[2Decho Hello World!' > script.bat

The resulting script.bat will then work on (has been tested on):

  • Windows 10 PowerShell
  • Windows 10 Command Prompt

PS1 (PowerShell) escape injection

echo -e 'write-host "evil!"\r\n#\\033[A\\033[2Dwrite-host "Hello World!"' > script.ps1

The resulting script.ps1 will then work on (has been tested on):

  • Windows 10 PowerShell
  • Windows 10 Command Prompt

Conclusion

As we have seen in this article, terminal escape injections affect practically every modern operating system environment and they can be really nasty.

As infosec professionals, we should know about them and keep our guards up when it matters. Hopefully this article provided enough information to stay safe.

Please feel free to let us know in the comment section your thoughts.

References


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

ActionScript 3.0 Cookbook中文版

ActionScript 3.0 Cookbook中文版

Joey Lott、Adobe Dev Library / 陈建勋 / 电子工业 / 2007-11-01 / 78.00元

本书讨论了在Flash Player里执行的ActionScript3.0语言,采用问题—解法—讨论的形式讲解开发过程中常见问题的实际解法,例如:检测用户的 Flash Player 版本或操作系统;格式化日期和货币类型;接受用户输入及操作文字字符串;在运行时绘制各种形状;访问音频和视频;使用 Flash Remoting 进行远程过程调用;加载、发送和检索 XML 数据等。 全书涵盖客户端......一起来看看 《ActionScript 3.0 Cookbook中文版》 这本书的介绍吧!

随机密码生成器
随机密码生成器

多种字符组合密码

Base64 编码/解码
Base64 编码/解码

Base64 编码/解码

RGB HSV 转换
RGB HSV 转换

RGB HSV 互转工具