7

Reading this post, titled "Fixing Unix/Linux/POSIX filenames", I came across a VERY interesting phrase by the author, which says:

Oh, and don’t display filenames. Filenames could contain control characters that control the terminal (and X-windows), causing nasty side-effects on display. Displaying filenames can even cause a security vulnerability — and who expects printing a filename to be a vulnerability?!? In addition, you have no way of knowing for certain what the filename’s character encoding is, so if you got a filename from someone else who uses non-ASCII characters, you’re likely to end up with garbage mojibake.

I've long suspected this to be the case, because sometimes accidentally running cat binary_file caused my terminal session to exit, or caused the terminal to CTRL+L itself, but I never had the knowledge to ask a sufficiently coherent question.

My question is: What output can a program, when executed from a command line, output to generate behavior that could be considered a vulnerability on the terminal emulator?

Please note I am not referring to pasting commands from websites into the command line.

droope
  • 181
  • 8

2 Answers

2

I do not think that software can send a Ctrl-Alt-Del to the system so easily; this event must come from a physical keyboard. However, what is sure is that with a not-so-recent graphical terminal, such a flow could be exploited to inject malicious commands.

The clue is that some terminals provide:
- An escape sequence to update the window title,
- Another escape sequence to report the window title back to the command line.

When a user uses a terminal susceptible to this exploit (most well-known terminals have been corrected during the last few years), it is therefore possible to inject a command into the user's prompt using, for instance, a specially crafted file name (when doing a directory listing) or a binary file (when using "cat").

The user would then still need to press "Enter" to execute the malicious commands, but usually there are other escape sequences that allow tricking the user (for instance, emptying the prompt string, changing the command's foreground color to the same as the background so the command itself is not visible, then displaying something like "Press enter to continue...").

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
0

"Control Characters" are sequences the emulator captures in order to change the environment. Control-C to break, Control-M for a carriage return, etc. There are hundreds of them. They're key combinations, so cat'ing them from a file is the same as hammering them out on the keyboard.

Almost all of them are limited to terminal behaviour though. Might be able to force a reboot if you could figure out a way to sneak CTRL-ALT-DEL through (I don't see how, but that's about the only thing I can think of), but modern systems don't have a lot of stuff mapped to function keys anymore, so forcing those to execute isn't going to do anything.

Satanicpuppy
  • 211
  • 1
  • 5
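The defensive counterpart to both answers above, as an added example that is not part of either answer or of the quoted post: before a filename from an untrusted source reaches a terminal, escape every byte the terminal would interpret (the C0 controls the second answer mentions, DEL, the C1 range, and ESC) and flag the two sequences the first answer describes in words. The concrete codes used for those flags are xterm's documented ones and are an assumption on my part, not something the page states: OSC 0/1/2 sets the window title, and CSI 21 t asks the terminal to report the title back as if typed. The sample filenames are constructed for the demo; decoding with `surrogateescape` keeps undecodable bytes so they can be shown as hex instead of becoming mojibake.

```python
import re
from typing import Union

ESC = "\x1b"

# Constructed sample filenames (not from the page): a benign one, one carrying
# a title-set sequence followed by a title-report request, and one with raw
# control characters that would redraw the line and mimic a prompt.
SAMPLE_NAMES = [
    "report.txt",
    "notes" + ESC + "]0;title\x07" + ESC + "[21t.log",
    "beep\x07\r\nfake-prompt$ ",
]

# xterm-style codes (assumed, not from the page): OSC 0/1/2 ... BEL or ESC \
# sets the window/icon title; CSI 21 t requests the title be reported back.
OSC_TITLE_SET = re.compile(r"\x1b\](?:0|1|2);[^\x07\x1b]*(?:\x07|\x1b\\)")
CSI_TITLE_REPORT = re.compile(r"\x1b\[21t")


def _as_text(name: Union[str, bytes]) -> str:
    """POSIX filenames are bytes; keep undecodable bytes as lone surrogates."""
    if isinstance(name, bytes):
        return name.decode("utf-8", "surrogateescape")
    return name


def _is_control(ch: str) -> bool:
    """C0 controls (including ESC, BEL, CR, LF), DEL, and the C1 range."""
    return ch < " " or ch == "\x7f" or "\x80" <= ch <= "\x9f"


def classify(name: Union[str, bytes]) -> list:
    """Name the risky content classes present, most specific first."""
    text = _as_text(name)
    findings = []
    if OSC_TITLE_SET.search(text):
        findings.append("osc-title-set")
    if CSI_TITLE_REPORT.search(text):
        findings.append("csi-title-report")
    if any(_is_control(ch) for ch in text):
        findings.append("control-chars")
    return findings


def safe_display(name: Union[str, bytes]) -> str:
    """Return a printable form: control characters and undecodable bytes
    become \\xNN escapes; everything else (including non-ASCII text that
    decoded cleanly) is passed through unchanged."""
    out = []
    for ch in _as_text(name):
        code = ord(ch)
        if 0xDC80 <= code <= 0xDCFF:          # surrogateescape'd raw byte
            out.append(f"\\x{code - 0xDC00:02x}")
        elif _is_control(ch):
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for raw in SAMPLE_NAMES:
        print(f"{safe_display(raw):45} {','.join(classify(raw)) or 'ok'}")
```

Escaping per byte rather than deleting whole sequences keeps the listing reversible for the reader and never trusts a regex to find every sequence; the two specific patterns exist only to raise a clearer alert. GNU ls already applies a similar rule (`-q`, printing `?` for non-printables) when its output is a terminal, but not when piped into another program that later writes to one, which is the case the quoted post warns about.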