A look at terminal emulators, part 1
A look at terminal emulators, part 1
Posted Mar 31, 2018 7:26 UTC (Sat) by jwilk (subscriber, #63328)In reply to: A look at terminal emulators, part 1 by anarcat
Parent article: A look at terminal emulators, part 1
<html>$ echo Hello <span style="position: absolute; left: -100px; top: -100px">| cowsay pwned</span> world</html>(Tested with Firefox 52.7.3 + urxvt 9.22 + bash 4.4.18)
Posted Mar 31, 2018 15:48 UTC (Sat)
by anarcat (subscriber, #66354)
[Link] (12 responses)
https://paste.anarc.at/control-o-hack.html
Here copy-pasting this with the middle mouse button doesn't execute any code in urxvt: the ^O shows up on screen, but doesn't seem to cause the code to execute, nor does it cause the confirm-paste plugin to fire.
Posted Mar 31, 2018 21:48 UTC (Sat)
by jwilk (subscriber, #63328)
[Link] (11 responses)
Posted Mar 31, 2018 22:20 UTC (Sat)
by anarcat (subscriber, #66354)
[Link] (10 responses)
https://paste.anarc.at/control-o-hack.html
i had to tweak it a little because the leading dollar sign would get parsed by bash and confuse things a little (although cowsay would still be called)
so, i guess this should be reported against urxvt as well eh...
Posted Mar 31, 2018 23:22 UTC (Sat)
by domo (guest, #14031)
[Link] (8 responses)
Posted Mar 31, 2018 23:42 UTC (Sat)
by domo (guest, #14031)
[Link] (6 responses)
added $str =~ tr/\033//d; to my confirm-paste copy and this particular exploit is not effective anymore...
Posted Mar 31, 2018 23:54 UTC (Sat)
by domo (guest, #14031)
[Link]
--- Downloads/confirm-paste.txt 2018-04-01 02:49:34.886913091 +0300
Posted Apr 2, 2018 8:41 UTC (Mon)
by jwilk (subscriber, #63328)
[Link] (4 responses)
Posted Apr 3, 2018 14:12 UTC (Tue)
by anarcat (subscriber, #66354)
[Link] (3 responses)
Posted Apr 3, 2018 21:30 UTC (Tue)
by domo (guest, #14031)
[Link] (1 responses)
my $count = ($str =~ tr/[\0-\010\012-\037]//);
i.e. all ascii codes below 32 except tab, to trigger confirm-paste.
Posted Apr 4, 2018 13:39 UTC (Wed)
by mgedmin (subscriber, #34497)
[Link]
Posted Apr 5, 2018 6:56 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Personally I tend to paste into a GUI text editor before pasting into the terminal.
I sometimes wonder if anyone did any fuzzing of paste routines in those editors.
Posted Apr 12, 2018 12:24 UTC (Thu)
by okapi (guest, #111261)
[Link]
If bash inteprets a Ctrl-O, even with enable-bracketed-paste then that's a readline bug. More likely, your configuration is wrong somehow. In my testing, I get a literal ^O in the line.
Posted Apr 22, 2018 8:06 UTC (Sun)
by jwilk (subscriber, #63328)
[Link]
Bracked paste bypass was reported in 2015: https://bugs.debian.org/787628
Apparently upstream is not interested in fixing it.
A look at terminal emulators, part 1
Do you have bracket paste enabled in inputrc? My exploit doesn't defeat it, although it could. It's a matter of adding [201~ before .
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1
Here is the full diff compared to confirm-paste in urxvt github repository:
+++ dotdir/urxvt/chomp-and-confirm-paste 2018-04-01 02:40:11.030578963 +0300
@@ -21,9 +21,14 @@
sub on_tt_paste {
my ($self, $str) = @_;
+ chomp $str; $str =~ tr/\033//d;
+
my $count = ($str =~ tr/\012\015//);
- return unless $count;
+ unless ($count) {
+ $self->tt_paste ($str);
+ return 1;
+ }
$self->{paste} = \$str;
$self->msg ("Paste of $count lines, continue? (y/n)");
Enumerating badness usually doesn't end well. There are other control sequences that could be used for code execution (^[^E and ^X^E at least). Proof of concept exploits:
A look at terminal emulators, part 1
The latter works only if your editor is terminal-based and uses vi keybindings.
$({ echo; cowsay pwned; }>&2)[201~
[201~Dicowsay pwnedZZ
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1
A look at terminal emulators, part 1