Friday, October 26, 2007

Dangerous Bytes

Some tty escape bytes can do damage remotely.

These bytes can be injected into a daemon's log, into another user's tty (/dev/pts/*), over IRC, etc., and the result is colored logs :), invisible logs, or command execution.

0x0e Changes the view mode; the victim has to reset the terminal
0x0f Restores the view mode (like the reset command)
0x1b Escape byte:

0x1b, [c inject chars to cmd
0x1b, [r page up
0x1b, [u up

0x5f close the sequence

Example:
perl -e 'print "\x1b[c"' > /dev/pts/4

The Linux df command is 2 bytes long, and both bytes are in the hex charset,
so I'm trying to inject the df command remotely.

Apache doesn't log these, so it is not vulnerable, but there are other vulnerable clients and servers.
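
One way for a log writer or log viewer to defend against the bytes listed above, as an added example that is not part of the original post: render every control character as a visible \xNN escape before the text reaches a terminal, and report where such bytes occur. The function names and the sample log line are constructed for illustration.

```python
import re

# C0 controls except TAB, plus DEL and the C1 range (U+009B acts as an 8-bit CSI).
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")

# Names for the bytes the post lists; anything else is reported generically.
_NAMES = {0x0E: "SO (shift out)", 0x0F: "SI (shift in)", 0x1B: "ESC"}

# Constructed sample: one log record whose user-agent field carries ESC [ c and 0x0e.
SAMPLE = b'GET /index.html "Mozilla\x1b[c\x0e" 200'


def neutralize(raw: bytes) -> str:
    """Return one log record as printable text, control characters shown as \\xNN."""
    # Invalid UTF-8 bytes are turned into literal \xNN text by backslashreplace.
    text = raw.decode("utf-8", errors="backslashreplace")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def audit(raw: bytes):
    """List (offset, byte, name) for each C0 control byte or DEL in one record."""
    hits = []
    for offset, byte in enumerate(raw):
        # A newline inside a single record is treated as suspicious too.
        if (byte < 0x20 and byte != 0x09) or byte == 0x7F:
            hits.append((offset, byte, _NAMES.get(byte, "control")))
    return hits


if __name__ == "__main__":
    print(neutralize(SAMPLE))
    for offset, byte, name in audit(SAMPLE):
        print("offset %d: 0x%02x %s" % (offset, byte, name))
```

Apply neutralize() at the point where untrusted text is written to a log or shown to an operator, so the terminal never receives the raw bytes.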

1 comment:

sharek said...

This problem reminds me of ANSI escape codes in old BBSes ... interesting :)