Reading the details of CVE-2009-4487 (which is about the danger of escape sequences in log files) I am a bit surprised.
To quote CVE-2009-4487:
nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
Clearly, this is not really about a security hole in nginx, but in the terminal emulators.
Sure, perhaps cat
ing a log file to the terminal happens only by accident, but grep
ing a logfile is quite common. less
perhaps sanitizes escape sequences, but who knows what shell commands don't change escape sequences …
I tend to agree with the Varnish response:
The wisdom of terminal-response-escapes in general have been questioned
at regular intervals, but still none of the major terminal emulation
programs have seen fit to discard these sequences, probably in a
misguided attempt at compatibility with no longer used 1970'es
technology.
[..]
Instead of blaming any and all programs which writes logfiles, it would
be much more productive, from a security point of view, to get the
terminal emulation programs to stop doing stupid things, and thus fix
this and other security problems once and for all.
Thus my questions:
How can I secure my xterm, such that it is not possible anymore to execute commands or overwrite files via escape sequences?
What terminal emulators for X are secured against this attack?
Best Answer
VT100 terminals (which all modern terminal emulators emulate to some extent) supported a number of problematic commands, but modern emulators or distributions disable the more problematic and less useful ones. Here's a non-exhaustive list of potentially risky escape sequences (not including the ones that merely make the display unreadable in some way):
ENQ
(Ctrl+E
). This inserts text into the terminal as if the user had typed it. However, this text is not under control of the attacker: it is the terminal's own name, typically something likexterm
orscreen
. On my system (Debian squeeze), xterm returns the empty string by default (this is controlled by theanswerbackString
resource).ESC [ c
and friends. The terminal responds withESC [ … c
(where the…
can contain digits and ASCII punctuation marks only). This is a way of querying some terminal capabilities, mostly obsolete but perhaps used by old applications. Again, the terminal's response is indistinguishable from user input, but it is not under control of the attacker. The control sequence might look like a function key, but only if the user has an unusual configuration (none of the usual settings I've encountered has a valid function key escape sequence that's a prefix of the terminal response).ESC P
).DECUDK
(set user-defined keys) on a typical terminal emulator.DECRQSS
(Request Status String) is yet another command to which the terminal responds with an escape sequence, this time beginning with\eP
; this can be problematic since\eP
is a valid key (Alt+Shift+P).ESC P + p …
andESC P + q …
, to get and set termcap strings. From the description, this might be used at least to modify the effect of function keys.ESC [ … n
(Device Status Report). The terminal responds with an escape sequence. Most of these escape sequences don't correspond to function key escape sequences. One looks problematic: the report toESC [ 6 n
is of the formESC [ x ; y R
wherex
andy
are digit sequences, and this could look like F3 with some modifiers.ESC [ … t
.ESC [ 2 0 t
andESC [ 2 1 t
include the terminal window's icon label and title respectively, and the attacker can choose these.allowWindowOps
resource, or selectively through thedisallowedWindowOps
resource. Gnome-terminal under Ubuntu 10.04 implements even the title answerbacks by default. I haven't checked other terminals or versions.ESC ] digit ; title ESC \
. Under Screen, the escape sequence isESC k title ESC \
. I find the concern over these commands overrated. While they do allow some amount of mischief, any web page has the same issue. Acting on a window based solely on its title and not on its class is akin to opening a file whose name was given to you by an untrusted party, or not quoting a variable expansion in a shell script, or patting a rabid dog on the nose — don't complain if you get bitten.I find Varnish's response disingenuous. It's feels like it's either trying to shift the blame, or in security nazi mode (any security concern, genuine or not, justifies blackballing a feature).
Many of the answerbacks are useful features: an application does need to know things like the cursor position and the window size. Setting the window title is also very useful. It would be possible to rely entirely on
ioctl
calls for these, however this would have required additional code and utilities to make theseioctl
calls and transate them into unix-style text passing on file descriptors. Changing these interfaces now would be a lot of work, for little benefit.Text files are not supposed to contain non-printing characters such as control characters. Log files are generally expected to be text files. Log files should not contain control characters.
If you're worried that a file might contain escape sequences, open it in an editor, or view it with
less
without the-r
or-R
option, or view it throughcat -v
.