Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security

Getting Hacked Through Your Terminal 204

Posted by timothy from the nothing-new-under-the-sun dept.
hdm writes "My company recently published a paper on security issues with common terminal emulator applications. The interesting thing about these vulnerabiltiies is that many of them only require the victim to be running tail on their log files (apache, syslog, etc) for the attack to be successful. The paper (TXT) can be found here."
This discussion has been archived. No new comments can be posted.

Getting Hacked Through Your Terminal More

Getting Hacked Through Your Terminal

Comments Filter:
  • Most exploits that existed over 5 yrs ago are still valid.

    For instance, you can recover a root password in just 10-15 minutes on ANY machine.

    • Re:Most exploits (Score:2, Insightful)

      by Anonymous Coward
      But exploits that require physical access to the machine don't really mean much to anyone truly interested in security.

      ~~~

    • Re:Most exploits (Score:4, Insightful)

      by kasperd ( 592156 ) on Saturday March 01, 2003 @08:01PM (#5415724) Homepage Journal
      For instance, you can recover a root password in just 10-15 minutes on ANY machine.

      You shouldn't make such claims without any evidence.
      • If you have physical access to a machine then yes, root password recovery takes 10-15 minutes. I seriously doubt it takes that little time to do it remotely, however.

        • Re:Most exploits (Score:3, Interesting)

          by kasperd ( 592156 )
          If you have physical access to a machine then yes, root password recovery takes 10-15 minutes.

          There are lots of things you can easilly do with physical access to the computer, but finding the root password is not one of them. Unless something has been done to prevent it, I can bypass the root password in less than five minutes. Either pass an init argument to the kernel or boot from external media. Once the root password has been bypassed it can easilly be changed if I would want to.

          Preventing boot from external media and boot arguments will slow down the process, and of course BIOS and bootloader must be password protected. But I can get a long way with a screwdriver unless the harddisk has been encrypted.

          In case you want to prove your claim, please tell me what my root password is. Here is the line from my /etc/shadow file:
          root:$1$3pzDB2kQ$5ZUFiFyOXsLUQ1/Ad9G7y1:12103:0:99 999:7:::
          • Well, when I said password recovery, what I meant is what I did the last time I forgot my root password on my laptop. I went in with a boot floppy and copy/pasted the admin password (which I still knew) over the root password. This is what normal people asssociate with password recovery, since only an insecure system (like IRC services) will tell you the 'old' password.
            That being said, there Are tools that take an /etc/shadow file and spew out the password, they take a lot longer than 15 minutes to do so though.
            I will tell you why that password can be broken. The key used to crypt the password is itself. There is a limit to the types of characters, and the number that can be used in a unix password. a bruteforce decryptor can be built that will try every possible combination, starting with the most likely root passwords, and essentially it's just a matter of waiting for the program to find the only string that decrypts the encrypted string to itself.
            I don't have the patience nor the desire to run your shadow entry through a brute force decryptor... but the reason the shadow file exists is because on shell machines there are people with the patience and the desire to run those shadow entries through a brute force decryptor. Even if it takes them a week to get the password because the system had a relatively secure password.
          • "bEnDoVeRtAkEiTlIkEaMaN!"

    • Re:Most exploits (Score:4, Informative)

      by 42forty-two42 ( 532340 ) <bdonlan.gmail@com> on Saturday March 01, 2003 @11:20PM (#5416569) Homepage Journal
      Here's how to do it on linux:
      • Reboot the computer, somehow.
      • Append 'init=/bin/sh' to the kernel command line at boot, then resume the boot. You will be dropped to a root shell.
      • mount -t proc proc /proc
      • mount -o remount,rw -t (root fs type) (root fs device) /
      • passwd
      • Enter the new password
      • mount -o remount,ro -t (root fs type) (root fs device) /
      • umount /proc
      • exec /sbin/init
      • The system will resume its boot. The root password will have been changed.
    • As far as I'm aware you can't recover the root password in any reasonable timespan (unless it's badly chosen, or you have a few Earth Simulators handy). You can however change it in a couple of minutes if you have physical access to the machine (reboot to single user, mount fs, passwd). Hardly stealthy though...

  • strings (Score:3, Informative)

    by siliconshock.com ( 531040 ) <slashdot.siliconshock@com> on Saturday March 01, 2003 @06:27PM (#5415240) Homepage
    just pipe your stuff through strings. it should help a bit

  • A simple solution (Score:4, Funny)

    by Giant Ape Skeleton ( 638834 ) on Saturday March 01, 2003 @06:27PM (#5415247) Homepage
    Given the profliferation of exploits related to race conditions, predictible file creation, etc,
    we should henceforth re-tool our code to only make use of stateless protocols!
    ;-)

    • Re:A simple solution (Score:1, Funny)

      by Anonymous Coward
      You mean like HTTP?
      No-one was ever attacked through port 80.
    • I know this is a joke, but it's really worth thinking about for a second.

      In a true stateless protocol people need to send a request that ammounts to "send me /etc/passwd" or "echo foo > /etc/...". You're unlikely to honor this and some simple checks can make sure you don't write to the wrong place.

      Many bugs are in the user-identification and verification routines. Web sites let you do, if you've got the right cookie, nasty things that they shouldn't let you do. Not only does your initial verification need to be secure, but your storing of cookie data in such a way as to let the user back on, with access, needs to be fairly secure. Providing state introduces many bugs you otherwise wouldn't have.

      Now, this isn't to say that everything should be stateless, but that you should think about how much time you save by letting people not enter their password at every use, versus the potential risks. Especially if you're coding the security sections yourself. Trusting .htaccess is pretty easy, Apache gets a lot of testing. Trusting your perl CGI script you coded the night before...
  • For those who might be concerned (and in case the paper is /.-ed), the tested and found that the following terminal emulators were NOT susceptible to screen dump or window title attacks:

    • xterm xf86 4.2.0 (patch 165)
    • aterm 0.42
    • rxvt 2.7.8
    • Eterm 0.9.1
    • konsole 3.1.0 rc5
    • putty 0.53
    • SecureCRT 3.4.6
    • gnome-terminal 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
    • hanterm-xf 2.0

    I always pre-filter my logs thru a Perl script. Besides removing verbose messages that are not useful, my filters replace such non-printable characters with a printable character. Not only does it make it easier to spot strange octets on the screen, it does not depend on the terminal emulator remaining secure.

    • PuTTy (Score:5, Informative)

      by Dark Lord Seth ( 584963 ) on Saturday March 01, 2003 @07:04PM (#5415457) Journal
      seth@Discordia:~$ echo -e "\e]2;;echo This is to see how queer putty is\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"

      Press Enter>;
      seth@Discordia:~$ l;echo This is to see how queer putty is

      I dare to say that putty IS vulnerable. This is what happens when I run a similiar command. Sure, it still expects an enter and anyone who takes his time to read stuff on his/her screen before blatantly hitting enter will notice the command. This was done with the latest build which I just downloaded from the site.

    • This smells like a troll. The article said Eterm 0.9.1 and hanterm both were vurnerable iirc. It also said Eterm 0.9.2 had improved in the area, but that it should be given an award for being the most vulernerable. I'm kinda scared to use Eterm now.
      • If you'll read the follow-up conversation on BUGTRAQ (link posted above), you'll note that Eterm 0.9.2 is NOT vulnerable to the screen dump problem. I was also unable to create a scenario where the title bug could be exploited in such a way as to hide the command line that was imbedded in there, so the user would have to blindly hit Enter with a complete command line for the exploit sitting there. Only a severely ignorant user would do that.

        You should also read about *why* Mr. Moore gave Eterm the "most vulnerable" award. The only reason he gave which hasn't been fixed for almost 2 years now was the quality and thoroughness of my documentation. :-)

    • CORRECTION to terminal emulators not susceptible (Score:5, Informative)

      by chongo ( 113839 ) on Saturday March 01, 2003 @07:42PM (#5415636) Homepage Journal
      Sorry .. I made a BAD cut and paste on my original posting! SORRY!!!

      The following terminal emulators were found, according to the article, to NOT be susceptible to screen dump or window title attacks:

      • aterm: 0.42
      • konsole: 3.1.0 rc5
      • gnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]
      • SecureCRT: 3.4.6
      • aterm: 0.42

      Some asked about my Perl filter for tailing log files.

      Sans typos, here is an example that removes certain types of messages and fields, checks the file every 60 seconds, picks up trailing on the new file when the log file gets rotated (moved away), trims to 224 characters and replaces unusual chars with ~'s (assuming you use ASCII).

      /usr/bin/tail --retry --follow=name --max-unchanged-stats=60 /var/www/logs/access_log |

      /usr/bin/perl -ne '
      $line = $_;
      chomp $line;
      next if $line =~ m{... some regexp you want to ignore ...};
      next if $line =~ m{... etc ...};
      $line =~ s/... some field you want to ignore ...//;
      $line =~ s/... some common phrase you want to ignore ...//;
      $line =~ s/^(.{1,224}).*$/$1/;
      $line =~ s/\t / /g;
      $line =~ s/[^ -~]/~/g;
      print "$line\n";'

      As they say in perl, there is more than one way to do it. The above code fragment is just to give you the general idea.

    • I'm using konsole 1.2 in kde 3.1, is that affected?
  • OK, so the exploit descriptions seem real and interesting enough, but what was the point of such an over-the-top
    "Fictitious Case Study"?

    Reading that drivel about Andre and his l33t hax0r buddies totally removed the credibility the rest of the article had achieved!
    • The idea is probably to give a scenario so those weak on imagination have something to use to show their boss to explain why they should spend time on this issue.
    • Actually, I found the fictitious case study good because it highlights a practical scenario in which the escape codes were used to hack into another machine. It was relatively believable, except possibly for the convenient set of circumstances in which the hacker discovered information on remote computers.

      I definitely thought it was a good addition to the report, though.

      dave

  • Reinventing (Score:5, Funny)

    by Sarcazmo ( 555312 ) on Saturday March 01, 2003 @06:52PM (#5415381)
    So they discovered ANSI bombs over again.

    Simple! Just tell Linux not to load ANSI.SYS, problem solved!

    • Also known as the "ANSI standard trojan horse." (Score:5, Interesting)

      by Ungrounded Lightning ( 62228 ) on Saturday March 01, 2003 @07:08PM (#5415477) Journal
      So they discovered ANSI bombs over again.

      Looks like it.

      I recall the "ANSI Standard Trojan Horse" (though it was misnamed). It became quite common after ANSI standardized a cross between the VT100 and Ann Arbor Terminals escape sequences.

      Simplest form was to send a "talk" mesage to a root user containing an escape sequence that programmed a hotkey with your command-to-be-run-as-root and then "hit the key" by remote control. (You could even bury it invisibly in an otherwise innocuous-looking message.)

      ANCIENT stuff. What-early '70s?

    • Re:Reinventing (Score:3, Funny)

      by xchino ( 591175 )
      Those were fun... remapping all keys to delete fun files, and then mapping the backspace key as enter :)

      Worked quite often...
    • Yep, the new security guys love to refind whats already out there. In this case, most likly out there in google groups' archive.

      One thing they forgot about was the enter key mapping which can be loads of fun as well as the function key mapping. Most of the v100ish things will allow you to reprogram the enter key to any 4 character sequence (4 nulls is fun) but many of the people who copied the spec, didn't bother with the 4 character limit.

    • The more things change... 1979 version (Score:5, Interesting)

      by billstewart ( 78916 ) on Saturday March 01, 2003 @11:08PM (#5416523) Journal
      "Hackers At Berkeley Find Security Hole in the Unix, a computer made by DEC". From the Oakland Tribune or some other Bay Area paper in spring 1979. Not an exact quote, but they did say the Unix was a computer made by DEC.

      A long long time ago, on a uucp-net far, far, away, we didn't use terminal emulators, we used real hardware terminals. Most of them didn't run ANSI (I don't remember if the ANSI terminal standards were defined yet, but they looked very much like a DEC VT-100 terminal), but that meant there were lots of types of terminals, all trying to achieve market differentiation by having cool features or small size or large screens or cool plastic cases. Lots of different cool features means lots of vulnerabilities. The hackers in question had REDISCOVERED AN OLD TECHNIQUE - they found ways to hand escape sequences to VT100 terminals that would get the terminal to send arbitrary text back to the computer, which in those good old command-line days meant they could do anything they wanted. All you needed to do was email somebody a message with carefully crafted character strings in it, or use the talk program to write them to their terminal (back when everybody left their ttys writeable so talk would work.) Some of the popular techniques were to abuse programmable function keys (send a sequence to put some string in F1, then another sequence to auto-trigger the F1 key), or automatic whoami-responders (VT100 had one of these), or put the terminal into loopback testing mode (letting you type anything you want.)

      The Hewlett-Packard HP2621 and its relatives had two easy things to do, which didn't let you send arbitrary characters but still hosed the user - one did a reboot on the terminal (and thereby dropped the connection), while the other put it into test pattern mode (sending a long string of UUUUUU to the computer.) There may have also been some block-mode things that let you send arbitrary characters to the computer, but these two were the easiest and best-documented. A couple years later, when I was a newbie learning Unix programming and security at Bell Labs, and Robert Morris Senior (father of RTM the Worm Author) was a department head for computer security (before he went to NSA), we'd had a discussion about some techniques I was trying (which he cracked through personally :-), and a few days later, when I'd patched those holes, I was playing rogue in the evening, and one of his people talked the test pattern sequence at me. For a few seconds, I though Umber Hulks were suddenly going to eat my character, but then realized I'd been hacked, and it was one of RTM's people following up on what I'd patched and what I hadn't...

      Terminology note on "hacker" as opposed to "cracker" or "vandal" - The folks at Berkeley really were hacking - tinkering with things to find their limits - and while they could potentially use their knowledge for evil, they instead told people about it, which reminded lots of us to check for potential security holes in our systems.

  • Another day, another vulnerability. These exploits are getting more bizzare and more useless every day. The risk factor here is ridiculously low.

    I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

    Now, when someone gets an exploit to replace the Slashdot ads with Goatse, then I'll be impressed.
    • If you really want my window title

      You got it all wrong. Nobody wants to know what your window title is. However somebody wants to decide what your window title is going to become, and later they are going to have your shell execute that as if it were a command.
    • This is hardly useless or risk-free. It would be quite easy to create a worm to pump arbitrary escape/binary code into syslogs and apache error logs around the world.

      If you had read the article the author gave quite a convincing hack sequence.
    • >I don't want to here about anymore useless exploits or no risk vulnerabilities. If you really want my window title, I'll telll you what it is; Getting Hacked Through Your Terminal - Konqueror

      Aha, he's running Konqueror, hence kde *searches for kde-exploits on scriptkiddieheaven.com*

      Mohahaha *rubbing his hands with a evil grin on his lips*

  • Fuzzy memory (Score:4, Interesting)

    by maelstrom ( 638 ) on Saturday March 01, 2003 @06:55PM (#5415400) Homepage Journal
    Been a long time, but I seem to recall that many popular bulletin board systems used special ANSI characters as control codes in the menus and such. The purpose was to allow the sysop the ability to dynamically add the current date, or who was online, etc. Basically server side includes for the BBS.


    However, certan software would allow an attacker to insert these control codes anywhere, and not just interpret them from the menus.


    Imagine the hilarity that insues once the attacker figures out the embed sequence for the drop to DOS feature. :)

    • Re:Fuzzy memory (Score:3, Informative)

      by zztzed ( 279 )
      Wow, your memory really is fuzzy... either that or you used incredibly badly-written BBS software.

      No BBS program I ever used (most of my experience is with TriBBS and RemoteAccess, but I also dabbled with Renegade and various Renegade-alikes) would parse the dynamic-content codes outside of files that would actually be displayed by the BBS. My memory's a bit fuzzy as well, so there might have been a few exceptions that I don't explicitly recall, such as allowing users with high enough access levels (e.g., sysops) to use them in messages, or allowing them in certain message bases, but under normal circumstances no one but the sysop would be allowed to use them and even then only in very limited circumstances.

      Similarly, no BBS program I ever used had a "drop to DOS" sequence that could be embedded in a display file. Of course there was a menu command that would do it, but a) menus and the ANSI files displayed when users accessed them were always separate and b) the drop to DOS command would have to be explicitly defined in whatever menu for anyone to actually use it, and only insane sysops would allow a regular user access to it.

      • Re:Fuzzy memory (Score:3, Informative)

        by maelstrom ( 638 )
        Could be, most of my experience as a Sysop was with RemoteAccess 2.02, Frontdoor 2.12, and various Renegade and WWIV boards.

        And yes, it would be incredibly poor programming practice to have a code path that would allow a user to exploit this. But, consider that many boards had some kind of dynamic headers which would display on top of the regular menus or message boards.

        So it could have been possible such that a user could embed a sequence in a forum message and then upon display the stupid software loads the header from disk, appends the part it has to display and then parses it for command sequences and finally displays it.

        Perhaps I'm only remembering somone claiming this was possible, I never tried to exploit any BBS, I was on the other side trying to keep myself up to date so these things couldn't happen to me. Either way, it was a blast being a Sysop and its good to see I'm not the only one on Slashdot that got a start there :)

  • This isn't a big problem. (Score:3, Funny)

    by Dthoma ( 593797 ) on Saturday March 01, 2003 @06:58PM (#5415420) Journal
    Someone has to be using a terminal for someone to be able to do this to them. Is it just me, or is the solution really obvious? Just chmod every thing with a command line to 000! That should keep those naughty, naughty crackers out!

  • Mac OSX (Score:2, Interesting)

    by fafaforza ( 248976 )
    Apparently the OSX terminal might be susceptible to this. It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

    It would be interesting to see whether actual commands can be executed if tailing /var/log/messages, but I won't be the one to find out as my PowerBook is in the shop...

    • Re:Mac OSX (Score:3, Interesting)

      by scrod ( 136965 )
      The OS X Terminal doesn't seem to be vulnerable. I just tried it.

    • Re:Mac OSX (Score:4, Funny)

      by Waffle Iron ( 339739 ) on Saturday March 01, 2003 @10:52PM (#5416435)
      It is possible to alias different escape sequences to commands like lm and ll to make the terminal full screen, send it to the background, make it tall, etc.

      The bad news: Evil black hat hackers can use remote exploits to move the OSX terminal around the screen.

      The good news: With the velvet smooth animated motion, harmonizing colors, translucent effects and drop shadows, being 0wned has never looked better!

  • BBS ANSI Bombs (Score:5, Interesting)

    by Leeji ( 521631 ) <`slashdot' `at' `leeholmes.com'> on Saturday March 01, 2003 @07:01PM (#5415438) Homepage

    Back in the day, "Ansi Bombs" were considered an art form. With the art scene so active, you could usually embed some evil escape string in a good looking graphic and know that you were going to get people.

    The problem was DOS' overly-powerful ANSI.SYS interpreter. It let you remap any key to an arbitrary set of keys, making keyboard macros pretty easy. However, it also let evildoers remap "Space" to, for example, "del *.*, enter, y, enter." Luckily, there were third party ANSI interpreters that didn't suffer this vulnerability.

    One time, when I was about to reformat my HD, I even wrote an ANSI bomb to do it. Crazy stuff. There's an interesting (and of course, old) paper about it here. [textfiles.com]

    • Re:BBS ANSI Bombs (Score:2, Informative)

      by rjamestaylor ( 117847 )
      Speaking of the BBS days, when using my Mac Classic and the terminal software of the day (the name of which I forget) whenever the string
      NO CARRIER+++ was displayed beginning in position 0 (left to right) the modem connection dropped. I made the mistake of sharing this newfound knowledge with my friends who proceeded to disconnect me at every possible opportunity. Of course, today I could have them arrested under the anti-terrorism laws for their purposeful denial of service attack. Hmmm...is the law retroactive??
      • I remember users of my BBS and MUD's that'd do that to each other. None of the term programs I used was ever affected but it was pretty sloppy coding not to think of people doing that. On the other hand you rarely see much done with term programs these days. Back then you'd frequently create fairly impressive interactive programs. It's just not something you see much any more. My favorite was when RIPTerm came out. I actually had some RIPTerm-based websites that'd only work if you were using a text-based web browser (like Lynx) and the RIPTerm client. Was sort of fun and predated Flash by quite some time. :)

  • Uhm, no... (Score:3, Informative)

    by loucura! ( 247834 ) on Saturday March 01, 2003 @07:08PM (#5415472)
    If you had read the article, rather than just glancing through it... those were the terminal emulators he used.

    Eterm was affected, Putty, Xterm, and Rxvt.
  • Most terminals released in the last few months aren't afflicted by this, particularly the most common. You have to be running a terminal to get hacked like this. You need some pretty contrived circumstances to get hacked like this; your average opportunistic script kiddie won't be able to use this trick too easily on strangers. Besides, couldn't you just set up a cron job to pipe all the logs through strings?

    • Dear Sir, (Score:1)

      by Anonymous Coward
      I have checked your journal, and there are no links to porn sites. Please rectify this immediately.

      Thank you,
      Anonymous Coward

  • Thread (Score:5, Informative)

    by taviso ( 566920 ) on Saturday March 01, 2003 @07:25PM (#5415555) Homepage
    The author went on to have an interesting converstaion with Micahel Jennings, author of Eterm [eterm.org] on Bugtraq here [securityfocus.com].

    • Re:Thread (Score:3, Interesting)

      by Bronster ( 13157 )
      I'm very impressed with the intelligent and humble discussion that is in that thread. They really are both trying to work out how to avoid the problem without breaking applications, rather than blamestorming or pretending it's not an issue.

      Michael Jenning's comments that he's not an expert on security, but does try his best show a real sense of humour and concern for his users.

      Ok, so I'm being a bit of a fanboy, but most links to discussions between open-source developers I see these days are the fights they have (on the very public mailing lists where we can see them). We tend to forget the good work they do the rest of the time.

      (raises hat, or would if I was wearing one) ... and glad I use konsole, at least until a bug is found there ;)

      • Re:Thread (Score:2, Interesting)

        by KainX ( 13349 )
        Thanks. :)

        I started out my life on Unix as a sysadmin, and I always found it distasteful how software developers would get all pissed off at the people who reported the vulnerabilities, as if they were somehow to blame for the author's own screw-ups.

        The bottom line is simply that the person who wrote the code is responsible for their own mistakes. That's really where the buck stops.

        In the end, all that really matters is that things get fixed as quickly and correctly as possible for the sake of the users. Ego-sparring and public feuds accomplish nothing and are ultimately counterproductive.

  • Tailing logs... (Score:5, Informative)

    by Urchlay ( 518024 ) on Saturday March 01, 2003 @07:49PM (#5415671)
    The paper mentions injecting escape sequences into log files which are being tail -f'ed... and that there's nothing new about terminal exploits.

    When I first heard about this (a couple of years back) I started using less +F for tailing logs. less will convert the escape character into the token ESC (in bold or inverse video), avoiding any escape-sequence exploits.. and also adds the benefits of being able to scroll back and search, which would make it worth using even if there were no such thing as a terminal exploit.

    If you're going to leave it running for a long time, you might want to also look into the -b and -B options, to limit the amount of buffer space it will allocate: something like `less -b1024 -B +F /var/log/apache/common.log' would limit less to 1024K (1M) of buffer, which means old data will eventually be discarded, but keeps less from malloc'ing all your core. As always, Read The Fine Manual for details :)

    I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

    Hope this helps someone...
    • Yes, it does.

      Thanks.
      --RJ

    • Re:Tailing logs... (Score:4, Informative)

      by sfe_software ( 220870 ) on Sunday March 02, 2003 @01:34AM (#5417156) Homepage
      I just checked: the `more' command on my Linux and Solaris boxen seems to pass escape sequences through, so you really do want `less' (or alias less=more, if you're used to typing `some_command|more'), not to mention `more' has no equivalent to `less +F' or `tail -f'.

      Actually that should be:

      alias more=less

      But otherwise, very helpful. I'd always been in the habit of using 'tail -f', even as root -- and personally I'll be using 'less +F' from now on.

  • Unstable xterm (Score:3, Interesting)

    by kasperd ( 592156 ) on Saturday March 01, 2003 @08:18PM (#5415799) Homepage Journal
    Some years ago I managed to make an xterm dump core simply by typing the contents of a binary file, which did not contain any malicious data, it just be coincidence contained a byte sequence that would cause xterm to dump core. Investigating this I found, that some sequence of 24 bytes was responsible. But if I made the xterm window larger, it would not crash from this sequence, however it turned out the original file contained another longer sequence that could also make a larger xterm dump core. I never actually understood exactly what was going on, but I found that later xterm versions does not crash from the sequences I saved from back then.

    • Re:Unstable xterm (Score:5, Interesting)

      by NewWazoo ( 2508 ) <bkmatt AT gmail DOT com> on Saturday March 01, 2003 @09:06PM (#5416001) Homepage
      I'm feeling artistic, so I'll write.

      This, in a nutshell, is why you'll never be a Great Hacker. I'm most likely projecting my own insecurities upon you, but I'm writing and you're not, so there.

      I tend to notice little things like you noticed - that catting a binary file will crash my terminal. And then in a fit of boredom, I might even do as you've done and start trimming away sections of the file to find the offending string. I might even write a one-liner that will parse through it for me, automating what would otherwise be a tedious task. I'll eventually end up with a file that is 23 bytes long, and when catted, crashes the terminal.

      But I won't ever find out why. That file will remain a curiosity in my $HOME/misc/, to be pondered at until I find that it no longer crashes whatever terminal program I'm using. It might even remain for a while, until one day I have a directory purging session and delete it, wondering "What the hell is this?".

      And that, in my opinion, is what separates Great Hackers from the myriad of wannabes. I'm definitely a wannabe. I'm proficient at everything I do, but I'll never spend the (quite possibly small number of) hours actually finding out why that string crashes xterm, and maybe doing something useful with it. The rewards are definitely there, and I've tasted their sweetness in flashes of inspiration, but I just don't have it.

      What is it? I don't know. I don't suspect that I ever will, in this particular field. I think that I might just have it in another field (racing cars), but I think it's likely that I'll be Just Proficient at that, too, much as I have been at most everything for my whole life. And that's a pretty depressing thought.

      Great Hackers have it, I think. They must. In fact, part of me wants to disbelieve that it exists; that if I'd just push myself a little bit harder, that if I'd just concentrate a little more, that if I would simultaneously dig deeper into and maintain a broader view/mindset of whatever it is that I'm doing, that suddenly I'd become a Great Hacker. I'd know the formula of self-motivation, and from then on it'd be easy. But it just doesn't seem to work that way - I read the exploits of Great Hackers, and marvel at how they do their work, just knowing that I could never do that! Knowing that given the same set of curiosities, my interest or drive or whatever would sputter out, and at best I'd end up with something nifty, that I might be able to make use of in my next bout of Adequate Hacking.

      I'm sitting here thinking that I want to type some sort of sage-like advice to you (whoever you are) about forcing yourself to go the extra mile, or don't be lazy, or to eat your Wheaties before you start hacking. Fact is, I know that I've missed the opportunity to grab it. I also know that I've no clue what I did "wrong", and wouldn't know what to do differently, even could I go back in time and change something. I wish that I could have it, but I know that I never will.

      I'm still pretty young (19)... maybe I'll figure out how to grab it between here and there.

      • >And that, in my opinion, is what separates Great Hackers from the myriad of
        >wannabes. I'm definitely a wannabe.

        No, sir. YOu are not a wannabe. Go check out usenet:alt.hacking.* and look for
        "Hotmail Hax0rz", "Warez", "Mail haxorz", "DOS", and other usual keywords
        associated to 'have-no-clue-but-must-impress-my-friends' wanabees. If you have a
        clue, you're already out of that category.

        >I'm proficient at everything I do, but I'll never spend the (quite possibly small
        >number of) hours actually finding out why that string crashes xterm, and maybe
        >doing something useful with it. The rewards are definitely there,

        The big key there is "why". That's what gives master hackers their edge. The
        thirst of knowledge hanging just above their head, waiting to be plucked. But
        how do you pluck it? Do you just rush to it, squishing it in your hands, licking
        the residue from your palm? No.. you cherish and understand it. But you don't
        give up. If that means asking for help from somebody more learned in that
        area... Anything to solve that problem.

        >and I've tasted
        >their sweetness in flashes of inspiration, but I just don't have it.

        But you've never tasted the sweetness of power sitting at a console with remote
        root, gotten accidently by noticing and exploiting a 'weird bug'?

        >What is it? I don't know. I don't suspect that I ever will, in this particular
        >field. I think that I might just have it in another field (racing cars), but I
        >think it's likely that I'll be Just Proficient at that, too, much as I have
        >been at most everything for my whole life. And that's a pretty depressing
        >thought.

        Oh, is it? Look at your skills as a stat with a library of different happenings.
        Who else here, let alone else in the world has your exact skill set and
        memories? Nobody.

        And so what, you'll be 'just proficient' in computing. That's way above the
        average. Many people have a hard time of understanding "double click" or basic
        computer terms. Put together and exploit what you do know and become an expert
        in your field of knowledge. That'll get you respect, and access to more
        information.
      • The Great Hacker (later read: me) would dig up docs on VT10x escape sequence interpretation. Then I would look to see what that trimmed down file translates to in terms of screen manipulation code.

        I would think to myself, does that series of actions even make sense? It probably wouldn't (seeing as it tends to crash xterm).

        The next thing would be to trim the sequence down to just escape codes (removing any printable characters in the sequence), and see if still dumps core. If not, its probably due to a simple segfault (whether writing character or blitting a bitmapped font in an invalid buffer).

        Then try removing an escape code or chaning a parameter. Does it still dump core? Are there ranges of values for each escape code that cause the behavior?

        Finally, you'd grab the source code and see if the are any obvious flaws. Does the emulator load a parameter and then cast it into a signed value? Then does it not check to see if it was negative? etc.

        All those steps (which I've never done nor considered before your post) would be my plan to handle and investigate the situation.

        I think what it requires to be a Good Hacker, therefore, is a sick motivation to get to the bottom of things, no matter how painful or time consuming the excercise. The steps I outlined above could easily take 15 hrs. to adequately address. Are the potential results worth that time? To a great hacker, who relishes such experiences, yes they are, even if she cannot pinpoint the problem or fix it.

        There was nothing that you did wrong. I think maybe you didn't really want to be one. Great hackers do not just have fits of ingenuity and shit. They just hack at things until it becomes clear. It's time consuming, tiring, and often thankless. But over time, you get to have a certain knack for relating new problems to old ones, and it becomes easier.

        Nothing says you can't start now either. Go for it!

      • Great Hackers (Score:3, Interesting)

        by Hubert_Shrump ( 256081 )
        Larry Wall's famous quote says Great Hacker virtues include Laziness, Impatience, and Hubris.

        I would agree, and say that a Great Hacker would locate those killer ctrl codes, get a boatload of diagnostic information together, and hand all that over to the maintainer of the terminal program and then not sweat trying to figure it out themselves.

        Let someone that knows the code, and might be better able to divine what's up have a wonk at it. You could even check the diffs if it ever gets patched, and you were curious and had time to kill.

        Then, the Great Hacker would go and patch their own project to fix up the newest incoming bug report.

        Then, the Great Hacker would rest and eat of the Divine Pizza.

        And all would profit.

        • Damn :/

          That's what I was trying to say, but shorter, and included the specifc Larry Wall reference I was thinking when I wrote my reply.

          That will teach me to post a followup before reading the already posted replies. <autolart>
      • I think that's nonsense.

        I'm certainly not professing to be a great hacker, and I don't think people in that category would use that term to desribe themselves.

        However...

        Not bothering to spend the time working out why a given string crashes an xterm does not mean you are not a great hacker, let alone that you will never be one.

        All it means is there was something else you would rather do instead. Which is not a bad thing.

        Obviously, you can't fix every software bug in the world on your own - and clearly the best way to deal with them is not to try and fix them all personally, so another approach is needed.

        To put it another way:

        If everybody spent time trying to fix obscure bugs in other people's code while still trying to write their own software, all development would grind to a halt - developers would spend loads of time pouring over and trying to understand documentation for libraries and API's and going line by line through other people's, very possibly krufty, code - instead of spending time working on solving their own bugs.

        If I found such a bug, I'd be likely to contact the author informing him (and provding some details as to why), and go back to fixing *my* bugs.

        Although it's no bad thing to debug and fix bugs in other poeple's code if you have some free time and no projects of your own, it's simply far more logical and efficent to spend time fixing your own bugs.

        PS: FWIW, IMHO, 'it' is simply equal lashings of time and effort and a dollop of hubris to taste, served on a bed of sufficent basic intelligence. The 'time' and 'effort' ingredients being the hardest to come across.
    • Well, I'm using xterm 4.2.0. (165), and it occasionally dumps core on some binary files I try to "cat" (by accident of course). Don't ask me which files, and what they contain. I really never gave it much thought.

  • tail -f log | cat -v (Score:5, Informative)

    by e40 ( 448424 ) on Saturday March 01, 2003 @08:50PM (#5415936) Journal
    will take care of the tail of a log file problem...

  • In the article, especially in the 'Fictitious Case Study', the author makes quite a lot of snide (although funny) remarks about Enlightenment.

    By the way, I am not an Enlightenment user, so don't think that is why posted this.

    For instance...

    ...Jim has a new 2.5Ghz P4 and finally has enough processing power to run the Enlightenment window manager...

    ...or...

    ...Andre finally manages to get Eterm and its 60 megabytes [
    sic] of support libraries compiled....

    Thank you.

    GrimReality
    2003-03-02 01:27:02 UTC (2003-03-01 20:27:02 EST)

  • How many of us happen to put pictures of our terminal windows up on our websites?

    • How many of us happen to put pictures of our terminal windows up on our websites?

      Gee, I wonder how many desktop themes I've looked at that say "Look how great a terminal window looks in this them!". I know for a fact that MPlayerhq has terminal windows in some screenshots.

      Hm, I wonder how many of us don't put pictures of our terminal windows up on our websites? That's probly a smaller number than the one you're looking for....

  • "write"? (Score:3, Informative)

    by kris ( 824 ) <kris-slashdot@koehntopp.de> on Sunday March 02, 2003 @04:36AM (#5417598) Homepage
    You do have "mesg n" set, do you?

    If not, you are attachable by "write " as well.

    And yes, this is very, very old. Many an administrators open terminals have been taken remotely using this when I was at university.

    Kristian
  • tail -f /var/spool/foo/logfile | cat -uv

    Something any smart sysadmin would do, anyway, to display just exactly what was showing up in the log.

  • Doesn't have to be a tail or log file. (Score:3, Interesting)

    by TheLink ( 130905 ) on Sunday March 02, 2003 @05:20AM (#5417735) Journal
    Some programs or setups spit stuff out to the console - warnings, error messages etc.

    I remember doing something similar when testing my company's TIS FWTK setup years ago. When you used an address with unbalanced brackets, sendmail when called by smapd will grumble to the console. As a test I sent an email with a ESC sequence setting the foreground colour to black and it worked. Wasn't too surprised. Wasn't able to find an exploit for the console term at that time, and no one abused it (security through obscurity).

    Later I switched to using qmail (IIRC qmail 1.0.3 dates to 1998, the TIS FWTK has been around for quite some time). Just to test things out I also recently wrote an smtp proxy to enforce state and filter out stuff(qmail may be robust, but it tends to pass the junk unfiltered to other stuff which may be less robust).

    Some O/Ses send a many kinds of messages to the console too.

  • Forget about emulators, just hack real terminals (Score:4, Informative)

    by iamacat ( 583406 ) on Sunday March 02, 2003 @06:21AM (#5417854)
    VT220s in my school lab used to have a feature that you can send them ACK character and they'll reply with a string configured in the terminal menu. I used to reprogram the string to do some UNIX commands and then put ^E in my .plan - back in the days when people used finger as a web browser. Also, you could just write a simple shell script that simulated the login sequence and leave it running without logging out. On older UNIX systems, this worked even over dialup if your shell script ignored SIGHUP.

    But the later option was too risky for my taste, because the "login" process was owned by you. So instead, I wrote a doomsday shell script. It gave you a # prompt to make you believe you are running as root. It then emulated various UNIX commands. For example "jobs" showed [1] rm -rf / & and "kill" returned "Permission denied". It logged all the commands and responses to an obscure file in my home directory. Once I got our semi-knowlegable system administrator's assistant to "interact" with this script and it was quite fun reading him using kill 10 times in a row with the same arguments. She really thought the filesystem was going south.

    Terrible abuse that can be inflicted on X terminals or public lab PCs with terminal emulators is left to the imagination of the reader.

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close