A terminal emulator is a program that mimics a video terminal, giving the user access to a local or remote host: it displays the output of programs and passes typed commands to them. If an attacker can feed bytes of their choosing to the emulator's escape-sequence parser, they can make the terminal do things the user never asked for, up to and including injecting input that ends up executed as commands. Interesting attack vector!
ANSI escape sequences are a standard for in-band signaling that controls cursor position, colors, font styling and other options on text terminals. A sequence normally starts with the escape character ESC (0x1B) followed by a set of parameters. Reading the terminal CVEs from 2003, the author noticed that the window title, which an attacker can set with an escape sequence, could later be turned into executed input: a terminal that can be asked to report its title writes the title back into the input stream as if it had been typed, and many .bashrc files re-set the title on every prompt, so the attacker's string keeps coming back.
From these earlier CVEs, the author learned a lot. In CVE-2015-8971, Terminology 0.7.0 did not filter newlines when the window title was changed. An attacker could therefore set the window title to a command ending in a newline and have the terminal re-insert it into its own input buffer, which amounts to arbitrary terminal input (that is, code execution).
Looking for new bugs in terminals, the author threw a quick Perl one-liner at the terminal: perl -e 'while(1){print "\e]0;pwn\a"};'. This sets the window title in a tight loop, and that alone was enough to bring the machine down. They reproduced it against browsers, terminals and many other programs. Apparently, merely setting the title of a terminal can lead to a DoS!
Kubernetes and OpenShift do not escape ANSI control characters in the names they display. An attacker who controls such a name can therefore embed sequences that change the terminal window title, paint the terminal in whatever colors they choose, clear the display, and so on. That does not give arbitrary code execution, but being able to show or hide text in an administrator's terminal is fascinating!
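The defence against the Kubernetes/OpenShift issue is simple: never write untrusted strings to a terminal without neutralizing escape sequences first. The scanner below is an added example, not code from the talk or from the Kubernetes project. It removes well-formed CSI sequences (ESC [ ... final byte), string sequences such as OSC (ESC ] ... terminated by BEL or ESC \) and the short ESC-plus-one-byte forms, and renders any control character that survives, including a truncated sequence's lone ESC, in visible caret notation so it cannot act. The sample "pod name" is constructed for the demonstration.

```python
# Added example: sanitize untrusted text before it reaches a terminal.
# Constructed payload, modelled on an object name that carries escape
# sequences (title change, clear screen, red text).
MALICIOUS_NAME = "web-frontend\x1b]0;pwned\x07\x1b[2J\x1b[31mcompromised\x1b[0m"


def _defang(ch: str) -> str:
    """Render a stray control character visibly instead of letting it act."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    if code < 0x20:
        return "^" + chr(code + 0x40)      # ESC (0x1B) becomes "^["
    return "\\x%02x" % code                # C1 controls 0x80-0x9F


def strip_ansi(text: str) -> str:
    """Drop well-formed escape sequences, defang everything else that is a control char."""
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\x1b" and i + 1 < n:
            nxt = text[i + 1]
            if nxt == "[":
                # CSI: parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, final 0x40-0x7E
                j = i + 2
                while j < n and "\x30" <= text[j] <= "\x3f":
                    j += 1
                while j < n and "\x20" <= text[j] <= "\x2f":
                    j += 1
                if j < n and "\x40" <= text[j] <= "\x7e":
                    i = j + 1
                    continue
                # truncated CSI: fall through and defang the ESC byte
            elif nxt in "]PX^_":
                # OSC / DCS / SOS / PM / APC: string ends at BEL or ST (ESC \)
                j = i + 2
                end = None
                while j < n:
                    if text[j] == "\x07":
                        end = j + 1
                        break
                    if text[j] == "\x1b" and j + 1 < n and text[j + 1] == "\\":
                        end = j + 2
                        break
                    j += 1
                if end is not None:
                    i = end
                    continue
                # unterminated string sequence: defang the ESC, keep the rest visible
            elif "\x20" <= nxt <= "\x2f":
                # nF sequences, e.g. ESC ( B (charset selection): intermediates then a final byte
                j = i + 2
                while j < n and "\x20" <= text[j] <= "\x2f":
                    j += 1
                if j < n and "\x30" <= text[j] <= "\x7e":
                    i = j + 1
                    continue
            elif "\x30" <= nxt <= "\x7e":
                # two-byte sequences such as ESC c (full reset) or ESC 7 (save cursor)
                i += 2
                continue
        # keep printable text, tab and newline; defang every other control character,
        # including 8-bit C1 controls that some terminals treat like ESC [ and friends
        if ch in "\n\t" or "\x20" <= ch <= "\x7e" or ord(ch) >= 0xA0:
            out.append(ch)
        else:
            out.append(_defang(ch))
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print("raw:      ", repr(MALICIOUS_NAME))
    print("sanitized:", repr(strip_ansi(MALICIOUS_NAME)))
```

Stripping rather than merely escaping is the right default for log viewers and CLI tools that print names, labels or log lines they did not produce themselves; anything that still needs colour should add its own sequences after sanitizing the untrusted part.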
Most terminals support bracketed paste mode, which protects against commands copied from the internet being run the moment they are pasted: the terminal wraps the pasted text in ESC [ 200 ~ at the start and ESC [ 201 ~ at the end, and the shell treats everything between the two markers as literal text rather than keystrokes, so an embedded newline does not execute anything. To bypass this, the author starts the copied text with ESC [ 201 ~. The terminal's own start marker is immediately closed by the attacker's end marker, and the rest of the paste is processed as if it had been typed, newlines included. A terminal is only safe here if it strips ESC [ 201 ~ (or any ESC byte at all) from the clipboard contents before wrapping them. Neat!
The author found that MinTTY, XShell and ZOC were all affected by this bracketed paste bypass. This post was a good introduction to ANSI escape sequences and the damage they can cause when they are not handled properly.