1;2c after using cat or more on binary files

Oxagast · 11-27-2009, 10:34 AM

I noticed that if you use the hex 05 in a file and cat or more the file you can get bash to say 1;2c.

Code:

oxagast@likon ~/code $ cat fmore
^[[?1;2coxagast@likon ~/code $ 1;2c
bash: 1: command not found
bash: 2c: command not found
oxagast@likon ~/code $ hexdump fmore
0000000 0005                                   
0000001
oxagast@likon ~/code $

I was just interested in why it does this and if it's a security bug, considering most people, when using more, will press the return key until the files over, so you could craft a file that looks normal and wait until they get to the end and if an executable file 1 or 2c is in the path (or if you could possibly change what those values are) it would execute them once it drops back to bash. The fmore file does not have to be set to executable or anything.

Thanks,
oxagast

unSpawn · 11-28-2009, 02:54 AM

It's in the way non-printing or control characters and escape sequences are interpreted. Abusing that can still fool some applications or log parsers so using precautions something like 'noexec less -dRUX /path/logfilename' or 'cat -v /path/filename|col -x' or using 'strings -an1|less' to read things make sense if you think you're onto something. Dropping files in (the '.' portion of the) $PATH is an ancient trick to make people execute things. Abusing it AFAIK hinges on having the required access rights to drop files in path items (meaning that if root does that you've got problems of a different magnitude) and sane path settings (e.g. the root account shouldn't have or need '.' in its path and certainly not as the first item or risk asking for trouble).

Oxagast · 11-28-2009, 09:48 AM

Thank you, that was helpful and interesting.