The exploit works like this:

1) Attacker sends HTTP request with ANSI escape sequence embedded in URL
2) Escape sequence is logged to access log.
3) Administrator on web server views log via cat, tail, etc.
4) Escape sequences are interpreted by terminal emulator.

In the case of extremely braindead terminal emulators, this can result in
arbitrary command execution.  The example in the SecurityFocus link sends an
escape sequence which changes the window title in most common terminal
emulators.  A more comprehensive overview of terminal emulator security
issues is available here: http://marc.info/?l=bugtraq&m=104612710031920

Some subtle (?) points:
1) The "remote" exploit actually occurs on the host running the terminal
emulator, not the web server.
2) Most terminal emulators do not support arbitrary command execution via
escape sequences.

-Andrew

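The two defensive pieces the thread discusses, as an added example in C that is not the nslog.c fix committed to the aolserver module and not code from anyone on the list: a logger-side function that percent-encodes control bytes (so a raw 0x1B is written as %1B, as Dossy suggests) and an audit-side check that flags lines already on disk that still carry terminal control bytes. The function names and the sample request path with its embedded title-change sequence are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes that must not reach the quoted request field of an access-log line
 * raw: C0 controls (ESC = 0x1B among them), DEL, any non-ASCII byte, and
 * the two characters that would break the quoted field itself. */
static int needs_escape(unsigned char c)
{
    return c < 0x21 || c > 0x7E || c == '"' || c == '\\';
}

/* Copy `in` to `out`, rewriting every byte needs_escape() flags as %XX
 * (upper-case hex).  Printable ASCII, '%' included, passes through
 * unchanged so a URI the client already percent-encoded is not
 * double-encoded.  Returns bytes written (excluding the NUL), or
 * (size_t)-1 if `out` is too small; `out` is NUL-terminated when outsz > 0.
 * Hypothetical name, not an AOLserver API. */
size_t log_escape_uri(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outsz == 0) return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (needs_escape(*p)) {
            if (o + 3 >= outsz) { out[o] = '\0'; return (size_t)-1; }
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        } else {
            if (o + 1 >= outsz) { out[o] = '\0'; return (size_t)-1; }
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return o;
}

/* Audit side: return 1 if a raw log line still carries a byte a terminal
 * emulator would interpret (ESC, the 8-bit CSI 0x9B, or any other C0
 * control apart from line terminators and tab), 0 otherwise.  Meant for
 * scanning logs written before the logger started escaping. */
int contains_terminal_escape(const char *line)
{
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (*p == 0x1B || *p == 0x9B) return 1;
        if (*p < 0x20 && *p != '\n' && *p != '\r' && *p != '\t') return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a request path carrying an OSC window-title
     * sequence (ESC ] 0 ; ... BEL), the kind of payload the thread describes. */
    const char raw_uri[] = "/index.html?q=\x1b]0;TITLE\x07";
    char escaped[256];

    printf("raw line flagged:     %d\n", contains_terminal_escape(raw_uri));
    if (log_escape_uri(raw_uri, escaped, sizeof escaped) != (size_t)-1) {
        printf("escaped for log:      %s\n", escaped);
        printf("escaped line flagged: %d\n", contains_terminal_escape(escaped));
    }
    return 0;
}
```

Leaving '%' unencoded keeps the logged URI byte-for-byte equal to what the client sent for the printable range, which is what log-analysis tools expect; the trade-off is that a client sending the literal text "%1B" is indistinguishable in the log from one sending a raw ESC byte, so the audit check above should be run on the raw bytes before escaping, not on the escaped output.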


On Thu, Sep 9, 2010 at 9:47 AM, Jade Rubick <[email protected]> wrote:

> Did I read this correctly: this is a remotely exploitable?
>
> Jade
>
> Jade Rubick | Director of Development | TRUiST
> 2201 Wisconsin Ave NW, Suite 250 | Washington, DC 20007 | www.truist.com |
> +1 202 903 2564
>
> Please consider the environment before printing
>
> The information contained in this email/document is confidential and may be
> legally privileged. Access to this email/document by anyone other than the
> intended recipient(s) is unauthorized. If you are not an intended recipient,
> any disclosure, copying, distribution, or any action taken or omitted to be
> taken in reliance to it, is prohibited.
>
> On Sep 9, 2010, at 5:41 AM, Dossy Shiobara wrote:
>
> As a short-term solution, this is probably adequate, but there's
> information loss -- it'd be nice to indicate the original byte sequence
> somehow in the log entry by escaping characters so that log analysis
> tools could detect such attacks, etc.
>
> Perhaps the right answer is to log the URI with proper URL-encoding, so
> that it would be logged as %1B instead of the literal byte.
>
>
> On 9/9/10 8:18 AM, Gustaf Neumann wrote:
>
> i have just now committed a quick fix for the problem into the
> aolserver/nslog/nslog.c into the sourceforge module. please check, if
> this is in all cases sufficient.
>
> --
> Dossy Shiobara              | [email protected] | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>  "He realized the fastest way to change is to laugh at your own
>    folly -- then you can let go and quickly move on." (p. 70)
>
>
> --
> AOLserver - http://www.aolserver.com/
>
> To Remove yourself from this list, simply send an email to <
> [email protected]> with the
> body of "SIGNOFF AOLSERVER" in the email message. You can leave the
> Subject: field of your email blank.
