How safe is it to cat an arbitrary file?
Solution 1
Whether such output can be exploited depends on the terminal program, and what that terminal does depending on escape codes that are being sent. I am not aware of terminal programs having such exploitable features, and the only problem now would be if there is an unknown buffer overflow or something like that, that could be exploited.
With some older hardware terminals this could be a problem as you programmed e.g. function keys with these kinds of escape sequences, by storing a command sequence for that key in the hardware. You would still need a physical key-press to activate that.
But there are always (as Hauke so rightfully marked 'braindead') people willing to add such a feature if it solves a problem for them, not understanding the loophole they create. My experience with open source software is that, because of the many eyes looking at the code, this is less likely to happen than with closed source. (I remember that in the mail program on Silicon Graphics' Irix, in the mid-nineties, you could include commands to be executed on the receiver's machine, real paths to executables, ....)
Solution 2
Most terminal emulators will send back some response, if they receive certain escape sequences (have a look at the xterm control sequences documentation). E.g., you can send \e[0c to a VT100-like emulator and it will send back the device attributes, something like \e[?1;2c (This is probably what Keith observed.) But these answers are not arbitrary strings. Still, having an executable named 2c somewhere on your system that does something fatal is a bad idea.
Update: The risks are in fact bigger than I thought, due to the possibility to set the title of an xterm window and to send back the title using appropriate escape sequences (http://www.securityfocus.com/bid/6940/). In contrast to the example above, the title can be an almost arbitrary string.
Solution 3
This changes the terminal title in GNOME Terminal 3.6.1, unless overridden by something like PS1:
printf "\033]2;Script Kiddie was here\007"
Now open a new GNOME Terminal window to test the cat version:
printf "\033]2;Script Kiddie was here\007" > test.bin
cat test.bin
Yep, this also sets the terminal title.
There used to be a security issue with an escape code resulting in the title being printed to the command line, so you could effectively create a file, which when cat'ed would print (I'm not sure if you could put a newline in there) arbitrary commands. Ouch!
Solution 4
While using cat might not result in code execution, escape codes will be processed so you could easily be misled into thinking the script is harmless when in fact it is malicious.
Here is an example command you can run which will create a "malicious" shell script:
echo -e '#!/bin/sh\necho "...doing something bad here..."\nexit\n\033[A\033[Aecho "Hello dear reader, I am just a harmless script, safe to run me!"' > demo.sh
chmod a+x demo.sh
When you inspect the file, it seems harmless enough:
$ cat demo.sh
#!/bin/sh
echo "Hello dear reader, I am just a harmless script, safe to run me!"
But should you actually run it...
$ ./demo.sh
...doing something bad here...
The script works by including raw escape codes to move the cursor up a couple of lines, so the rest of the script is written over the top of the malicious code, hiding it.
Nearly any other program will reveal the script for what it is. Only programs that don't process the file content (like cat, more and less -r) will produce the misleading output.
Note that tail and head also produce the same misleading output. Using "less +F" is therefore safer than "tail -f".
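Added example, not part of any of the answers above: a Python scanner for the sequence families those answers mention (title-setting OSC, device-attribute and status queries, cursor movement, ENQ), plus a caret-notation renderer similar to cat -v. The names scan and visible and the sample byte strings are assumptions of this example; the samples are constructed from the commands shown in Solutions 2, 3 and 4.

```python
import re

# One alternation, tried left to right, so specific families win over generic ones.
SEQ = re.compile(
    rb"(?P<osc_title>\x1b\][012];[^\x07\x1b]*(?:\x07|\x1b\\))"  # set window/icon title
    rb"|(?P<csi_query>\x1b\[[0-9;?>]*[cnt])"     # DA, DSR, window ops: terminal may reply
    rb"|(?P<csi_cursor>\x1b\[[0-9;]*[A-HJKf])"   # cursor movement / erase: can hide text
    rb"|(?P<csi_other>\x1b\[[0-?]*[ -/]*[@-~])"  # any other CSI sequence
    rb"|(?P<enq>\x05)"                           # ENQ: answerback request
    rb"|(?P<control>[\x00-\x08\x0b-\x1f\x7f])"   # remaining C0 controls and DEL
)

def scan(data: bytes):
    """Return (offset, family, raw bytes) for every control sequence in data."""
    return [(m.start(), m.lastgroup, m.group()) for m in SEQ.finditer(data)]

def visible(data: bytes) -> str:
    """Caret-notation rendering (similar to cat -v), keeping newline and tab."""
    out = []
    for b in data:
        if b in (0x09, 0x0A) or 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))   # ESC becomes ^[, BEL becomes ^G
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append(f"\\x{b:02x}")         # high bytes shown as hex
    return "".join(out)

# Constructed samples, byte-for-byte what the commands in the answers write.
DEMO_SH = (b'#!/bin/sh\necho "...doing something bad here..."\nexit\n'
           b'\x1b[A\x1b[Aecho "Hello dear reader, I am just a harmless script, '
           b'safe to run me!"\n')
TITLE = b"\x1b]2;Script Kiddie was here\x07"
DA_QUERY = b"\x1b[0c"

if __name__ == "__main__":
    for name, sample in (("demo.sh", DEMO_SH), ("test.bin", TITLE), ("query", DA_QUERY)):
        hits = scan(sample)
        print(f"{name}: {len(hits)} control sequence(s)")
        for offset, family, raw in hits:
            print(f"  offset {offset}: {family} {visible(raw)}")
        if hits:
            print(visible(sample))
```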
Solution 5
I have definitely experienced xterm inserting arbitrary characters into itself as if I had typed them. And on occasion this has apparently included a newline character, so that I got ngwerm:0riu: command not found as a response. I see no reason why someone could not craft a file that would send specific, harmful commands. So yes, at least some terminals are susceptible to attacks with arbitrary impact.
Gunchars
Updated on September 18, 2022
Comments
-
Gunchars over 1 year
Sometimes when I cat a binary file by mistake, my terminal gets garbled up. Nothing a quick reset can't fix, but couldn't an attacker theoretically create a file that, when displayed on a terminal, would execute some arbitrary code? Through an exploit in the terminal emulator or otherwise.
-
Keith about 11 years: Sometimes when I do that my shell will say at the end "<garbage> unknown command". That makes me wonder if this is actually possible.
-
sunnysideup about 11 years: There were exploits for the terminal emulator, e.g. linuxsecurity.com/content/view/104657 or securityfocus.com/bid/6936/discuss so it is not necessarily particularly safe
-
Blrfl about 11 years: This is why it's better to use something that will balk at binary files (like more) or is terminal-aware (less) to examine the contents of files. Not only will it not put your terminal in a weird state, the whole file won't go flying by in one shot.
-
bot47 almost 8 years: mosh documentation has some thoughts on that: mosh.mit.edu/#techinfo
-
Gilles 'SO- stop being evil' over 7 years
-
mosvy about 4 years: @ThorbjørnRavnAndersen No, it does not.
-
Admin about 2 years: See also superuser.com/q/1520750/59284.
-
-
Gunchars about 11 years: That's already cutting it very close.
-
user about 11 years: "you could include commands to be executed on the receivers machine" You mean something like including in an email VBScript that calls out to the Windows Scripting Host? :)
-
Anthon about 11 years: Not exactly, you could start an executable that was already on the machine, like playing a sound. I don't recall the exact syntax (that was almost 20 years ago) nor whether you could switch that 'feature' off in a setup. We had some fun though with auto-playing videos stored in our network.
-
Anthon about 11 years: @luserdroog No this was the standard GUI based mail program under Irix
-
luser droog about 11 years: Oh, well. I'm a little obsessed with NeWS. :)
-
Baard Kopperud about 11 years: @Anthon I'm not sure if it's still possible, but the possibility of using escape-codes to get a terminal to "repeat" text coming to it from the write command - thus executing commands/scripts as the user owning the terminal. It's supposedly the reason why many recommend turning off messages mesg -n for users most of the time, and for root always. AFAIK, this was actually done - though I don't know if it ever was exploited. So random text from a cat'ted executable, could perhaps be executed.
-
sendmoreinfo about 11 years: There's an even older feature -- 'answerback message', sent in response to ENQ (C-e) character. On a real VT100, it is set by the user in the terminal's SETUP menu; maybe there are terminal emulators that allow setting it remotely...
-
Jan Wikholm over 9 years: Running strings on an unknown file can also have problematic consequences. lcamtuf.blogspot.fi/2014/10/…
-
Charlie about 9 years: This is quite problematic... You can see what's actually going on by running echo $(cat demo.sh), cat demo.sh | grep . --color=yes (Note: the --color=yes is what's showing the "malicious" code here) or the built-in cat -v demo.sh.
-
Incnis Mrsi over 8 years: True or false, it’s an answer for a different question: how trustworthy is cat in displaying the file’s content.
-
slm over 8 years: @IncnisMrsi - read the first sentence!!!!
-
Incnis Mrsi over 8 years: OK, retracting my previous statement. The answer is short, using confusing terminology, unfounded, and evidently incomplete. Note that in security, “arbitrary” ≠ random as distributed in your favourite OS.
-
G-Man Says 'Reinstate Monica' about 4 years: (1) You do realize that Hauke Laging’s answer has been deleted, so most people can’t see it, right? (2) Strictly speaking, Hauke said that the insecure feature was braindead, not the implementer.