1 00:00:00,000 --> 00:00:08,469 foreign 2 00:00:00,500 --> 00:00:08,469 [Music] 3 00:00:11,900 --> 00:00:19,260 now for this session we have David 4 00:00:16,020 --> 00:00:22,199 leadbeta and 5 00:00:19,260 --> 00:00:24,240 yes LED Peter thank you uh now his 6 00:00:22,199 --> 00:00:26,160 presentation is called the Houdini of 7 00:00:24,240 --> 00:00:29,160 the terminal and the need for escaping 8 00:00:26,160 --> 00:00:31,619 now David is an open source software 9 00:00:29,160 --> 00:00:34,440 engineer for G research which is a 10 00:00:31,619 --> 00:00:37,140 leading UK based quantitative research 11 00:00:34,440 --> 00:00:38,460 and Technology firm David is going to 12 00:00:37,140 --> 00:00:41,040 discuss a family of security 13 00:00:38,460 --> 00:00:42,780 vulnerabilities and Terminals and how to 14 00:00:41,040 --> 00:00:43,540 protect against them please welcome 15 00:00:42,780 --> 00:00:46,729 David 16 00:00:43,540 --> 00:00:46,729 [Applause] 17 00:00:47,520 --> 00:00:52,920 thank you I begin today by acknowledging 18 00:00:50,100 --> 00:00:54,840 the world warrant people of the culin 19 00:00:52,920 --> 00:00:56,340 nation traditional custodians of the 20 00:00:54,840 --> 00:00:58,379 land on which We Gather today 21 00:00:56,340 --> 00:01:00,719 and pay my respects to their Elders past 22 00:00:58,379 --> 00:01:02,579 and present and I extend that respect to 23 00:01:00,719 --> 00:01:05,460 all Aboriginal and Torres Straits 24 00:01:02,579 --> 00:01:08,700 Islander peoples here today 25 00:01:05,460 --> 00:01:10,920 so as the introduction said I'm David 26 00:01:08,700 --> 00:01:13,740 lebita from Geo research and I'm here to 27 00:01:10,920 --> 00:01:15,240 talk about terminals 28 00:01:13,740 --> 00:01:17,640 um I must have done things up there by 29 00:01:15,240 --> 00:01:20,100 the way if you want if you want details 30 00:01:17,640 --> 00:01:22,140 um I'll post some details about this 31 00:01:20,100 --> 00:01:24,479 later on there 32 00:01:22,140 --> 00:01:26,340 um so I've been a Linux user since about 33 00:01:24,479 --> 00:01:27,840 1998. 34 00:01:26,340 --> 00:01:29,400 um I started program with pearl For 35 00:01:27,840 --> 00:01:31,619 Better or Worse 36 00:01:29,400 --> 00:01:33,840 um I actually have some code in the core 37 00:01:31,619 --> 00:01:36,420 of pearl itself so I kind of took that 38 00:01:33,840 --> 00:01:39,299 to its extremes you could say 39 00:01:36,420 --> 00:01:41,640 um I'm a bit of an IRC fan a long time 40 00:01:39,299 --> 00:01:43,380 ago I wrote something called cgirc which 41 00:01:41,640 --> 00:01:45,540 you may have heard of it's a web-based 42 00:01:43,380 --> 00:01:46,880 IRC client that was quite popular at one 43 00:01:45,540 --> 00:01:49,560 point 44 00:01:46,880 --> 00:01:52,799 these days I mostly write go and work on 45 00:01:49,560 --> 00:01:54,600 kind of cloud-based things with a sort 46 00:01:52,799 --> 00:01:56,220 of side helping of security which is 47 00:01:54,600 --> 00:01:58,680 part of the reason I'm here and one of 48 00:01:56,220 --> 00:02:00,740 the things I'm here to talk about 49 00:01:58,680 --> 00:02:03,360 um so I'm here to talk about terminals 50 00:02:00,740 --> 00:02:05,520 this is a terminal 51 00:02:03,360 --> 00:02:08,459 um I suspect some of you might have been 52 00:02:05,520 --> 00:02:10,619 through one of these recently or even on 53 00:02:08,459 --> 00:02:13,560 the way here this is a particular 54 00:02:10,619 --> 00:02:15,660 Airport terminal it's TWA flight center 55 00:02:13,560 --> 00:02:17,340 at John F Kennedy Airport in New York 56 00:02:15,660 --> 00:02:19,200 City 57 00:02:17,340 --> 00:02:21,180 um now this this is an interesting one 58 00:02:19,200 --> 00:02:22,379 uh as you can see it's got quite an art 59 00:02:21,180 --> 00:02:24,000 deco design 60 00:02:22,379 --> 00:02:26,099 um possibly not Art Deco a bit later 61 00:02:24,000 --> 00:02:27,660 than that I mean anyway it was built in 62 00:02:26,099 --> 00:02:30,120 the 1960s 63 00:02:27,660 --> 00:02:32,040 and 64 00:02:30,120 --> 00:02:34,140 it's actually a hotel now if you look 65 00:02:32,040 --> 00:02:35,760 closely I don't know how visible this is 66 00:02:34,140 --> 00:02:37,080 on the screen but there's someone 67 00:02:35,760 --> 00:02:38,340 holding him I've got a phone just over 68 00:02:37,080 --> 00:02:40,379 there 69 00:02:38,340 --> 00:02:41,940 um so anyway it's an airport hotel now 70 00:02:40,379 --> 00:02:43,680 and it's actually quite a nice place to 71 00:02:41,940 --> 00:02:45,660 go if you happen to be able to travel 72 00:02:43,680 --> 00:02:47,099 these days and find yourself in New York 73 00:02:45,660 --> 00:02:48,599 City 74 00:02:47,099 --> 00:02:50,280 um anyway 75 00:02:48,599 --> 00:02:52,080 so 76 00:02:50,280 --> 00:02:56,760 this is another terminal 77 00:02:52,080 --> 00:02:58,500 this is a teletype ASR 33 and I you're 78 00:02:56,760 --> 00:03:01,140 laughed when I showed airport terminals 79 00:02:58,500 --> 00:03:04,140 so this is a computer terminal right 80 00:03:01,140 --> 00:03:05,640 so anyway this this particular one was 81 00:03:04,140 --> 00:03:07,940 introduced around the same time that 82 00:03:05,640 --> 00:03:11,220 that airport terminal was built about 83 00:03:07,940 --> 00:03:14,040 1962 and it supported a new just 84 00:03:11,220 --> 00:03:15,480 released standard called ASCII or 85 00:03:14,040 --> 00:03:17,819 American Standard code for information 86 00:03:15,480 --> 00:03:20,220 interchange which is a bit of a mouthful 87 00:03:17,819 --> 00:03:24,360 everyone says ASCII 88 00:03:20,220 --> 00:03:29,340 um so here's two famous users of an ASR 89 00:03:24,360 --> 00:03:31,440 33 this is on a PDP 11 and so the 90 00:03:29,340 --> 00:03:34,200 machines behind are a digital PDP 11 91 00:03:31,440 --> 00:03:37,860 running Unix there's not an exact data 92 00:03:34,200 --> 00:03:42,060 on this photo but it's Circa 1970 and 93 00:03:37,860 --> 00:03:45,959 this is I think Ken Thompson sitting and 94 00:03:42,060 --> 00:03:49,920 he's typing into a TTY or tele 95 00:03:45,959 --> 00:03:52,620 typewriter which is why we call TT wise 96 00:03:49,920 --> 00:03:55,560 on Linux these days still TT wise 97 00:03:52,620 --> 00:03:56,159 because they're tele typewriters 98 00:03:55,560 --> 00:03:58,680 um 99 00:03:56,159 --> 00:04:00,659 so 100 00:03:58,680 --> 00:04:03,239 it's possibly tempting fate when you 101 00:04:00,659 --> 00:04:05,519 publish a magazine article advert I mean 102 00:04:03,239 --> 00:04:08,220 like this uh this says just how much 103 00:04:05,519 --> 00:04:10,739 longer will The Model 33 be around and 104 00:04:08,220 --> 00:04:12,480 so as I mentioned about 1970 we saw 105 00:04:10,739 --> 00:04:15,180 someone using them 106 00:04:12,480 --> 00:04:16,919 um 1976 107 00:04:15,180 --> 00:04:18,959 um is an interesting year this was in 108 00:04:16,919 --> 00:04:20,940 1974 so they're sort of saying this is 109 00:04:18,959 --> 00:04:22,560 going to carry on for many more years we 110 00:04:20,940 --> 00:04:26,400 think we've got a successful product 111 00:04:22,560 --> 00:04:30,600 here please buy our product so in 1976 112 00:04:26,400 --> 00:04:33,060 Leah Siegler released the adm3a which 113 00:04:30,600 --> 00:04:34,440 wasn't the first video terminal but it 114 00:04:33,060 --> 00:04:38,340 was actually one of the first affordable 115 00:04:34,440 --> 00:04:41,419 video terminals it was about a thousand 116 00:04:38,340 --> 00:04:43,440 US dollars or just under in kit form 117 00:04:41,419 --> 00:04:46,440 and the University of California 118 00:04:43,440 --> 00:04:48,440 Berkeley standardized on this as their 119 00:04:46,440 --> 00:04:51,180 terminal of choice 120 00:04:48,440 --> 00:04:54,479 and Bill Joy who was later the 121 00:04:51,180 --> 00:04:55,680 co-founder of sun Microsystems use one 122 00:04:54,479 --> 00:04:57,960 of these terminals he actually had one 123 00:04:55,680 --> 00:04:59,280 in his dorm room connected by a 300 124 00:04:57,960 --> 00:05:01,620 board modem 125 00:04:59,280 --> 00:05:04,139 so that necessitated the invention of 126 00:05:01,620 --> 00:05:06,360 something called VI 127 00:05:04,139 --> 00:05:08,460 so he actually wrote an editor called X 128 00:05:06,360 --> 00:05:10,440 which had a motor called visual but 129 00:05:08,460 --> 00:05:12,540 inside that was a command called VI 130 00:05:10,440 --> 00:05:15,000 which later was split out to its own 131 00:05:12,540 --> 00:05:18,000 command called VI and as we know the 132 00:05:15,000 --> 00:05:21,180 rest is history so if you just look 133 00:05:18,000 --> 00:05:23,520 closely at the keys you see Escape here 134 00:05:21,180 --> 00:05:26,940 is very nice and easily accessible 135 00:05:23,520 --> 00:05:31,020 compared to Modern computers and on the 136 00:05:26,940 --> 00:05:32,759 HJ k l Keys we have the vi cursor 137 00:05:31,020 --> 00:05:34,740 movement case and also interestingly 138 00:05:32,759 --> 00:05:36,300 just here we have a bunch of dip 139 00:05:34,740 --> 00:05:37,979 switches that is how you configure the 140 00:05:36,300 --> 00:05:40,440 terminal 141 00:05:37,979 --> 00:05:42,720 um one of the interesting things is 142 00:05:40,440 --> 00:05:44,820 there's not a caps lock key on this so 143 00:05:42,720 --> 00:05:45,960 actually you one of the things you could 144 00:05:44,820 --> 00:05:48,120 configure was whether you had the 145 00:05:45,960 --> 00:05:50,100 additional RAM installed that let you 146 00:05:48,120 --> 00:05:53,100 use lowercase 147 00:05:50,100 --> 00:05:55,139 um so it so it was to optimize things it 148 00:05:53,100 --> 00:05:56,639 was five bits rather than eight or seven 149 00:05:55,139 --> 00:05:59,039 bits at the time 150 00:05:56,639 --> 00:06:00,960 um so yeah the the one of the biggest 151 00:05:59,039 --> 00:06:02,639 expenses that made video terminals an 152 00:06:00,960 --> 00:06:05,039 expensive thing was actually the ram 153 00:06:02,639 --> 00:06:07,500 that was needed to store what was it on 154 00:06:05,039 --> 00:06:09,479 screen at the time 155 00:06:07,500 --> 00:06:10,740 um so one nice thing is that the 156 00:06:09,479 --> 00:06:12,539 operator's manual for this has been 157 00:06:10,740 --> 00:06:14,940 preserved um there's a website called 158 00:06:12,539 --> 00:06:16,199 bit Savers that has a bunch of PDFs of 159 00:06:14,940 --> 00:06:18,479 things 160 00:06:16,199 --> 00:06:20,759 um so if we dig into the manual we can 161 00:06:18,479 --> 00:06:23,400 find details about the Escape key and I 162 00:06:20,759 --> 00:06:26,460 won't read it all but it can be used to 163 00:06:23,400 --> 00:06:27,780 produce a load cursor operation and then 164 00:06:26,460 --> 00:06:29,280 it says down here this operation may 165 00:06:27,780 --> 00:06:32,360 also be initiated by the host computer 166 00:06:29,280 --> 00:06:34,979 using the same Escape sequences 167 00:06:32,360 --> 00:06:37,020 so essentially that's what makes a VI 168 00:06:34,979 --> 00:06:39,539 possible you can address the cursor on 169 00:06:37,020 --> 00:06:40,560 the screen and move it around and in 170 00:06:39,539 --> 00:06:42,840 particular 171 00:06:40,560 --> 00:06:44,520 it's possible to sort of send lots of up 172 00:06:42,840 --> 00:06:47,160 and down commands but if you can address 173 00:06:44,520 --> 00:06:48,780 a particular point on the screen then 174 00:06:47,160 --> 00:06:51,360 you can do it efficiently and as I 175 00:06:48,780 --> 00:06:54,120 mentioned Bill Joy had a 300board modem 176 00:06:51,360 --> 00:06:55,979 so that was part of the reason why 177 00:06:54,120 --> 00:06:57,660 um you know this this ended up being how 178 00:06:55,979 --> 00:06:58,380 it was 179 00:06:57,660 --> 00:07:02,639 um 180 00:06:58,380 --> 00:07:05,220 so moving on a bit this is um 1978 or 181 00:07:02,639 --> 00:07:07,620 1979. um there's some debate about 182 00:07:05,220 --> 00:07:11,340 exactly when but this this standard was 183 00:07:07,620 --> 00:07:13,680 published in 1979. so 184 00:07:11,340 --> 00:07:15,479 this standard specifies 185 00:07:13,680 --> 00:07:18,300 a lot of things about how a terminal 186 00:07:15,479 --> 00:07:19,919 should work so the Leah Siegler one that 187 00:07:18,300 --> 00:07:21,900 I showed had a very particular way of 188 00:07:19,919 --> 00:07:23,759 setting the cursor position but that was 189 00:07:21,900 --> 00:07:25,560 accustomed to it so you've probably come 190 00:07:23,759 --> 00:07:27,539 across term cap and the need for that 191 00:07:25,560 --> 00:07:29,039 was that different terminals implemented 192 00:07:27,539 --> 00:07:31,500 different things 193 00:07:29,039 --> 00:07:32,759 um ANSI in theory was an attempt to 194 00:07:31,500 --> 00:07:35,699 standardize that but actually the 195 00:07:32,759 --> 00:07:37,259 important thing it did was Define how a 196 00:07:35,699 --> 00:07:38,539 particular Escape sheet sequence should 197 00:07:37,259 --> 00:07:41,880 be 198 00:07:38,539 --> 00:07:43,740 interpreted so that if a system didn't 199 00:07:41,880 --> 00:07:45,900 Implement a particular escape sequence 200 00:07:43,740 --> 00:07:48,720 it could ignore that thing in the same 201 00:07:45,900 --> 00:07:52,860 way these days HTML ignores unknown tags 202 00:07:48,720 --> 00:07:54,000 Escape sequences have a similar concept 203 00:07:52,860 --> 00:07:56,039 um 204 00:07:54,000 --> 00:07:57,840 and also these days we talk about antsy 205 00:07:56,039 --> 00:07:59,940 color but actually that was defined a 206 00:07:57,840 --> 00:08:00,720 bit later and I'll get to that 207 00:07:59,940 --> 00:08:02,819 um 208 00:08:00,720 --> 00:08:05,340 digital here we saw earlier with the PDP 209 00:08:02,819 --> 00:08:08,280 11 also had their own terminal there was 210 00:08:05,340 --> 00:08:10,680 a vt52 which was one of the first cursor 211 00:08:08,280 --> 00:08:12,479 addressable terminals similar to the 212 00:08:10,680 --> 00:08:14,220 latest Eagle one we saw but they were 213 00:08:12,479 --> 00:08:16,500 much more expensive um it's a bit hard 214 00:08:14,220 --> 00:08:18,000 to find prices these days and things uh 215 00:08:16,500 --> 00:08:20,580 yeah I spent a bit too long researching 216 00:08:18,000 --> 00:08:23,879 this so you know anyway this this is 217 00:08:20,580 --> 00:08:25,940 deck deck is interesting because they 218 00:08:23,879 --> 00:08:28,740 introduced a terminal called the vt100 219 00:08:25,940 --> 00:08:31,080 which was one of the first terminals to 220 00:08:28,740 --> 00:08:32,640 implement the ANSI standard and these 221 00:08:31,080 --> 00:08:34,860 days has almost become a de facto 222 00:08:32,640 --> 00:08:36,719 standard itself in that if you're using 223 00:08:34,860 --> 00:08:38,820 a software terminal which sometimes we 224 00:08:36,719 --> 00:08:40,500 call terminal emulators then it's 225 00:08:38,820 --> 00:08:42,899 probably implementing something along 226 00:08:40,500 --> 00:08:46,320 the lines of the vt100 although exactly 227 00:08:42,899 --> 00:08:50,000 how good that emulation is there is 228 00:08:46,320 --> 00:08:52,260 so how do these Escape sequences work so 229 00:08:50,000 --> 00:08:54,899 this is quite a cool command that makes 230 00:08:52,260 --> 00:08:57,899 you look like a bit of a hacker if I 231 00:08:54,899 --> 00:09:00,180 press enter we get the Matrix so this is 232 00:08:57,899 --> 00:09:02,820 this is C Matrix 233 00:09:00,180 --> 00:09:07,220 um it yeah it does what you expect it to 234 00:09:02,820 --> 00:09:07,220 oh that's what it says on the tin so 235 00:09:07,440 --> 00:09:11,640 we can run this through cat minus V and 236 00:09:09,959 --> 00:09:12,980 so if you've not come across the minus V 237 00:09:11,640 --> 00:09:15,959 option to cat 238 00:09:12,980 --> 00:09:18,540 this basically says if there's any 239 00:09:15,959 --> 00:09:20,100 Escape sequences show me the escape 240 00:09:18,540 --> 00:09:22,560 sequence as it was and it actually 241 00:09:20,100 --> 00:09:24,720 applies to all control characters 242 00:09:22,560 --> 00:09:26,880 um interestingly Bill Joy actually added 243 00:09:24,720 --> 00:09:29,519 the minus V option to cat at least 244 00:09:26,880 --> 00:09:32,040 according to the sources I can find and 245 00:09:29,519 --> 00:09:34,200 this was much to the annoyance of the 246 00:09:32,040 --> 00:09:37,260 original Unix developers from Bell Labs 247 00:09:34,200 --> 00:09:39,240 who thought that really cat should be 248 00:09:37,260 --> 00:09:41,700 limited to concatenating things together 249 00:09:39,240 --> 00:09:44,220 per its name and so there's a paper 250 00:09:41,700 --> 00:09:47,040 written in 1980 called cat V considered 251 00:09:44,220 --> 00:09:49,380 harmful but anyway I think we've moved 252 00:09:47,040 --> 00:09:51,779 on from 1980 and we'll use cat V for 253 00:09:49,380 --> 00:09:54,540 this example so that doesn't look 254 00:09:51,779 --> 00:09:56,580 anything like the previous thing but 255 00:09:54,540 --> 00:09:58,279 if we look closely we'll see things like 256 00:09:56,580 --> 00:10:02,100 escape 257 00:09:58,279 --> 00:10:04,620 a bracket 32m and as I mentioned the 258 00:10:02,100 --> 00:10:08,160 ANSI standard it itself doesn't Define 259 00:10:04,620 --> 00:10:10,800 colors but in the appendix to it here we 260 00:10:08,160 --> 00:10:12,660 find 32 is a green display so this was 261 00:10:10,800 --> 00:10:14,279 actually in the appendix to the standard 262 00:10:12,660 --> 00:10:15,959 and it was part of the later 263 00:10:14,279 --> 00:10:18,120 International standard that was based on 264 00:10:15,959 --> 00:10:18,720 the ANSI standard 265 00:10:18,120 --> 00:10:20,399 um 266 00:10:18,720 --> 00:10:22,920 we can also 267 00:10:20,399 --> 00:10:25,620 do red so if we do something like that 268 00:10:22,920 --> 00:10:27,240 we get red text which doesn't look very 269 00:10:25,620 --> 00:10:28,260 visible on this so we'll make that be 270 00:10:27,240 --> 00:10:33,300 easier 271 00:10:28,260 --> 00:10:35,519 um okay so Escape is ASCII character 27 272 00:10:33,300 --> 00:10:37,860 um as you saw with that cat output it's 273 00:10:35,519 --> 00:10:40,920 sometimes written as carrot and then 274 00:10:37,860 --> 00:10:43,399 left brackets sometimes in a c style 275 00:10:40,920 --> 00:10:45,839 string it's written as backslash e 276 00:10:43,399 --> 00:10:48,000 in some cases the C style strings don't 277 00:10:45,839 --> 00:10:51,480 support that format so you find it 278 00:10:48,000 --> 00:10:54,440 written in HEX like that or for example 279 00:10:51,480 --> 00:10:58,019 in JavaScript you'd have to do slash 280 00:10:54,440 --> 00:10:59,760 u001v but anyway I'm going to mostly 281 00:10:58,019 --> 00:11:01,440 refer to things in these slides using 282 00:10:59,760 --> 00:11:02,880 this form but when I'm talking about 283 00:11:01,440 --> 00:11:05,220 that I'm talking about a particular 284 00:11:02,880 --> 00:11:07,200 ASCII character that is by definition 285 00:11:05,220 --> 00:11:09,300 not printable so I can't actually just 286 00:11:07,200 --> 00:11:12,480 put it on the slides as it looks so 287 00:11:09,300 --> 00:11:14,160 hence why I'm trying to explain this so 288 00:11:12,480 --> 00:11:17,700 another place you might have seen this 289 00:11:14,160 --> 00:11:19,620 is in PS1 which is in a bond compatible 290 00:11:17,700 --> 00:11:20,940 shell like bash is how you set your 291 00:11:19,620 --> 00:11:22,920 prompt 292 00:11:20,940 --> 00:11:25,320 um so you might do something like this 293 00:11:22,920 --> 00:11:27,180 and if you look there that slash e is 294 00:11:25,320 --> 00:11:30,240 the E I mentioned I've already mentioned 295 00:11:27,180 --> 00:11:31,560 31m so this is red text 296 00:11:30,240 --> 00:11:33,720 um and then if we just look at what that 297 00:11:31,560 --> 00:11:35,579 happens to look like yeah you know you 298 00:11:33,720 --> 00:11:37,200 want to make your root prompt red or 299 00:11:35,579 --> 00:11:38,700 whatever that's essentially how you do 300 00:11:37,200 --> 00:11:40,019 it 301 00:11:38,700 --> 00:11:42,120 um often there's a few more things in 302 00:11:40,019 --> 00:11:44,279 PS1 but for the sake of the slides I've 303 00:11:42,120 --> 00:11:46,200 just made that simple 304 00:11:44,279 --> 00:11:49,019 um so I kind of mentioned that the 305 00:11:46,200 --> 00:11:53,040 answer is standard defines a sort of 306 00:11:49,019 --> 00:11:56,040 sequence and a way of a way of defining 307 00:11:53,040 --> 00:11:58,380 the patterns that that is extensible so 308 00:11:56,040 --> 00:12:00,540 one of the things that it defines is a 309 00:11:58,380 --> 00:12:02,940 control sequence introducer which means 310 00:12:00,540 --> 00:12:05,760 that you have escape this left square 311 00:12:02,940 --> 00:12:08,160 bracket and then you have usually a 312 00:12:05,760 --> 00:12:09,959 number or a set of numbers and then a 313 00:12:08,160 --> 00:12:11,579 letter roughly it's actually a bit more 314 00:12:09,959 --> 00:12:13,860 complicated than that but 315 00:12:11,579 --> 00:12:15,600 um I won't I won't I can't fit that the 316 00:12:13,860 --> 00:12:16,920 whole thing into this talk 317 00:12:15,600 --> 00:12:19,320 um but that's that's essentially all you 318 00:12:16,920 --> 00:12:20,399 need to know to understand this talk 319 00:12:19,320 --> 00:12:24,180 um 320 00:12:20,399 --> 00:12:27,120 so in 2003 HD Moore published this 321 00:12:24,180 --> 00:12:29,579 terminal security and sorry thermal 322 00:12:27,120 --> 00:12:31,500 emulator security issues and this was 323 00:12:29,579 --> 00:12:34,140 sent to the bug track mailing list which 324 00:12:31,500 --> 00:12:35,519 sadly is no longer around but OSS 325 00:12:34,140 --> 00:12:38,339 Security if you've come across it is 326 00:12:35,519 --> 00:12:40,140 kind of its uh successor in sort of de 327 00:12:38,339 --> 00:12:42,420 facto form 328 00:12:40,140 --> 00:12:45,540 um this is one of the first write-ups of 329 00:12:42,420 --> 00:12:46,639 terminal security issues 330 00:12:45,540 --> 00:12:48,839 um 331 00:12:46,639 --> 00:12:50,279 yeah so we're going to get to the 332 00:12:48,839 --> 00:12:51,660 security part of the talk 333 00:12:50,279 --> 00:12:53,519 um everything that I'm talking about I 334 00:12:51,660 --> 00:12:55,740 did on either my own systems or systems 335 00:12:53,519 --> 00:12:58,740 I had permission to perform this on so 336 00:12:55,740 --> 00:13:00,180 basically don't try this at home work 337 00:12:58,740 --> 00:13:02,160 don't try this at work but you can do it 338 00:13:00,180 --> 00:13:03,959 at home uh probably assuming you own 339 00:13:02,160 --> 00:13:05,220 your systems at home Etc standard 340 00:13:03,959 --> 00:13:08,700 disclaimer 341 00:13:05,220 --> 00:13:10,440 so anyway back to back to this post one 342 00:13:08,700 --> 00:13:12,839 of the things here is window title 343 00:13:10,440 --> 00:13:15,660 reporting so what's that 344 00:13:12,839 --> 00:13:17,459 so I mentioned how the prompt works and 345 00:13:15,660 --> 00:13:19,019 one of the things that a prompt can also 346 00:13:17,459 --> 00:13:21,779 do and it's common is it will set the 347 00:13:19,019 --> 00:13:22,980 title of your window so you know when 348 00:13:21,779 --> 00:13:25,139 you open your terminal and you change 349 00:13:22,980 --> 00:13:28,260 directory the title of the window often 350 00:13:25,139 --> 00:13:29,639 updates to show what directory you're in 351 00:13:28,260 --> 00:13:33,300 um and so this is the escape sequence 352 00:13:29,639 --> 00:13:35,100 you use for this I mentioned uh CSI and 353 00:13:33,300 --> 00:13:36,540 so this is an operating system command 354 00:13:35,100 --> 00:13:38,579 so the square brackets the other way 355 00:13:36,540 --> 00:13:40,740 around and then we can have a string of 356 00:13:38,579 --> 00:13:43,320 text terminated by this special 357 00:13:40,740 --> 00:13:44,760 character at the end 358 00:13:43,320 --> 00:13:46,800 um so it's basically a way of sending 359 00:13:44,760 --> 00:13:48,959 strings and the standard didn't Define 360 00:13:46,800 --> 00:13:52,079 any of these but later on people defined 361 00:13:48,959 --> 00:13:54,240 what the bit inside this means 362 00:13:52,079 --> 00:13:56,160 um and so one thing we can do is this we 363 00:13:54,240 --> 00:13:58,680 can say okay we're running a particular 364 00:13:56,160 --> 00:14:00,779 terminal program or whatever we're 365 00:13:58,680 --> 00:14:02,880 inside our terminal so we're running 366 00:14:00,779 --> 00:14:05,100 xcal okay fine 367 00:14:02,880 --> 00:14:07,019 that's not really a security problem we 368 00:14:05,100 --> 00:14:08,880 can say what we're running 369 00:14:07,019 --> 00:14:11,160 um so there's a control sequence to 370 00:14:08,880 --> 00:14:13,260 report what the window title is 371 00:14:11,160 --> 00:14:15,000 so some some of these Escape sequences 372 00:14:13,260 --> 00:14:17,100 can be used to ask things of the 373 00:14:15,000 --> 00:14:19,740 terminal the common example being where 374 00:14:17,100 --> 00:14:20,880 is my cursor so I mentioned the eye a 375 00:14:19,740 --> 00:14:22,800 while ago 376 00:14:20,880 --> 00:14:24,360 um you can ask where's my cursor on 377 00:14:22,800 --> 00:14:28,139 screen and it will return something like 378 00:14:24,360 --> 00:14:31,260 you know 10 comma sorry 10 semicolon 5 379 00:14:28,139 --> 00:14:33,959 and that's like your you know column 10 380 00:14:31,260 --> 00:14:36,300 row five or whichever way around it is 381 00:14:33,959 --> 00:14:38,459 um anyway this this particular one is 382 00:14:36,300 --> 00:14:40,680 asking What's the title of the window 383 00:14:38,459 --> 00:14:42,839 please and so it Returns the title of 384 00:14:40,680 --> 00:14:43,680 the window for you 385 00:14:42,839 --> 00:14:46,500 um 386 00:14:43,680 --> 00:14:48,660 so if we adjust this slightly and we set 387 00:14:46,500 --> 00:14:50,339 the title of the window to be 388 00:14:48,660 --> 00:14:53,100 carriage return 389 00:14:50,339 --> 00:14:55,500 calc exe and then another character 390 00:14:53,100 --> 00:14:58,560 return and then ask for the title what 391 00:14:55,500 --> 00:15:01,019 happens well so if we just you demo this 392 00:14:58,560 --> 00:15:02,339 this is printf so this is this is 393 00:15:01,019 --> 00:15:04,320 actually on Windows and we're using 394 00:15:02,339 --> 00:15:07,680 Commander which provides a compatibility 395 00:15:04,320 --> 00:15:11,399 layer for Windows of Unix tools so that 396 00:15:07,680 --> 00:15:14,699 sequence there calc then hit enter 397 00:15:11,399 --> 00:15:17,040 okay that's interesting so a printf 398 00:15:14,699 --> 00:15:17,959 command resulted in essentially typing 399 00:15:17,040 --> 00:15:21,540 calculator 400 00:15:17,959 --> 00:15:23,040 and now now we're running calculator and 401 00:15:21,540 --> 00:15:24,300 if you're not familiar calculator is the 402 00:15:23,040 --> 00:15:27,839 traditional thing to open when you're 403 00:15:24,300 --> 00:15:30,060 exploiting systems so there may be a few 404 00:15:27,839 --> 00:15:32,519 more of these so 405 00:15:30,060 --> 00:15:33,959 did I patch that back in no it turns out 406 00:15:32,519 --> 00:15:35,579 this was a new vulnerability in a 407 00:15:33,959 --> 00:15:37,320 windows program hence why we randomly 408 00:15:35,579 --> 00:15:40,079 changed the windows there 409 00:15:37,320 --> 00:15:42,240 um this was patched late last year 410 00:15:40,079 --> 00:15:43,320 um and basically yeah it report it 411 00:15:42,240 --> 00:15:46,139 didn't 412 00:15:43,320 --> 00:15:47,040 um filter the title at all 413 00:15:46,139 --> 00:15:50,040 um 414 00:15:47,040 --> 00:15:51,060 it also supported that most terminals 415 00:15:50,040 --> 00:15:53,820 were just so they're not going to 416 00:15:51,060 --> 00:15:54,480 support the report title sequence 417 00:15:53,820 --> 00:15:55,980 um 418 00:15:54,480 --> 00:15:57,300 some terminals to have an option to turn 419 00:15:55,980 --> 00:15:58,440 it back on so there's an option that 420 00:15:57,300 --> 00:16:00,660 basically says yeah I want to be 421 00:15:58,440 --> 00:16:02,519 vulnerable to a security hole please 422 00:16:00,660 --> 00:16:05,579 um but you know 423 00:16:02,519 --> 00:16:06,480 so I use printf in that example 424 00:16:05,579 --> 00:16:08,160 um 425 00:16:06,480 --> 00:16:10,740 it's certainly interesting printing 426 00:16:08,160 --> 00:16:12,660 something to your screen can have a prob 427 00:16:10,740 --> 00:16:13,800 create a problem like that but to 428 00:16:12,660 --> 00:16:15,600 actually make this into a vulnerability 429 00:16:13,800 --> 00:16:17,880 we need to do something more 430 00:16:15,600 --> 00:16:20,579 so what we're looking for is instances 431 00:16:17,880 --> 00:16:24,240 of this so this is the common weaknesses 432 00:16:20,579 --> 00:16:27,240 enumeration which is a miter project of 433 00:16:24,240 --> 00:16:28,860 sort of common security problems and if 434 00:16:27,240 --> 00:16:31,560 you scroll down on this page you'll find 435 00:16:28,860 --> 00:16:34,320 that some of the bugs that hdmr found in 436 00:16:31,560 --> 00:16:37,259 2003 are listed as exemplars almost of 437 00:16:34,320 --> 00:16:40,980 this particular kind of problem 438 00:16:37,259 --> 00:16:42,180 um but what else can we do so well if 439 00:16:40,980 --> 00:16:43,980 you just give someone a file and ask 440 00:16:42,180 --> 00:16:46,139 them to cut it to your screen they 441 00:16:43,980 --> 00:16:47,759 probably won't do that but like it could 442 00:16:46,139 --> 00:16:50,759 be as simple as that to social engineer 443 00:16:47,759 --> 00:16:52,680 someone into attacking themselves 444 00:16:50,759 --> 00:16:55,199 um something else that works is just 445 00:16:52,680 --> 00:16:56,940 curl so like literally put it on a web 446 00:16:55,199 --> 00:16:58,740 URL and be like I'm having problems 447 00:16:56,940 --> 00:17:00,660 curling this URL can you just try it for 448 00:16:58,740 --> 00:17:02,820 me administrator please and you know 449 00:17:00,660 --> 00:17:04,559 there's a bunch of things you can do 450 00:17:02,820 --> 00:17:06,780 um so if you've got a terminal exploit 451 00:17:04,559 --> 00:17:10,319 you can do evil things even without a 452 00:17:06,780 --> 00:17:11,520 terminal exploit we can hide things so 453 00:17:10,319 --> 00:17:13,140 um I don't know how visible that is 454 00:17:11,520 --> 00:17:15,000 hopefully that's so here's here's a 455 00:17:13,140 --> 00:17:18,720 script so I've got a script called 456 00:17:15,000 --> 00:17:20,220 evil.sh it says Echo I am good okay fine 457 00:17:18,720 --> 00:17:22,439 I'll just run that 458 00:17:20,220 --> 00:17:24,780 hi 459 00:17:22,439 --> 00:17:26,760 um so what actually happened here 460 00:17:24,780 --> 00:17:29,520 so if we run cat minus V again to see 461 00:17:26,760 --> 00:17:32,220 what's going on uh oh okay I am evil 462 00:17:29,520 --> 00:17:33,840 comment backspace backspace backspace 463 00:17:32,220 --> 00:17:35,700 good and I mean you've probably seen 464 00:17:33,840 --> 00:17:37,919 this used in memes right so literally 465 00:17:35,700 --> 00:17:39,480 you can actually use a meme as a as a 466 00:17:37,919 --> 00:17:40,620 security attack which is kind of funny 467 00:17:39,480 --> 00:17:43,500 but 468 00:17:40,620 --> 00:17:45,600 um yeah I mean it's kind of ridiculous 469 00:17:43,500 --> 00:17:47,460 that it's that easy probably you 470 00:17:45,600 --> 00:17:49,679 wouldn't actually get any success with 471 00:17:47,460 --> 00:17:53,940 that hopefully these days but uh you 472 00:17:49,679 --> 00:17:56,160 know that's the thing so back to 2001 473 00:17:53,940 --> 00:17:57,480 um this is one of the examples for cwe 474 00:17:56,160 --> 00:17:59,340 150 475 00:17:57,480 --> 00:18:01,200 um the log files the the Apache web 476 00:17:59,340 --> 00:18:03,000 server used uh contain information 477 00:18:01,200 --> 00:18:05,400 directly supplied by clients and does 478 00:18:03,000 --> 00:18:07,559 not filter required I won't read it all 479 00:18:05,400 --> 00:18:10,080 but essentially yeah you could basically 480 00:18:07,559 --> 00:18:12,240 attack an administrator an hdmores paper 481 00:18:10,080 --> 00:18:14,340 in 2003 which is worth a read actually 482 00:18:12,240 --> 00:18:16,500 has a fun scenario where an 483 00:18:14,340 --> 00:18:17,100 administrator gets attacked 484 00:18:16,500 --> 00:18:20,220 um 485 00:18:17,100 --> 00:18:21,480 anyway so we're back to the modern world 486 00:18:20,220 --> 00:18:23,220 um and I'm gonna have to speed up a bit 487 00:18:21,480 --> 00:18:24,480 so I'm running a little bit behind time 488 00:18:23,220 --> 00:18:26,700 so anyway 489 00:18:24,480 --> 00:18:29,100 um python Python's a thing 490 00:18:26,700 --> 00:18:30,660 um so if I run a python web server 491 00:18:29,100 --> 00:18:33,240 um at the top here I'm running python 492 00:18:30,660 --> 00:18:35,220 minus am HTTP server and down here I've 493 00:18:33,240 --> 00:18:37,860 I'm the attacker so victim on the top 494 00:18:35,220 --> 00:18:40,380 attacker below so the victim has run a 495 00:18:37,860 --> 00:18:42,539 python web server random directory 496 00:18:40,380 --> 00:18:44,460 down here 497 00:18:42,539 --> 00:18:45,660 the attack is trying to attack them so 498 00:18:44,460 --> 00:18:47,220 they found out that if they just use 499 00:18:45,660 --> 00:18:49,140 Curl on its own they can't do that 500 00:18:47,220 --> 00:18:51,419 because curl on the client side doesn't 501 00:18:49,140 --> 00:18:53,700 let them put a slash e but it turns out 502 00:18:51,419 --> 00:18:56,039 if they just use printf and pipe back to 503 00:18:53,700 --> 00:18:59,220 netcat yeah okay that 504 00:18:56,039 --> 00:19:02,520 that works so you'll see up here you'll 505 00:18:59,220 --> 00:19:05,520 see that characters disappeared so 506 00:19:02,520 --> 00:19:07,320 um basically yeah they the something is 507 00:19:05,520 --> 00:19:08,640 interpreting that okay so you see now 508 00:19:07,320 --> 00:19:11,820 they've managed to make this go red up 509 00:19:08,640 --> 00:19:14,100 here so what what else can they do they 510 00:19:11,820 --> 00:19:15,960 can they can make things go red 511 00:19:14,100 --> 00:19:17,340 um we've discussed 31m 512 00:19:15,960 --> 00:19:19,440 um so another thing they can do is the 513 00:19:17,340 --> 00:19:21,179 title I mentioned setting the title uh 514 00:19:19,440 --> 00:19:23,160 what happens if they don't actually 515 00:19:21,179 --> 00:19:24,780 finish setting the title 516 00:19:23,160 --> 00:19:26,400 well the logs up here is finished 517 00:19:24,780 --> 00:19:29,220 they're still doing requests down here 518 00:19:26,400 --> 00:19:31,260 where's the log okay so you can hide you 519 00:19:29,220 --> 00:19:33,480 can hide something in a lock but that's 520 00:19:31,260 --> 00:19:35,460 that's kind of basic 521 00:19:33,480 --> 00:19:37,919 um what else can we do well if we've 522 00:19:35,460 --> 00:19:39,179 actually got a terminal exploit maybe we 523 00:19:37,919 --> 00:19:40,100 can actually just run code in the top 524 00:19:39,179 --> 00:19:42,419 one 525 00:19:40,100 --> 00:19:43,320 via the python command that they've just 526 00:19:42,419 --> 00:19:45,360 run 527 00:19:43,320 --> 00:19:47,220 so 528 00:19:45,360 --> 00:19:49,980 um what we're doing down here is where 529 00:19:47,220 --> 00:19:52,020 this is p so this is a what's called a 530 00:19:49,980 --> 00:19:54,419 device control string I'll cover more in 531 00:19:52,020 --> 00:19:57,419 a second exactly what that is qm means 532 00:19:54,419 --> 00:19:59,700 query the color and it's a bit hard to 533 00:19:57,419 --> 00:20:01,200 see up here but that the terminal 534 00:19:59,700 --> 00:20:03,539 replies with something that says my 535 00:20:01,200 --> 00:20:06,299 current color is 31m so my current color 536 00:20:03,539 --> 00:20:08,340 is red I'll just change the color back 537 00:20:06,299 --> 00:20:10,559 to uh 538 00:20:08,340 --> 00:20:12,720 yeah okay so if we change the color back 539 00:20:10,559 --> 00:20:14,400 to the default color it says the color 540 00:20:12,720 --> 00:20:15,480 zero 541 00:20:14,400 --> 00:20:16,980 um 542 00:20:15,480 --> 00:20:20,100 so anyway 543 00:20:16,980 --> 00:20:21,539 this gets interesting is this will 544 00:20:20,100 --> 00:20:23,100 actually in the same way that the title 545 00:20:21,539 --> 00:20:24,059 thing did this will let us Echo text 546 00:20:23,100 --> 00:20:28,799 back 547 00:20:24,059 --> 00:20:30,120 so here the terminal typed LS for us 548 00:20:28,799 --> 00:20:32,940 um it turns out we can actually do more 549 00:20:30,120 --> 00:20:36,360 than just typing LS so 550 00:20:32,940 --> 00:20:38,340 um if we just put the hex code free 551 00:20:36,360 --> 00:20:40,740 which if you're not conflicted not 552 00:20:38,340 --> 00:20:41,520 familiar that's Ctrl c 553 00:20:40,740 --> 00:20:42,840 um 554 00:20:41,520 --> 00:20:44,280 so 555 00:20:42,840 --> 00:20:47,520 what's going to happen we're going to do 556 00:20:44,280 --> 00:20:49,620 Ctrl C and then we're going to do LS and 557 00:20:47,520 --> 00:20:51,000 then we'll just finish typing that okay 558 00:20:49,620 --> 00:20:52,380 so this is an interesting python 559 00:20:51,000 --> 00:20:53,700 actually said it's a bad request but 560 00:20:52,380 --> 00:20:55,380 it's fine because it logs it logged it 561 00:20:53,700 --> 00:20:57,120 anyway so 562 00:20:55,380 --> 00:20:59,820 um keyboard interrupt received exiting 563 00:20:57,120 --> 00:21:02,280 so at this point we've basically got a 564 00:20:59,820 --> 00:21:03,419 way of an HTTP request over here if 565 00:21:02,280 --> 00:21:05,880 someone's running something in a 566 00:21:03,419 --> 00:21:07,620 terminal and it's not escaping output we 567 00:21:05,880 --> 00:21:08,520 can run code 568 00:21:07,620 --> 00:21:10,620 um 569 00:21:08,520 --> 00:21:11,340 so just to complete this we need to put 570 00:21:10,620 --> 00:21:13,740 a 571 00:21:11,340 --> 00:21:15,539 terminating new line here sorry that's 572 00:21:13,740 --> 00:21:16,320 the carriage return 573 00:21:15,539 --> 00:21:19,100 um 574 00:21:16,320 --> 00:21:19,100 there we go 575 00:21:19,380 --> 00:21:22,620 okay so that actually ran LS but there's 576 00:21:21,419 --> 00:21:24,360 nothing in this directory so I'll just 577 00:21:22,620 --> 00:21:26,520 I'll just touch a file to prove to you 578 00:21:24,360 --> 00:21:29,820 that this really does work 579 00:21:26,520 --> 00:21:31,980 um there we go so we've just run that 580 00:21:29,820 --> 00:21:33,480 and then obviously to top things up off 581 00:21:31,980 --> 00:21:35,159 we have to open calculator because 582 00:21:33,480 --> 00:21:36,419 that's just the traditional thing to do 583 00:21:35,159 --> 00:21:38,640 so 584 00:21:36,419 --> 00:21:40,980 um and that's there we just replaced 585 00:21:38,640 --> 00:21:43,380 that with calculator 586 00:21:40,980 --> 00:21:47,159 um rerun the command up here 587 00:21:43,380 --> 00:21:51,000 there we go yeah so there we go there we 588 00:21:47,159 --> 00:21:53,460 go so we've basically used Python and in 589 00:21:51,000 --> 00:21:55,620 this case item two on Mac so this is an 590 00:21:53,460 --> 00:21:57,780 open source uh terminal that various 591 00:21:55,620 --> 00:21:58,620 people on Max use 592 00:21:57,780 --> 00:21:59,880 um 593 00:21:58,620 --> 00:22:01,799 so 594 00:21:59,880 --> 00:22:04,080 just to go go into a bit more detail on 595 00:22:01,799 --> 00:22:07,679 exactly what happened there so device 596 00:22:04,080 --> 00:22:10,320 control string is is this first bit we 597 00:22:07,679 --> 00:22:12,659 asked for the color that's fine 598 00:22:10,320 --> 00:22:16,080 um create a color okay that worked 599 00:22:12,659 --> 00:22:19,320 um so actually this was a 2008 X term 600 00:22:16,080 --> 00:22:21,960 CVA why are we looking at it now 601 00:22:19,320 --> 00:22:23,760 well it turns out that the control 602 00:22:21,960 --> 00:22:26,340 sequence docks for X term weren't 603 00:22:23,760 --> 00:22:27,720 updated and I don't know for sure but it 604 00:22:26,340 --> 00:22:29,820 seems like that the offer of item to 605 00:22:27,720 --> 00:22:33,240 happen to read those docs recreated the 606 00:22:29,820 --> 00:22:37,140 bug about two years ago so the what was 607 00:22:33,240 --> 00:22:39,299 patched as a cve is now basically re 608 00:22:37,140 --> 00:22:41,460 recreated 609 00:22:39,299 --> 00:22:45,900 um so this was what I just demonstrated 610 00:22:41,460 --> 00:22:47,460 was was item to cve 2022 four five eight 611 00:22:45,900 --> 00:22:49,740 seven two 612 00:22:47,460 --> 00:22:51,960 um so you could use this to achieve 613 00:22:49,740 --> 00:22:54,299 remote code execution 614 00:22:51,960 --> 00:22:56,340 um and as I mentioned that was also a 615 00:22:54,299 --> 00:23:00,120 python bug so the python bug didn't 616 00:22:56,340 --> 00:23:02,280 receive a cve but python has had several 617 00:23:00,120 --> 00:23:04,799 security fixed releases now that 618 00:23:02,280 --> 00:23:06,360 Escape output when you use that 619 00:23:04,799 --> 00:23:08,400 particular command so that's kind of 620 00:23:06,360 --> 00:23:10,320 Defense in depth 621 00:23:08,400 --> 00:23:12,960 um so I mentioned there's a CV and X 622 00:23:10,320 --> 00:23:15,360 term in 2008 well there's actually been 623 00:23:12,960 --> 00:23:17,280 a few um X terms still maintained and it 624 00:23:15,360 --> 00:23:19,919 actually has one of the more complete 625 00:23:17,280 --> 00:23:22,620 deck terminal emulations so it's 626 00:23:19,919 --> 00:23:25,320 actually quite a good terminal to use in 627 00:23:22,620 --> 00:23:26,340 various ways Believe It or Not these 628 00:23:25,320 --> 00:23:30,840 slides are actually running your next 629 00:23:26,340 --> 00:23:33,000 term so how that works is 630 00:23:30,840 --> 00:23:35,340 the terminals in front here these are 631 00:23:33,000 --> 00:23:37,260 deck terminals they support graphics 632 00:23:35,340 --> 00:23:40,500 so I'm using the debt Graphics support 633 00:23:37,260 --> 00:23:42,059 to embed Graphics in the in the slides 634 00:23:40,500 --> 00:23:45,360 here so this this is believe it or not 635 00:23:42,059 --> 00:23:48,419 actually next term it can even do Emoji 636 00:23:45,360 --> 00:23:51,980 um so the image format that it's using 637 00:23:48,419 --> 00:23:54,600 is called six cell so like pixel but 6L 638 00:23:51,980 --> 00:23:57,240 it's supported by the hardware terminals 639 00:23:54,600 --> 00:23:59,640 these are in that advert there's also 640 00:23:57,240 --> 00:24:02,460 recent code that implements things for 641 00:23:59,640 --> 00:24:05,280 it so libsixel has a command called 642 00:24:02,460 --> 00:24:06,600 image to six all and if you want to play 643 00:24:05,280 --> 00:24:09,000 around with that you can do something 644 00:24:06,600 --> 00:24:12,020 like this to run a next term that is 645 00:24:09,000 --> 00:24:14,940 terminal compatible with 646 00:24:12,020 --> 00:24:18,419 vt340 which is one of the terminals that 647 00:24:14,940 --> 00:24:20,580 supports color and then image to 6L on 648 00:24:18,419 --> 00:24:22,799 some file and that will probably just 649 00:24:20,580 --> 00:24:24,600 appear in your terminal assuming it's 650 00:24:22,799 --> 00:24:26,179 under a thousand by a thousand because 651 00:24:24,600 --> 00:24:28,679 that's the maximum 652 00:24:26,179 --> 00:24:32,220 some of the terminals like item 2 653 00:24:28,679 --> 00:24:35,280 actually support six all uh Kitty is 654 00:24:32,220 --> 00:24:36,120 another one and several others 655 00:24:35,280 --> 00:24:38,159 um 656 00:24:36,120 --> 00:24:41,820 so this is interesting here's an X term 657 00:24:38,159 --> 00:24:43,740 cve from 2022 found by Nick black who's 658 00:24:41,820 --> 00:24:45,600 actually the author of not curses which 659 00:24:43,740 --> 00:24:48,299 is a if you're familiar with n curses 660 00:24:45,600 --> 00:24:50,880 not curses is another library that will 661 00:24:48,299 --> 00:24:52,440 do image formats so it will do six or 662 00:24:50,880 --> 00:24:54,260 stuff in your terminal we can do fun 663 00:24:52,440 --> 00:24:57,179 things like overlay 664 00:24:54,260 --> 00:24:58,500 a graphic on top of text and various 665 00:24:57,179 --> 00:25:01,020 other things 666 00:24:58,500 --> 00:25:03,600 so anyway the cve I won't I won't go 667 00:25:01,020 --> 00:25:06,960 into too much detail 668 00:25:03,600 --> 00:25:10,380 um but essentially this is repeat 669 00:25:06,960 --> 00:25:11,940 so repeat a lot of times a thing and it 670 00:25:10,380 --> 00:25:14,220 turns out to be a fairly trivial buffer 671 00:25:11,940 --> 00:25:16,740 overflow and if you printed that into X 672 00:25:14,220 --> 00:25:18,000 term and it had six cell support enabled 673 00:25:16,740 --> 00:25:19,980 it would crash 674 00:25:18,000 --> 00:25:21,539 but anyway it's actually much easier if 675 00:25:19,980 --> 00:25:22,740 you just do the some of the exploits 676 00:25:21,539 --> 00:25:24,179 that I've shown where you just make the 677 00:25:22,740 --> 00:25:26,820 terminal type text for you you don't 678 00:25:24,179 --> 00:25:28,559 have to actually deal with like buffer 679 00:25:26,820 --> 00:25:31,919 overflows and complicated memory things 680 00:25:28,559 --> 00:25:34,080 so here's one I found in X term 681 00:25:31,919 --> 00:25:37,440 um it has a way of setting fonts so you 682 00:25:34,080 --> 00:25:39,179 can ask X term to set your font 683 00:25:37,440 --> 00:25:41,159 um 684 00:25:39,179 --> 00:25:44,340 so yeah so it looks something like this 685 00:25:41,159 --> 00:25:46,500 so you set Escape operating system come 686 00:25:44,340 --> 00:25:48,240 on 50 and then you say what font you 687 00:25:46,500 --> 00:25:50,279 want so yeah I'll set my font to Mono 688 00:25:48,240 --> 00:25:52,860 please but it also had a way of querying 689 00:25:50,279 --> 00:25:54,360 your font so in this particular case the 690 00:25:52,860 --> 00:25:56,100 question mark is 691 00:25:54,360 --> 00:25:57,720 respond to me with what your font is 692 00:25:56,100 --> 00:25:59,460 currently set to 693 00:25:57,720 --> 00:26:01,440 it turned out if it didn't actually know 694 00:25:59,460 --> 00:26:03,720 that font and you just set your font to 695 00:26:01,440 --> 00:26:06,900 some random string it would Echo back 696 00:26:03,720 --> 00:26:08,700 the same thing so in the same way that 697 00:26:06,900 --> 00:26:11,100 the title sequence could be used to 698 00:26:08,700 --> 00:26:12,799 potentially run code this can be used to 699 00:26:11,100 --> 00:26:15,840 potentially run code 700 00:26:12,799 --> 00:26:17,940 so something like that well no it wasn't 701 00:26:15,840 --> 00:26:20,460 quite that simple so 702 00:26:17,940 --> 00:26:22,380 um for various reasons a new line or 703 00:26:20,460 --> 00:26:24,480 control or any control character isn't 704 00:26:22,380 --> 00:26:26,039 allowed there it just terminates the the 705 00:26:24,480 --> 00:26:27,000 sequence 706 00:26:26,039 --> 00:26:28,559 um 707 00:26:27,000 --> 00:26:30,779 but 708 00:26:28,559 --> 00:26:32,640 this is kind of interesting so in in the 709 00:26:30,779 --> 00:26:33,659 ANSI standard operating system command 710 00:26:32,640 --> 00:26:36,600 which is the thing I've shown is 711 00:26:33,659 --> 00:26:38,159 Terminator with st now actually if you 712 00:26:36,600 --> 00:26:40,260 look back I changed something here I 713 00:26:38,159 --> 00:26:42,779 terminated this with a Control G which 714 00:26:40,260 --> 00:26:45,000 is the ASCII Bell character 715 00:26:42,779 --> 00:26:48,059 um so St is 716 00:26:45,000 --> 00:26:49,220 that but if you terminate it with a 717 00:26:48,059 --> 00:26:52,200 control g 718 00:26:49,220 --> 00:26:53,820 x term responds with the same thing so 719 00:26:52,200 --> 00:26:55,559 you you can use a different character 720 00:26:53,820 --> 00:26:56,640 and then it presses that character for 721 00:26:55,559 --> 00:26:58,679 you 722 00:26:56,640 --> 00:27:00,659 so it turns out in zsh there's some 723 00:26:58,679 --> 00:27:02,100 interesting features it will change its 724 00:27:00,659 --> 00:27:03,539 key bindings depending what editor 725 00:27:02,100 --> 00:27:05,159 you've got it set to so if you've got 726 00:27:03,539 --> 00:27:07,740 your editor environment variable or some 727 00:27:05,159 --> 00:27:10,320 others set to Vim then one of the 728 00:27:07,740 --> 00:27:11,760 default bindings is Ctrl G becomes list 729 00:27:10,320 --> 00:27:13,860 expand 730 00:27:11,760 --> 00:27:18,480 so it's kind of easier just to show you 731 00:27:13,860 --> 00:27:21,299 this one so if I just type LS here and I 732 00:27:18,480 --> 00:27:23,580 am now pressing Ctrl G 733 00:27:21,299 --> 00:27:25,679 um I haven't pressed enter but I run a 734 00:27:23,580 --> 00:27:28,260 command right so I haven't actually 735 00:27:25,679 --> 00:27:30,059 pressed enter at all I'm just you have 736 00:27:28,260 --> 00:27:33,179 to believe me but I haven't 737 00:27:30,059 --> 00:27:33,179 um so 738 00:27:33,240 --> 00:27:38,220 this is essentially how this then ended 739 00:27:35,340 --> 00:27:40,440 up working so you ask it just to uh 740 00:27:38,220 --> 00:27:42,299 remember we were in film mode so we have 741 00:27:40,440 --> 00:27:44,279 to put an eye here to turn on insert 742 00:27:42,299 --> 00:27:46,440 mode we Type X calc and then we just 743 00:27:44,279 --> 00:27:47,580 terminate this but because we've put 744 00:27:46,440 --> 00:27:52,559 this 745 00:27:47,580 --> 00:27:54,740 in command expansion brackets there that 746 00:27:52,559 --> 00:27:57,299 that a which is the ASCII Bell 747 00:27:54,740 --> 00:27:58,559 essentially asks it to press Ctrl G for 748 00:27:57,299 --> 00:28:00,960 us 749 00:27:58,559 --> 00:28:03,360 um and yeah sure enough it runs what 750 00:28:00,960 --> 00:28:05,220 you'd expect it to do and so this was 751 00:28:03,360 --> 00:28:07,200 actually what I posted to OSS Security 752 00:28:05,220 --> 00:28:08,880 and I put in there you could cut the 753 00:28:07,200 --> 00:28:10,320 file or another way to deliver this to 754 00:28:08,880 --> 00:28:12,120 the victim 755 00:28:10,320 --> 00:28:13,679 so 756 00:28:12,120 --> 00:28:17,059 we've done old things let's do something 757 00:28:13,679 --> 00:28:20,039 modern my day job is about kubernetes 758 00:28:17,059 --> 00:28:21,240 there was this cve in Cooper in Cube 759 00:28:20,039 --> 00:28:24,000 cattle which is the command line 760 00:28:21,240 --> 00:28:27,600 interface for kubernetes and it didn't 761 00:28:24,000 --> 00:28:29,220 Escape Escape characters so what can you 762 00:28:27,600 --> 00:28:30,419 do with that well you kind of know the 763 00:28:29,220 --> 00:28:32,039 answer to that now you've seen the first 764 00:28:30,419 --> 00:28:35,279 bit of the talk 765 00:28:32,039 --> 00:28:37,320 um just out of inch Cube cuddle is you 766 00:28:35,279 --> 00:28:40,080 say Cube cattle because it's a 767 00:28:37,320 --> 00:28:42,659 cuttlefish and kubernetes is a pun of 768 00:28:40,080 --> 00:28:45,120 C's or C of puns all the way down 769 00:28:42,659 --> 00:28:46,919 um anyway so 770 00:28:45,120 --> 00:28:48,659 here I've got 771 00:28:46,919 --> 00:28:51,000 something that hopefully is running a 772 00:28:48,659 --> 00:28:52,860 kubernetes cluster okay yeah there's a 773 00:28:51,000 --> 00:28:54,900 pod here that's crashed 774 00:28:52,860 --> 00:28:57,360 um that's fine we'll ignore that one so 775 00:28:54,900 --> 00:28:59,400 if I just run some convenient Docker 776 00:28:57,360 --> 00:29:01,799 image I've got around here 777 00:28:59,400 --> 00:29:04,020 um so 778 00:29:01,799 --> 00:29:06,480 okay we'll run that what's what's going 779 00:29:04,020 --> 00:29:08,279 on so and you know a normal normal thing 780 00:29:06,480 --> 00:29:09,240 to kubernet is is to run some pods or 781 00:29:08,279 --> 00:29:10,980 whatever 782 00:29:09,240 --> 00:29:12,960 okay both of these are in Crash loop 783 00:29:10,980 --> 00:29:14,940 back off so 784 00:29:12,960 --> 00:29:17,820 um as an administrator looking at this 785 00:29:14,940 --> 00:29:20,100 you know the scenarios may be a user's 786 00:29:17,820 --> 00:29:22,200 run this pod on on the cluster and is 787 00:29:20,100 --> 00:29:25,260 asking why it's not working or something 788 00:29:22,200 --> 00:29:26,580 else so you know the administrator with 789 00:29:25,260 --> 00:29:29,880 all your administrative admissions 790 00:29:26,580 --> 00:29:33,919 starts going describe pod proof of 791 00:29:29,880 --> 00:29:33,919 concept oh dear um so 792 00:29:34,860 --> 00:29:40,500 so well it turns out I'd run it twice 793 00:29:38,100 --> 00:29:41,640 even so yeah it turned out if we scroll 794 00:29:40,500 --> 00:29:43,500 up a bit 795 00:29:41,640 --> 00:29:45,779 um unfortunately because the 796 00:29:43,500 --> 00:29:47,340 vulnerability is in setting font it just 797 00:29:45,779 --> 00:29:48,480 resized the font as well so you can't 798 00:29:47,340 --> 00:29:50,580 see it 799 00:29:48,480 --> 00:29:52,559 um but you have to believe me there's a 800 00:29:50,580 --> 00:29:55,200 bunch of different exploits up there so 801 00:29:52,559 --> 00:29:58,200 you just run describe on this particular 802 00:29:55,200 --> 00:30:00,779 thing and it will probably do something 803 00:29:58,200 --> 00:30:02,940 um so 804 00:30:00,779 --> 00:30:05,640 that's cool 805 00:30:02,940 --> 00:30:07,919 so 806 00:30:05,640 --> 00:30:10,140 in total I found six cves across 807 00:30:07,919 --> 00:30:13,740 different terminals I've demoed the item 808 00:30:10,140 --> 00:30:15,539 to the X term one 809 00:30:13,740 --> 00:30:17,520 um the Connie mu one 810 00:30:15,539 --> 00:30:20,220 um if we have any time at the end which 811 00:30:17,520 --> 00:30:21,179 we probably won't I might show one more 812 00:30:20,220 --> 00:30:23,340 um 813 00:30:21,179 --> 00:30:25,200 but one thing I'd like to talk about is 814 00:30:23,340 --> 00:30:27,000 open SSH so 815 00:30:25,200 --> 00:30:28,380 these these these vulnerabilities are 816 00:30:27,000 --> 00:30:29,820 essentially echoing something back to 817 00:30:28,380 --> 00:30:32,580 the terminal so I'm running local 818 00:30:29,820 --> 00:30:33,899 commands on wherever the terminal is 819 00:30:32,580 --> 00:30:35,159 currently connected to it's as if I'm 820 00:30:33,899 --> 00:30:37,140 typing something 821 00:30:35,159 --> 00:30:40,200 so a common thing to do is you know 822 00:30:37,140 --> 00:30:42,059 leave a connection open over SSH and 823 00:30:40,200 --> 00:30:44,700 there's various security issues with 824 00:30:42,059 --> 00:30:47,580 that depending how it's done so a common 825 00:30:44,700 --> 00:30:49,399 issue is something like this where you 826 00:30:47,580 --> 00:30:52,020 have a jump box in the middle 827 00:30:49,399 --> 00:30:55,320 if someone hijacks that that jump box 828 00:30:52,020 --> 00:30:57,059 and you've rather than 829 00:30:55,320 --> 00:30:59,220 um doing anything like port forwarding 830 00:30:57,059 --> 00:31:00,779 if you've used agent forwarding or 831 00:30:59,220 --> 00:31:02,640 anything then potentially if they've 832 00:31:00,779 --> 00:31:05,159 compromised this box they can actually 833 00:31:02,640 --> 00:31:07,080 sh to another box over here that or 834 00:31:05,159 --> 00:31:09,720 something or they can sniff the traffic 835 00:31:07,080 --> 00:31:10,679 to your production host so one way to 836 00:31:09,720 --> 00:31:13,200 deal with that is there's something 837 00:31:10,679 --> 00:31:16,020 called SSH minus capital J which rather 838 00:31:13,200 --> 00:31:18,779 than using forwarding through sh itself 839 00:31:16,020 --> 00:31:20,940 it configures TCP port forwarding so 840 00:31:18,779 --> 00:31:22,620 you've actually got encrypted sh on top 841 00:31:20,940 --> 00:31:24,720 of encrypted SSH so the box in the 842 00:31:22,620 --> 00:31:26,100 middle can't attack you 843 00:31:24,720 --> 00:31:28,140 but anyway 844 00:31:26,100 --> 00:31:31,140 um 845 00:31:28,140 --> 00:31:32,520 if we get access to this production host 846 00:31:31,140 --> 00:31:34,200 here 847 00:31:32,520 --> 00:31:35,880 um what can we do so you know the normal 848 00:31:34,200 --> 00:31:37,919 scenario is someone's left a terminal 849 00:31:35,880 --> 00:31:40,559 open now imagine that terminal's got 850 00:31:37,919 --> 00:31:43,220 vulnerability so if I get root on that 851 00:31:40,559 --> 00:31:46,080 host that the worst that can happen is 852 00:31:43,220 --> 00:31:48,840 basically I can run commands on that 853 00:31:46,080 --> 00:31:51,240 host but 854 00:31:48,840 --> 00:31:53,279 if we go if we are able to somehow 855 00:31:51,240 --> 00:31:55,140 exploit the terminal bug can we go back 856 00:31:53,279 --> 00:31:57,840 and back and run commands on that client 857 00:31:55,140 --> 00:31:59,700 well 858 00:31:57,840 --> 00:32:01,980 um I'm just going to show this so we've 859 00:31:59,700 --> 00:32:03,419 got a victim up here this is this is 860 00:32:01,980 --> 00:32:05,700 just running as the same user on the 861 00:32:03,419 --> 00:32:08,640 same machine for the for the sake of the 862 00:32:05,700 --> 00:32:11,039 demo but imagine that this someone has 863 00:32:08,640 --> 00:32:13,140 compromised this host down here so 864 00:32:11,039 --> 00:32:14,760 somehow they're able to write something 865 00:32:13,140 --> 00:32:17,640 into that terminal so this is normal 866 00:32:14,760 --> 00:32:21,360 Unix permissions so either their route 867 00:32:17,640 --> 00:32:23,460 or they somehow can write to that 868 00:32:21,360 --> 00:32:25,860 um so we run something called a 869 00:32:23,460 --> 00:32:28,260 disconnect attack and as you see here 870 00:32:25,860 --> 00:32:30,179 that that disconnected them 871 00:32:28,260 --> 00:32:32,580 and then you run a command so how it 872 00:32:30,179 --> 00:32:35,640 works is actually quite simple it stops 873 00:32:32,580 --> 00:32:38,039 the shell up here and then it prints a 874 00:32:35,640 --> 00:32:41,039 command that will result in running some 875 00:32:38,039 --> 00:32:42,840 things and then it just kills the shell 876 00:32:41,039 --> 00:32:44,700 um so 877 00:32:42,840 --> 00:32:46,320 yes it's possible there's there's 878 00:32:44,700 --> 00:32:49,140 actually a bunch of attacks that are 879 00:32:46,320 --> 00:32:50,399 possible if you essentially stop the 880 00:32:49,140 --> 00:32:51,240 terminal 881 00:32:50,399 --> 00:32:52,679 um 882 00:32:51,240 --> 00:32:54,960 because then 883 00:32:52,679 --> 00:32:56,340 it's writing something but it's because 884 00:32:54,960 --> 00:32:58,080 of buffering it's not necessarily 885 00:32:56,340 --> 00:32:59,220 written straight back 886 00:32:58,080 --> 00:33:00,899 um 887 00:32:59,220 --> 00:33:03,120 it just so happens that this one works 888 00:33:00,899 --> 00:33:04,679 really simply to exploit some of these 889 00:33:03,120 --> 00:33:07,140 it's a bit more complicated like you'll 890 00:33:04,679 --> 00:33:08,760 need to send like a buffer like eight 891 00:33:07,140 --> 00:33:10,799 kilobytes worth of text or something but 892 00:33:08,760 --> 00:33:12,779 generally various various things are 893 00:33:10,799 --> 00:33:13,440 possible 894 00:33:12,779 --> 00:33:15,960 um 895 00:33:13,440 --> 00:33:17,580 so yeah that that means that when when 896 00:33:15,960 --> 00:33:19,260 we say these these can lead to remote 897 00:33:17,580 --> 00:33:21,539 code execution they really can lead to 898 00:33:19,260 --> 00:33:25,080 remote code execution not just typing 899 00:33:21,539 --> 00:33:27,059 stuff on your on your local system 900 00:33:25,080 --> 00:33:29,220 so hopefully I've convinced you that 901 00:33:27,059 --> 00:33:31,340 escaping is needed 902 00:33:29,220 --> 00:33:31,340 um 903 00:33:32,399 --> 00:33:38,880 basically yeah writing untrusted uh 904 00:33:36,059 --> 00:33:39,899 output to a terminal is bad 905 00:33:38,880 --> 00:33:41,159 um 906 00:33:39,899 --> 00:33:43,320 this has been known about for a long 907 00:33:41,159 --> 00:33:45,600 time in C you can ask for a particular 908 00:33:43,320 --> 00:33:48,659 character is it printable or for a wide 909 00:33:45,600 --> 00:33:50,720 character is it wide printable 910 00:33:48,659 --> 00:33:50,720 um 911 00:33:50,840 --> 00:33:54,779 lots of bits of code don't bother with 912 00:33:53,039 --> 00:33:57,600 this so it's kind of trivial to find 913 00:33:54,779 --> 00:33:58,380 security issues here so 914 00:33:57,600 --> 00:34:00,419 um 915 00:33:58,380 --> 00:34:02,279 go is actually a bit better 916 00:34:00,419 --> 00:34:03,720 um there's a quite nice thing in the 917 00:34:02,279 --> 00:34:05,940 format package and go where you can use 918 00:34:03,720 --> 00:34:08,099 percent cues so it will output a quoted 919 00:34:05,940 --> 00:34:09,480 string in go form 920 00:34:08,099 --> 00:34:11,820 um 921 00:34:09,480 --> 00:34:13,440 and that yeah that uses the same rules 922 00:34:11,820 --> 00:34:17,040 the literal string would so that's 923 00:34:13,440 --> 00:34:18,720 that's quite nice and quite simple you 924 00:34:17,040 --> 00:34:20,220 can also use the Unicode is graphic 925 00:34:18,720 --> 00:34:21,359 thing 926 00:34:20,220 --> 00:34:23,280 um 927 00:34:21,359 --> 00:34:25,740 but yeah so 928 00:34:23,280 --> 00:34:27,780 an important thing here is awareness 929 00:34:25,740 --> 00:34:29,879 um I kind of mean awareness for users 930 00:34:27,780 --> 00:34:32,220 and developers so as we saw with cat 931 00:34:29,879 --> 00:34:34,980 it's very simple to potentially attack 932 00:34:32,220 --> 00:34:36,780 someone without them really realizing if 933 00:34:34,980 --> 00:34:38,460 someone's got a terminal exploit even 934 00:34:36,780 --> 00:34:40,440 without a terminal exploit as I showed 935 00:34:38,460 --> 00:34:43,919 you can potentially output something 936 00:34:40,440 --> 00:34:45,839 that is different to what will run I'll 937 00:34:43,919 --> 00:34:47,179 cover one more thing about those in a 938 00:34:45,839 --> 00:34:50,099 moment 939 00:34:47,179 --> 00:34:51,419 but like anything with security part of 940 00:34:50,099 --> 00:34:52,980 it is awareness and then part of it is 941 00:34:51,419 --> 00:34:55,139 actually implementing defenses against 942 00:34:52,980 --> 00:34:57,000 these things so 943 00:34:55,139 --> 00:34:59,400 escaping is important 944 00:34:57,000 --> 00:35:01,140 but another interesting thing is we can 945 00:34:59,400 --> 00:35:02,820 actually mitigate some of this ourselves 946 00:35:01,140 --> 00:35:04,680 so 947 00:35:02,820 --> 00:35:07,460 these Escape sequences when we get the 948 00:35:04,680 --> 00:35:09,900 reply to them actually have 949 00:35:07,460 --> 00:35:12,540 some characters around them so they have 950 00:35:09,900 --> 00:35:14,220 like I showed the font extern responds 951 00:35:12,540 --> 00:35:15,720 with the same thing it responds with the 952 00:35:14,220 --> 00:35:18,900 control sequence you would use to set 953 00:35:15,720 --> 00:35:22,380 the font when you query what the font is 954 00:35:18,900 --> 00:35:24,780 um so zsh is quite nice because it's 955 00:35:22,380 --> 00:35:26,760 it's line editor which is the equivalent 956 00:35:24,780 --> 00:35:28,320 to read line is programmable 957 00:35:26,760 --> 00:35:29,940 so 958 00:35:28,320 --> 00:35:32,820 um this is a very simple 959 00:35:29,940 --> 00:35:34,380 um zle function that says skip osc 960 00:35:32,820 --> 00:35:37,140 sequence 961 00:35:34,380 --> 00:35:39,060 um so basically it says reading all the 962 00:35:37,140 --> 00:35:41,700 input and just don't do anything with it 963 00:35:39,060 --> 00:35:46,200 and then you bind that to the key that 964 00:35:41,700 --> 00:35:48,900 is used for operating system commands so 965 00:35:46,200 --> 00:35:50,400 if I then hopefully 966 00:35:48,900 --> 00:35:54,680 that should all be already be running 967 00:35:50,400 --> 00:35:57,720 okay so I've now implemented that in zsh 968 00:35:54,680 --> 00:35:59,579 so now if I do that 969 00:35:57,720 --> 00:36:02,880 you see it did resize the terminal and 970 00:35:59,579 --> 00:36:04,740 it wrote some garbage down there but as 971 00:36:02,880 --> 00:36:07,380 many times I run that 972 00:36:04,740 --> 00:36:10,020 that actually can't be exploited now so 973 00:36:07,380 --> 00:36:11,359 we actually can potentially do things to 974 00:36:10,020 --> 00:36:13,619 make this better 975 00:36:11,359 --> 00:36:17,400 obviously we should fix the terminals as 976 00:36:13,619 --> 00:36:20,220 well but defense in depth is possible 977 00:36:17,400 --> 00:36:22,560 um and the other interesting thing is 978 00:36:20,220 --> 00:36:24,240 the ANSI standard is a bit vague and it 979 00:36:22,560 --> 00:36:25,619 doesn't really have any definitions of 980 00:36:24,240 --> 00:36:26,940 what to do in error handling it just 981 00:36:25,619 --> 00:36:27,839 says this is outside of the scope of the 982 00:36:26,940 --> 00:36:29,880 standard 983 00:36:27,839 --> 00:36:31,859 so what people have started to do is 984 00:36:29,880 --> 00:36:35,460 actually implement the same error 985 00:36:31,859 --> 00:36:37,740 handling and cases as the original deck 986 00:36:35,460 --> 00:36:40,260 terminals did and like I said the vt100 987 00:36:37,740 --> 00:36:43,260 is a de facto standard and people have 988 00:36:40,260 --> 00:36:45,960 sort of decided yeah okay we might not 989 00:36:43,260 --> 00:36:48,780 agree with every single thing it did but 990 00:36:45,960 --> 00:36:51,240 um it's good to basically copy it and 991 00:36:48,780 --> 00:36:53,820 HTML has learned this too so somewhere 992 00:36:51,240 --> 00:36:55,920 deep in the HTML spec on parsing it says 993 00:36:53,820 --> 00:36:57,660 basically you have to implement the 994 00:36:55,920 --> 00:36:59,220 exact error handling we implemented here 995 00:36:57,660 --> 00:37:00,900 because if you implement something 996 00:36:59,220 --> 00:37:02,700 different that can lead to a cross-site 997 00:37:00,900 --> 00:37:04,320 scripting attack and it's kind of the 998 00:37:02,700 --> 00:37:06,300 same with terminals it's not really as 999 00:37:04,320 --> 00:37:08,400 quite as critical because like I've 1000 00:37:06,300 --> 00:37:09,660 shown you actually need a clear bug in 1001 00:37:08,400 --> 00:37:12,240 the terminal for this to be a problem 1002 00:37:09,660 --> 00:37:13,880 but we can do better with defense in 1003 00:37:12,240 --> 00:37:16,560 depth as well 1004 00:37:13,880 --> 00:37:19,560 and I haven't got a link to it here but 1005 00:37:16,560 --> 00:37:22,260 on vt100 now there's a lot of resources 1006 00:37:19,560 --> 00:37:25,140 about deck Terminals and one of them is 1007 00:37:22,260 --> 00:37:28,920 a reverse engineered State diagram for 1008 00:37:25,140 --> 00:37:31,260 what the deck parser does so various 1009 00:37:28,920 --> 00:37:33,060 terminals do Implement that and I found 1010 00:37:31,260 --> 00:37:35,339 a vulnerability in a particular terminal 1011 00:37:33,060 --> 00:37:36,599 that wasn't as bad as one of any of the 1012 00:37:35,339 --> 00:37:38,280 ones I've shown because it correctly 1013 00:37:36,599 --> 00:37:40,800 implemented that state machine so there 1014 00:37:38,280 --> 00:37:43,140 was no way to get extra characters into 1015 00:37:40,800 --> 00:37:44,940 the input 1016 00:37:43,140 --> 00:37:46,800 um it's also worth mentioning that there 1017 00:37:44,940 --> 00:37:48,359 are other attacks related to this so 1018 00:37:46,800 --> 00:37:51,300 Trojan Source was something that came 1019 00:37:48,359 --> 00:37:53,640 out about this time last year I think 1020 00:37:51,300 --> 00:37:55,619 um and that basically is you can use 1021 00:37:53,640 --> 00:37:59,040 Unicode characters such as right to left 1022 00:37:55,619 --> 00:38:00,839 override to hide things in source code 1023 00:37:59,040 --> 00:38:02,640 um and similar things are possible with 1024 00:38:00,839 --> 00:38:05,880 these terminal tricks 1025 00:38:02,640 --> 00:38:08,579 um so that they're all kind of related 1026 00:38:05,880 --> 00:38:10,020 um so in summary history repeats itself 1027 00:38:08,579 --> 00:38:14,040 because nobody listens so that the X 1028 00:38:10,020 --> 00:38:16,500 term CV repeated itself the title bug 1029 00:38:14,040 --> 00:38:19,560 from 2003 was already existing in 1030 00:38:16,500 --> 00:38:21,540 another terminal so some of these 1031 00:38:19,560 --> 00:38:22,560 almost too trivial to find and I think 1032 00:38:21,540 --> 00:38:23,640 that's actually one of the reason that 1033 00:38:22,560 --> 00:38:25,200 people hadn't looked at these as 1034 00:38:23,640 --> 00:38:27,480 security researchers because actually 1035 00:38:25,200 --> 00:38:29,579 like that wouldn't exist right that's 1036 00:38:27,480 --> 00:38:30,839 too too trivial but but it turns out 1037 00:38:29,579 --> 00:38:31,500 they did 1038 00:38:30,839 --> 00:38:32,940 um 1039 00:38:31,500 --> 00:38:34,980 they're actually kind of rare as well 1040 00:38:32,940 --> 00:38:37,619 like you get web browser updates like 1041 00:38:34,980 --> 00:38:40,920 every week about some new new thing that 1042 00:38:37,619 --> 00:38:42,720 somehow can be exploited there are fewer 1043 00:38:40,920 --> 00:38:44,400 of these in terminals 1044 00:38:42,720 --> 00:38:45,960 um but as I've shown they can be very 1045 00:38:44,400 --> 00:38:47,940 dangerous 1046 00:38:45,960 --> 00:38:51,180 um and yeah everyone needs to consider 1047 00:38:47,940 --> 00:38:52,800 whether they should do escaping or what 1048 00:38:51,180 --> 00:38:54,660 what they should do when they're 1049 00:38:52,800 --> 00:38:56,760 printing anything so you know anytime 1050 00:38:54,660 --> 00:38:58,680 you write printf in a program or 1051 00:38:56,760 --> 00:39:00,000 whatever your language uses you might 1052 00:38:58,680 --> 00:39:02,400 actually have to think about that a bit 1053 00:39:00,000 --> 00:39:04,980 more did it come from untrusted input 1054 00:39:02,400 --> 00:39:06,540 and you know as a security person I 1055 00:39:04,980 --> 00:39:09,720 often say where's you know untrusted 1056 00:39:06,540 --> 00:39:12,540 input and things like that so yeah 1057 00:39:09,720 --> 00:39:14,400 um everyone has to be careful 1058 00:39:12,540 --> 00:39:15,720 um so that's that's all I've got 1059 00:39:14,400 --> 00:39:17,760 um thank you 1060 00:39:15,720 --> 00:39:19,980 um if you follow me on Macedon over 1061 00:39:17,760 --> 00:39:22,260 there I will I'll later post a link to 1062 00:39:19,980 --> 00:39:24,720 the docker image I showed with those 1063 00:39:22,260 --> 00:39:26,339 exploits and how to recreate those and 1064 00:39:24,720 --> 00:39:28,380 potentially test if your terminal is 1065 00:39:26,339 --> 00:39:31,160 vulnerable 1066 00:39:28,380 --> 00:39:31,160 um so thank you 1067 00:39:33,920 --> 00:39:39,980 [Applause] 1068 00:39:36,359 --> 00:39:39,980 does anyone have any questions for David 1069 00:39:44,339 --> 00:39:48,180 thanks for putting me in absolute fear 1070 00:39:46,800 --> 00:39:50,880 of my terminal 1071 00:39:48,180 --> 00:39:52,680 um you say at the end that uh they're 1072 00:39:50,880 --> 00:39:54,839 thankfully rare 1073 00:39:52,680 --> 00:39:56,280 um is there anything actually reason to 1074 00:39:54,839 --> 00:39:57,720 believe that that's true because we 1075 00:39:56,280 --> 00:39:59,579 thought that side Channel attacks in 1076 00:39:57,720 --> 00:40:01,020 CPUs were rare until someone found one 1077 00:39:59,579 --> 00:40:02,339 and then everyone started looking for 1078 00:40:01,020 --> 00:40:04,500 them and we found out that they're not 1079 00:40:02,339 --> 00:40:07,500 rare is this just a case of not looking 1080 00:40:04,500 --> 00:40:09,660 or yes I think it's partly a case of not 1081 00:40:07,500 --> 00:40:11,520 looking but also terminals are actually 1082 00:40:09,660 --> 00:40:14,040 quite a small piece of source code right 1083 00:40:11,520 --> 00:40:15,720 so I I'm fairly confident of some of the 1084 00:40:14,040 --> 00:40:17,880 ones that I've looked at that there 1085 00:40:15,720 --> 00:40:19,680 aren't any other bugs so in particular 1086 00:40:17,880 --> 00:40:21,599 things like replying 1087 00:40:19,680 --> 00:40:23,040 most most terminals only have about 10 1088 00:40:21,599 --> 00:40:24,599 different replies they can give and it's 1089 00:40:23,040 --> 00:40:26,700 very it's very easy to read every single 1090 00:40:24,599 --> 00:40:28,859 one of them does that have a problem 1091 00:40:26,700 --> 00:40:30,599 um potentially more interesting as some 1092 00:40:28,859 --> 00:40:32,760 of the other ones that you know involve 1093 00:40:30,599 --> 00:40:35,339 buffer overflows and things those are 1094 00:40:32,760 --> 00:40:36,900 those are harder to be sure about but 1095 00:40:35,339 --> 00:40:38,400 um especially when you know it involves 1096 00:40:36,900 --> 00:40:40,200 fonts and it might actually be a bug in 1097 00:40:38,400 --> 00:40:41,220 Cairo or one of the underlying libraries 1098 00:40:40,200 --> 00:40:42,960 so 1099 00:40:41,220 --> 00:40:45,060 I still think they're rarer there's a 1100 00:40:42,960 --> 00:40:47,220 much smaller surface area in a terminal 1101 00:40:45,060 --> 00:40:49,619 than there is a web browser but yes you 1102 00:40:47,220 --> 00:40:51,540 I don't have data to prove that other 1103 00:40:49,619 --> 00:40:53,300 than you know going back and looking at 1104 00:40:51,540 --> 00:40:55,440 number of cves in web browsers versus 1105 00:40:53,300 --> 00:40:57,000 terminals or such 1106 00:40:55,440 --> 00:40:58,440 so kind of following on from that 1107 00:40:57,000 --> 00:41:00,180 there's a project I think called 1108 00:40:58,440 --> 00:41:01,980 carbonyl but I'm probably pronouncing it 1109 00:41:00,180 --> 00:41:05,040 wrong which implements a version of 1110 00:41:01,980 --> 00:41:06,300 Chrome that runs in a web browser have 1111 00:41:05,040 --> 00:41:10,560 you heard of that one do you have any 1112 00:41:06,300 --> 00:41:14,099 thoughts on that as a test in a terminal 1113 00:41:10,560 --> 00:41:16,740 so it renders HTML and CSS into into a 1114 00:41:14,099 --> 00:41:18,480 terminal yeah I have come across that I 1115 00:41:16,740 --> 00:41:19,920 can't remember where it's but yeah it's 1116 00:41:18,480 --> 00:41:21,240 probably using sex cell or something 1117 00:41:19,920 --> 00:41:25,099 like that 1118 00:41:21,240 --> 00:41:25,099 so yeah it's it's possible 1119 00:41:25,260 --> 00:41:28,099 I was wondering 1120 00:41:29,220 --> 00:41:33,720 um 1121 00:41:30,420 --> 00:41:34,920 so what the the smallest code base so 1122 00:41:33,720 --> 00:41:36,540 there's if you're familiar question 1123 00:41:34,920 --> 00:41:39,599 there was was there any particular 1124 00:41:36,540 --> 00:41:41,220 terminals that you would recommend 1125 00:41:39,599 --> 00:41:42,060 um so yeah the smaller the code base the 1126 00:41:41,220 --> 00:41:44,099 better 1127 00:41:42,060 --> 00:41:45,720 um 1128 00:41:44,099 --> 00:41:47,820 I think if you're familiar there's a 1129 00:41:45,720 --> 00:41:51,720 project called suck less and they they 1130 00:41:47,820 --> 00:41:53,460 release a terminal called St or um it's 1131 00:41:51,720 --> 00:41:55,859 like the shortest code base ever it just 1132 00:41:53,460 --> 00:41:58,460 has no features so it's the usual 1133 00:41:55,859 --> 00:41:58,460 trade-off right 1134 00:41:59,220 --> 00:42:04,140 anybody else 1135 00:42:01,200 --> 00:42:06,599 all right thank you David and we have a 1136 00:42:04,140 --> 00:42:07,380 little gift here for you thank you very 1137 00:42:06,599 --> 00:42:09,260 much 1138 00:42:07,380 --> 00:42:12,440 and you're looking after us 1139 00:42:09,260 --> 00:42:12,440 thank you