Presented at DEF CON 31 (2023), Aug. 13, 2023, noon (45 minutes).
It is 60 years since the first publication of the ASCII standard, something we now very much take for granted. ASCII introduced the Escape character, something we still use but maybe don't think about very much. The terminal is a tool all of us use. It's a way to interact with nearly every modern operating system. Underneath, it uses escape codes defined in standards, some of which date back to the 1970s.
Like anything which deals with untrusted user input, it has an attack surface. 20 years ago HD Moore wrote a paper on terminal vulnerabilities, finding multiple CVEs in the process. I decided it was time to revisit this class of vulnerability.
In this talk I'll look at the history of terminals and then detail the issues I found in half a dozen different terminals. Even Microsoft, who historically haven't had strong terminal support, didn't escape a CVE. In order to exploit these vulnerabilities, they often need to be combined with a vulnerability in something else. I'll cover how to exploit these vulnerabilities in multiple ways.
Overall this research found multiple remote code execution vulnerabilities across nearly all platforms and new unique ways to deliver the exploits.
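The defensive counterpart of the escape-code attack surface described above is neutralization (CWE-150, cited below): anything that echoes untrusted text to a terminal should make control sequences visible rather than let the terminal interpret them. The following Python is an added example written for this page, not code from the talk; it assumes the 7-bit ESC-introduced forms (CSI, OSC and friends, plain ESC sequences) plus C0/C1 controls are the sequences worth catching, and treats an unterminated OSC as a failure mode by stripping only its introducer so the payload is left as inert text.

```python
import re

# Matches the 7-bit control-sequence forms that terminals act on (assumed to be
# sufficient for this illustration; it does not parse every vendor extension):
#   1. CSI:  ESC [ params intermediates final           e.g. ESC[31m
#   2. OSC/DCS/SOS/PM/APC strings: ESC ] ... ST or BEL   e.g. ESC]0;title BEL
#   3. any other ESC + optional intermediates + final   e.g. ESC c, ESC ( B
#   4. remaining C0 controls (tab and newline excepted), DEL, and C1 code points
# Alternative 2 requires its terminator, so an unterminated OSC falls through to
# alternative 3, which consumes just the introducer and leaves the payload as text.
CONTROL_SEQ = re.compile(
    r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
    r"|\x1b[\]PX^_].*?(?:\x1b\\|\x07)"
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]"
    r"|[\x00-\x08\x0b-\x1f\x7f-\x9f]",
    re.DOTALL,
)


def _visible(seq: str) -> str:
    """Rewrite each control character in caret notation (ESC -> ^[, BEL -> ^G)."""
    out = []
    for ch in seq:
        o = ord(ch)
        if o < 0x20:
            out.append("^" + chr(o + 0x40))
        elif o == 0x7F:
            out.append("^?")
        elif 0x80 <= o <= 0x9F:
            out.append(f"\\x{o:02x}")  # C1 control: show as an escaped code point
        else:
            out.append(ch)
    return "".join(out)


def find_sequences(text: str) -> list[str]:
    """Detection side: return every control sequence present in untrusted text."""
    return CONTROL_SEQ.findall(text)


def neutralize(text: str) -> str:
    """Mitigation side: return text that is safe to write to a terminal."""
    return CONTROL_SEQ.sub(lambda m: _visible(m.group(0)), text)


# Constructed sample: a filename carrying an OSC title-setting sequence, followed
# by CSI colour codes, as it might arrive from an untrusted source.
SAMPLE = "report\x1b]0;owned\x07.txt \x1b[31mERROR\x1b[0m done"

if __name__ == "__main__":
    print(len(find_sequences(SAMPLE)), "control sequences found")
    print(neutralize(SAMPLE))  # prints: report^[]0;owned^G.txt ^[[31mERROR^[[0m done
```

The same regex serves both purposes: `find_sequences` flags log lines or filenames that carry escapes, and `neutralize` is what a pager or log viewer should apply before output.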
REFERENCES:
Key citations:
- HD Moore, 2003, "Terminal Emulator Security Issues"; https://marc.info/?l=bugtraq&m=104612710031920&w=2
- Eviatar Gerzi, 2022, "Don't Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters"; https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters
- Phrack, 1994, #46 file 4, "Line Noise" (flash.c); http://phrack.org/issues/46/4.html
- MITRE, CWE-150; https://cwe.mitre.org/data/definitions/150.html
- Paul Szabo, 2008, CVE-2008-2383; https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
Other interesting sources:
- Nicholas Boucher and Ross Anderson, 2021, "Trojan Source: Invisible Vulnerabilities"; https://trojansource.codes/
- Thomas Dickey, 2023, "XTerm Control Sequences"; https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
- Bob Bemer, "That Powerful ESCAPE Character"; https://web.archive.org/web/20010411103243/http://www.bobbemer.com/ESCAPE.HTM
- Lear Siegler, 1979, "ADM-3A Operator's Manual"; https://vt100.net/lsi/adm3a-om.pdf
- Digital Equipment Corporation, 1994, "VT520/VT525 Video Terminal Programmer Information"; http://web.mit.edu/dosathena/doc/www/ek-vt520-rm.pdf
- Paul Flo Williams, "A parser for DEC's ANSI-compatible video terminals", VT100.net; https://vt100.net/emu/dec_ansi_parser
- Konstantinos Foutzopoulos, 2021, "Sixel for terminal graphics"; https://konfou.xyz/posts/sixel-for-terminal-graphics/
- https://agimcami.files.wordpress.com/2019/07/control-characters-in-ascii-and-unicode-aivisto-com.pdf, unknown origin, but a good reference
- Unicode Consortium, Mark Davis et al., 2014, Unicode Technical Report #36; https://unicode.org/reports/tr36/
- Unicode Consortium, Robin Leroy et al., 2023, Draft Unicode Technical Standard #55; https://www.unicode.org/reports/tr55/
My posts to oss-security so far:
- rxvt-unicode CVE-2022-4170; https://www.openwall.com/lists/oss-security/2022/12/05/1
- xterm CVE-2022-45063; https://www.openwall.com/lists/oss-security/2022/11/10/1
- less CVE-2022-46663; https://www.openwall.com/lists/oss-security/2023/02/07/7
Presenters:
- David Leadbeater, Open Source Engineer at G-Research. He aims to find more CVEs than he creates and is currently succeeding.