Date: Mon, 1 May 2017 18:44:28 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: terminal emulators' processing of escape sequences

Hi,

It is a well-known feature, previously discussed in here, that data printed to a terminal (emulator) may control that terminal, including making it effectively unusable until reset, and in some cases even pasting characters as if they were typed by the user. Also as discussed what characters may be pasted varies by terminal - sometimes they can be arbitrary (e.g., if the terminal supports macro recording and playback via escape sequences) and sometimes not so (like a terminal reporting back its status, usually not followed by a linefeed, so not yet executing a shell command until further user assistance).

Here are some relevant threads:

http://www.openwall.com/lists/oss-security/2015/08/11/8
http://www.openwall.com/lists/oss-security/2015/09/17/5
http://www.openwall.com/lists/oss-security/2016/11/04/12

(I link to messages that started these threads, not necessarily to most informative messages in the threads. So you might want to go through the threads with the "thread-next" links.)

Besides (mis)features, there may also be implementation bugs. A couple of weeks ago, I brought in here vulnerabilities in terminal escape handling in minicom and prl-vzvncserver (both already fixed in latest versions by then):

http://www.openwall.com/lists/oss-security/2017/04/18/5

I already knew this wouldn't be the end of the story as some other terminal emulators exhibited suspicious behavior when targeted with streams of unusual escape sequences involving large or negative integer parameters. I sent the following to the distros list on April 17, presented here with updates reflecting the current status.

[continues]

References:
https://www.openwall.com/lists/oss-security/2017/05/01/13

Recent exploit:
https://www.openwall.com/lists/oss-security/2021/05/17/1
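
A defensive check for the input class the report mentions (escape sequences with large or negative integer parameters), as an added example that is not part of the original report or of any terminal emulator's code: it scans untrusted bytes for such CSI sequences and renders control bytes visibly before anything reaches a terminal. The `MAX_PARAM` limit, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# 7-bit CSI only: ESC [ , then parameter/intermediate bytes (0x20-0x3f),
# then one final byte (0x40-0x7e). The byte classes are matched loosely on
# purpose, so malformed input such as "-5" is still captured for inspection.
CSI_RE = re.compile(rb"\x1b\[([\x20-\x3f]*)([\x40-\x7e])")
MAX_PARAM = 9999  # assumed policy limit, not taken from any terminal's source


def suspicious_csi(data: bytes, max_param: int = MAX_PARAM):
    """Return (offset, raw_sequence, reason) for every CSI sequence whose
    numeric parameters look negative or exceed max_param."""
    findings = []
    for m in CSI_RE.finditer(data):
        body = m.group(1)
        reasons = []
        if re.search(rb"-\d", body):
            reasons.append("negative parameter")
        if any(int(n) > max_param for n in re.findall(rb"\d+", body)):
            reasons.append("parameter exceeds %d" % max_param)
        if reasons:
            findings.append((m.start(), m.group(0), "; ".join(reasons)))
    return findings


def defang(data: bytes) -> str:
    """Render untrusted bytes for display: printable ASCII, tab and newline
    pass through, every other byte is shown as a visible \\xNN escape."""
    return "".join(
        chr(b) if b in (9, 10) or 32 <= b < 127 else "\\x%02x" % b
        for b in data
    )


# Constructed sample: ordinary colour codes plus two out-of-range parameters.
SAMPLE = (
    b"normal \x1b[1;31mred\x1b[0m text\n"
    b"cursor move \x1b[2147483648C\n"
    b"scroll \x1b[-5T\n"
)

if __name__ == "__main__":
    for offset, seq, reason in suspicious_csi(SAMPLE):
        print(offset, defang(seq), reason)
```
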
Created mrxvt tracking bugs for this issue:

Affects: fedora-all [bug 1961359]

Created rxvt-unicode tracking bugs for this issue:

Affects: epel-all [bug 1961361]
Affects: fedora-all [bug 1961360]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.