
Escape console output more thoroughly
Open, Low, Public

Description

Attackers can create things like tasks which have console escape codes in their names. When displayed on the console via a command like arc list or arc tasks, these strings may be annoying (bell characters), misleading (rewrite parts of the console) or otherwise confusing/mischievous. It is vaguely possible that a malicious attacker could come up with some creative way to be legitimately abusive here rather than merely clever/annoying, although this is probably not substantially different from allowing unicode combining characters, RTL codes, zero-width spaces, etc., in practical effect. If nothing else, this behavior is not desirable or expected.

We should make phutil_console_format() more aggressive about escaping conversions, and probably expose it via an explicit xsprintf() interface to make its use easier and more consistent. The state of console printing is generally less rigorous and abstracted than other string handling, anyway.

See T4472 for a similar primarily-hypothetical escaping issue.

Event Timeline

epriestley raised the priority of this task to Low.
epriestley updated the task description.
epriestley added a project: Infrastructure.
epriestley added a subscriber: epriestley.

There is an excellent paper by H D Moore [1] on the subject of security in
terminal emulators regarding control characters. After reading it, I got
inspired and created a couple of proof-of-concept 'attacks'.

This is a way to create a task with a name that, when viewed through arc tasks,
will show a fake Task ID, e.g., T11.

arc todo $(echo -en "\b\b\b\b\033[1mT11\033[0m This is a fake task")

Here is a screenshot showing the output. The real Task ID was T62.

phabc.jpg (511×670 px, 50 KB)

The PoC below, depending on the term used, will change the title of the
terminal emulator. I've tested this on xterm/aterm/eterm and it seems to work.
Depending on the terminal emulator used (and the version of it) more dangerous
injections might be possible.

arc todo $(echo -e "\e]2;This is the new window title\a")

[1]: https://marc.info/?l=bugtraq&m=104612710031920
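As an added illustration (this is not libphutil's phutil_console_format() and not code from this task or its comments), the following standalone Python sanitizer neutralises the two proof-of-concept titles above in the two ways the description contemplates: rendering every control byte visibly, or stripping whole escape sequences. The function names escape_console_string, strip_console_sequences and render_task_row are my own, and the two payload strings are copied from the arc todo commands in the comment. The patterns cover CSI, OSC, DCS/SOS/PM/APC strings, short ESC sequences and their 8-bit C1 equivalents.

```python
import re

# Terminal control sequences to neutralise. Each pattern covers the 7-bit
# ESC-introduced form and the 8-bit C1 equivalent (U+0080..U+009F in a str).
_CSI = r'(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]'   # ESC [ ... m : colours, cursor moves, erase
_OSC = r'(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?'  # ESC ] ... BEL : window title, hyperlinks
_STR = r'(?:\x1b[PX^_]|[\x90\x98\x9e\x9f])[^\x1b\x9c]*(?:\x1b\\|\x9c)?'  # DCS/SOS/PM/APC ... ST
_ESC = r'\x1b[\x20-\x2f]*[\x30-\x7e]'                             # remaining short ESC sequences (ESC M, ESC c, ...)
_SEQUENCE = re.compile('|'.join((_CSI, _OSC, _STR, _ESC, r'\x1b')))  # bare ESC last, as a fallback
_CONTROL = re.compile(r'[\x00-\x1f\x7f-\x9f]')                    # C0 controls, DEL and C1 controls

# Readable spellings for the controls that turn up most in these payloads;
# anything else is shown as \xNN.
_NAMES = {0x07: r'\a', 0x08: r'\b', 0x09: r'\t', 0x0a: r'\n', 0x0d: r'\r', 0x1b: r'\e'}


def _visible(ch):
    """Printable characters pass through; control characters become their escape spelling."""
    code = ord(ch)
    if 0x20 <= code < 0x7f or code > 0x9f:
        return ch
    return _NAMES.get(code, f'\\x{code:02x}')


def escape_console_string(text, keep='\n'):
    """Render every control character in `text` visibly (ESC -> \\e, BS -> \\b, ...)
    so nothing in it can move the cursor, change colours or retitle the window.
    Printable payload inside a sequence is kept, so the reader sees what was
    attempted. Characters listed in `keep` (newline by default) pass through."""
    return ''.join(c if c in keep else _visible(c) for c in text)


def strip_console_sequences(text, keep='\n'):
    """Delete escape sequences outright, payload included (an OSC title string
    vanishes with its introducer), then drop any stray control character."""
    text = _SEQUENCE.sub('', text)
    return ''.join(c for c in text if c in keep or not _CONTROL.match(c))


def render_task_row(task_id, title, id_width=6):
    """One fixed-width row as a task lister might print it, with the title
    escaped so it cannot back up over the ID column."""
    return f'{task_id:<{id_width}}{escape_console_string(title)}'


# Constructed inputs: the two proof-of-concept titles from the comment above.
FAKE_ID_TITLE = '\b\b\b\b\x1b[1mT11\x1b[0m This is a fake task'
RETITLE_TITLE = '\x1b]2;This is the new window title\x07'

if __name__ == '__main__':
    for title in (FAKE_ID_TITLE, RETITLE_TITLE):
        print(render_task_row('T62', title))
        print('stripped: %r' % strip_console_sequences(title))
```

Escaping is the safer default for a listing with an ID column: the backspaces and SGR bytes of the first payload become literal \b and \e[1m text that can no longer overwrite T62, and the second payload's window-title string stays readable. Stripping removes the second payload entirely and leaves an empty title, which is a reasonable outcome but hides what was tried. Neither mode addresses the Unicode tricks the description mentions (combining characters, RTL codes, zero-width spaces); those survive as printable text.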

Although we still have a long way to go here, after D14136 the result of the sequence of steps above is a little better:

Screen Shot 2015-09-21 at 12.46.31 PM.png (211×789 px, 47 KB)