Terminal escape sequences – the new XSS for Linux sysadmins


The article shows how to craft a script that displays one kind of content when printed with cat, but runs different code when executed:

$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh

$ chmod +x backdoor.sh

$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!

$ ./backdoor.sh
doing something evil!
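
The `\033[2A` in the printf above is the ANSI cursor-up sequence, so `cat` lets the terminal draw the last line over earlier ones. As an added example (not code from the article), one way to check a file for such bytes before reading or running it; the function name `scan_ctrl` is made up for this example:

```shell
#!/bin/sh
# Added example (not from the article): list lines that contain control bytes,
# rendered visibly, before trusting what `cat` draws on the terminal.

# scan_ctrl FILE
#   Prints "LINENO:<text with control bytes made visible>" for each suspicious line.
#   Returns 0 if the file is clean, 1 if control bytes were found, 2 if unreadable.
scan_ctrl() {
    file=$1
    [ -r "$file" ] || { echo "scan_ctrl: cannot read $file" >&2; return 2; }
    # TAB is normal in scripts, so map it to a space. NUL is mapped to 0x01 so it
    # is still reported but does not make grep treat the input as binary.
    # LC_ALL=C makes [[:cntrl:]] match bytes 0x01-0x1f and 0x7f (ESC, CR, BS, ...).
    # cat -v then shows the bytes in caret notation instead of sending them raw.
    hits=$(tr '\t\000' ' \001' < "$file" | LC_ALL=C grep -n '[[:cntrl:]]' | cat -v)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample: the same bytes as backdoor.sh above, written to a temp file.
sample=$(mktemp)
printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > "$sample"
scan_ctrl "$sample" || echo "control bytes found; review with cat -v before running"
rm -f "$sample"
```
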
Henning Koch
License
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra dev (2015-09-25 12:55)