Is using 'echo' to display attacker-controlled data on the terminal dangerous?


7















Imagine the following code:



ATTACKERDATA="$(cat attackerControlledFile.txt)"
echo "$ATTACKERDATA"


An attacker can, through whatever arbitrary process, modify the contents of attackerControlledFile.txt to anything they desire. The content can be ASCII, UTF-8, Binary, etc. Anything is fine. The machine also assumes that it is infinitely fast, so even an extremely large file of multiple terabytes would be read and printed immediately.



Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:



  • This code only works in bash

  • This code requires the output to be printed onto a specific terminal emulator

  • Etc.

Everything else assumes a reasonably sane system. This means that answers such as "If echo is an attacker-controlled binary that's actually malware" do not count, as the existence of malware is not exactly "reasonably sane". Answers that would require a specific software or version of that software to be present do count, as long as that software was not made for the purpose of exploitation.




A similar question asks Is it possible to use the Linux “echo” command maliciously?, but the accepted answer is actually about a flaw in the design of a web application. Furthermore, it requires the attacker to be able to do redirects, which as far as I know, this construct cannot do.










vulnerability bash






edited 8 hours ago
MechMK1

asked 9 hours ago
MechMK1

  • what if it's a million bells? while not dangerous, it's certainly annoying...

    – dandavis
    3 hours ago

















3 Answers
9















Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:



This code requires the output to be printed onto a specific terminal emulator




In fact, yes. Old terminals like vt100 have the ability to use ANSI escape sequences to do special things, like execute commands. The following site below documents this ability using a simple echo, like you describe.



https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/



The article is in depth with specific exploit instructions, but the general idea can be summarized from this excerpt from the site:




Dangerous Escape Sequences
Terminal emulators support multiple features as described below [8]:



  • Screen Dumping: a screen dump escape sequence will open an arbitrary file and write the current content of the terminal into the file. Some terminal emulators will not write to existing files, but only to new files, while others will simply overwrite the file with the new contents. An attacker might use this feature to create a new backdoor PHP file in the DocumentRoot of the web server, which can later be used to execute arbitrary commands.


  • Window Title: an escape sequence exists for setting the window title, which will change the window title string. This feature can be used together with another escape sequence, which reads the current window title and prints it to the current command line. Since a carriage return character is prohibited in the window title, an attacker can store the command in a window title and print it to the current command line, but it would still require a user to press enter in order to execute it. There are techniques for making the command invisible, like setting the text color to the same color as the background, which increases the chances of the user pressing the enter key.


  • Command Execution: some terminal emulators could even allow execution of the command directly by using an escape sequence.







answered 8 hours ago
Steve Sether

  • 2





    +1 for the interesting info, however all examples in the above link make use of echo -e which OP is not using

    – CaffeineAddiction
    8 hours ago






  • 2





    @CaffeineAddiction I don't know that the exploit requires -e to be used, and guess that echoing the binary contents of a file would also echo the special characters too. I'm also not familiar with all versions of echo written for every OS. The author is using the gnu echo, other versions may operate differently and allow the same escaped characters without the -e option.

    – Steve Sether
    8 hours ago






  • 1





    if you re-read the article, every example the author uses makes use of echo -e or printf ... the exploit simply will not work without it ... echo -e states the following in its man pages enable interpretation of backslash escapes ... so pretty much the whole point of the article

    – CaffeineAddiction
    1 hour ago











  • @CaffeineAddiction: echo sans -e can still echo any arbitrary bytes (except NUL) just by having those bytes passed to it on the command line — say, because those bytes were in an attacker-controlled binary file read into a variable that was then echoed.

    – jwodder
    31 mins ago
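
The behaviour discussed in the comments above (plain echo passes raw control bytes through, and some echo implementations also expand backslash escapes without -e), with two ways to neutralise those bytes before they reach a terminal. This is an added example, not code from the thread; the function names and the sample file contents are constructed, and the sample contains only a harmless colour sequence and a bell.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed.

# Write a constructed stand-in for attackerControlledFile.txt. It holds a raw
# ESC byte (0x1b) that starts a harmless colour sequence, a BEL byte, and the
# literal text \033 (a backslash followed by the digits 0, 3, 3).
make_sample() {
    printf 'report\033[31m red\007 \\033[0m end\n' > "$1"
}

# Count the ESC bytes arriving on stdin.
count_esc() {
    LC_ALL=C tr -cd '\033' | wc -c | tr -d ' '
}

# The construct from the question, unchanged. The raw ESC byte is passed on
# in every shell. In shells whose echo expands backslash escapes by default
# (dash, or bash with xpg_echo enabled) the literal \033 becomes a second ESC.
echo_raw() {
    ATTACKERDATA="$(cat "$1")"
    echo "$ATTACKERDATA"
}

# printf '%s' does no option parsing and no backslash processing, so its
# output is the same in every shell. Raw control bytes still pass through.
printf_raw() {
    ATTACKERDATA="$(cat "$1")"
    printf '%s\n' "$ATTACKERDATA"
}

# Mitigation 1: delete C0 control bytes (keeping TAB and LF) and DEL.
# What is left of an escape sequence is printed as ordinary text.
print_stripped() {
    ATTACKERDATA="$(cat "$1")"
    printf '%s\n' "$ATTACKERDATA" | LC_ALL=C tr -d '\000-\010\013-\037\177'
}

# Mitigation 2: make control bytes visible (ESC becomes ^[, BEL becomes ^G).
# cat -v is not in POSIX but GNU, BSD and BusyBox cat provide it. It rewrites
# bytes >= 0x80 in M- notation, so non-ASCII text is no longer readable.
print_visible() {
    ATTACKERDATA="$(cat "$1")"
    printf '%s\n' "$ATTACKERDATA" | cat -v
}

demo() {
    f="$(mktemp)"
    make_sample "$f"
    printf 'ESC bytes via echo:           %s\n' "$(echo_raw "$f" | count_esc)"
    printf 'ESC bytes via printf %%s:      %s\n' "$(printf_raw "$f" | count_esc)"
    printf 'ESC bytes after stripping:    %s\n' "$(print_stripped "$f" | count_esc)"
    printf 'stripped: %s\n' "$(print_stripped "$f")"
    printf 'visible:  %s\n' "$(print_visible "$f")"
    rm -f "$f"
}

demo
```

Neither filter handles C1 controls (0x80 to 0x9f) on terminals that accept 8-bit control codes; stripping those bytewise would also damage UTF-8 text, so that case needs a UTF-8-aware filter.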


















3














No, echo used in the example above is fine



Echo simply prints a string to the pipe stdout (default)



per: https://superuser.com/a/699500/527937




Pipes can't overflow. A pipe is just a buffer (a certain amount of
memory, most likely 64KB on a current system) between a producer and a
consumer. If the producer produces faster than the consumer consumes,
the producer is blocked (that means, the program will sleep) until the
consumer makes room in the buffer again by reading from it.




As a side note, if you have a large amount of data in 1x line ... cat can hang and/or consume an enormous amount of system memory.






  • A DoS was the most likely too. I recall that I once displayed a binary file on my terminal, and when it finally finished, I got lots of command not found errors, which left me wondering if there was a way to abuse it.

    – MechMK1
    9 hours ago











  • these are most likely errors from echo and not bash, eg it encountered a backslash command that is not recognized as an option

    – CaffeineAddiction
    9 hours ago












  • I can't seem to find a way to exploit this either. Too bad, that would have been cool to exploit.

    – MechMK1
    9 hours ago











  • the cat portion could most likely be exploited ... eg echo '"ls' > attackerControlledFile.txt

    – CaffeineAddiction
    9 hours ago











  • Just outputs "ls for me.

    – MechMK1
    8 hours ago


















0














Does



echo "$(cat /etc/shadow)"


or



echo "$(mv test.txt test2.txt)"


Satisfy your requirement?






  • 2





    An attacker can modify the contents in the text file. I thought about command expansion, but as far as I know, command expansion occurs before cat even reads the file. Hence this approach does not work. I edited my question to clarify this.

    – MechMK1
    8 hours ago












  • @MechMK1 I see. I'll explore some more then.

    – DarkMatter
    8 hours ago











  • Sorry if I did not specify my requirements enough at first. I hope things are clear now. Sorry for any wasted effort

    – MechMK1
    8 hours ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211419%2fis-using-echo-to-display-attacker-controlled-data-on-the-terminal-dangerous%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









9















Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:



This code requires the output to be printed onto a specific terminal emulator




In fact, yes. Old terminals like vt100 have the ability to use ANSI escape sequences to do special things, like execute commands. The following site below documents this ability using a simple echo, like you describe.



https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/



The article is in depth with specific exploit instructions, but the general idea can be summarized from this excerpt from the site:




Dangerous Escape Sequences
Terminal emulators support multiple features as described below [8]:



  • Screen Dumping: a screen dump escape sequence will open arbitrary file and write the current content of the terminal into the file. Some terminal emulators will not write to existing files, but only to new files, while others will simply overwrite the file with the new contents. An attacker might use this feature to create a new backdoor PHP file in the DocumentRoot of the web server, which can later be used to execute arbitrary commands.


  • Window Title: an escape sequence exists for setting the window title, which will change the window title string. This feature can be used together with another escape sequence, which reads the current window title and prints it to the current command line. Since a carriage return character is prohibited in the window title, an attacker can store the command in a window title and print it to the current command line, but it would still require a user to press enter in order to execute it. There are techniques for making the command invisible, like setting the text color to the same color as the background, which increases the changes of user pressing the enter key.


  • Command Execution: some terminal emulators could even allow execution of the command directly by using an escape sequence.







share|improve this answer


















  • 2





    +1 for the interesting info, however all examples in the above link make use of echo -e which OP is not using

    – CaffeineAddiction
    8 hours ago






  • 2





    @CaffeineAddiction I don't know that the exploit requires -e to be used, and guess that echoing the binary contents of a file would also echo the special characters too. I'm also not familiar with all versions of echo written for every OS. The author is using the gnu echo, other versions may operate differently and allow the same escaped characters without the -e option.

    – Steve Sether
    8 hours ago






  • 1





    if you re-read the article, every example the author uses makes use of echo -e or printf ... the exploit simply will not work with out it ... echo -e states the following in its man pages enable interpretation of backslash escapes ... so pretty much the whole point of the article

    – CaffeineAddiction
    1 hour ago











  • @CaffeineAddiction: echo sans -e can still echo any arbitrary bytes (except NUL) just by having those bytes passed to it on the command line — say, because those bytes were in an attacker-controlled binary file read into a variable that was then echoed.

    – jwodder
    31 mins ago















9















Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:



This code requires the output to be printed onto a specific terminal emulator




In fact, yes. Old terminals like vt100 have the ability to use ANSI escape sequences to do special things, like execute commands. The following site below documents this ability using a simple echo, like you describe.



https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/



The article is in depth with specific exploit instructions, but the general idea can be summarized from this excerpt from the site:




Dangerous Escape Sequences
Terminal emulators support multiple features as described below [8]:



  • Screen Dumping: a screen dump escape sequence will open arbitrary file and write the current content of the terminal into the file. Some terminal emulators will not write to existing files, but only to new files, while others will simply overwrite the file with the new contents. An attacker might use this feature to create a new backdoor PHP file in the DocumentRoot of the web server, which can later be used to execute arbitrary commands.


  • Window Title: an escape sequence exists for setting the window title, which will change the window title string. This feature can be used together with another escape sequence, which reads the current window title and prints it to the current command line. Since a carriage return character is prohibited in the window title, an attacker can store the command in a window title and print it to the current command line, but it would still require a user to press enter in order to execute it. There are techniques for making the command invisible, like setting the text color to the same color as the background, which increases the changes of user pressing the enter key.


  • Command Execution: some terminal emulators could even allow execution of the command directly by using an escape sequence.







share|improve this answer


















  • 2





    +1 for the interesting info, however all examples in the above link make use of echo -e which OP is not using

    – CaffeineAddiction
    8 hours ago






  • 2





    @CaffeineAddiction I don't know that the exploit requires -e to be used, and guess that echoing the binary contents of a file would also echo the special characters too. I'm also not familiar with all versions of echo written for every OS. The author is using the gnu echo, other versions may operate differently and allow the same escaped characters without the -e option.

    – Steve Sether
    8 hours ago






  • 1





    if you re-read the article, every example the author uses makes use of echo -e or printf ... the exploit simply will not work with out it ... echo -e states the following in its man pages enable interpretation of backslash escapes ... so pretty much the whole point of the article

    – CaffeineAddiction
    1 hour ago











  • @CaffeineAddiction: echo sans -e can still echo any arbitrary bytes (except NUL) just by having those bytes passed to it on the command line — say, because those bytes were in an attacker-controlled binary file read into a variable that was then echoed.

    – jwodder
    31 mins ago













9












9








9








Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:



This code requires the output to be printed onto a specific terminal emulator




In fact, yes. Old terminals like vt100 have the ability to use ANSI escape sequences to do special things, like execute commands. The following site below documents this ability using a simple echo, like you describe.



https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/



The article is in depth with specific exploit instructions, but the general idea can be summarized from this excerpt from the site:




Dangerous Escape Sequences
Terminal emulators support multiple features as described below [8]:



  • Screen Dumping: a screen dump escape sequence will open arbitrary file and write the current content of the terminal into the file. Some terminal emulators will not write to existing files, but only to new files, while others will simply overwrite the file with the new contents. An attacker might use this feature to create a new backdoor PHP file in the DocumentRoot of the web server, which can later be used to execute arbitrary commands.


  • Window Title: an escape sequence exists for setting the window title, which will change the window title string. This feature can be used together with another escape sequence, which reads the current window title and prints it to the current command line. Since a carriage return character is prohibited in the window title, an attacker can store the command in a window title and print it to the current command line, but it would still require a user to press enter in order to execute it. There are techniques for making the command invisible, like setting the text color to the same color as the background, which increases the changes of user pressing the enter key.


  • Command Execution: some terminal emulators could even allow execution of the command directly by using an escape sequence.







share|improve this answer














Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:



This code requires the output to be printed onto a specific terminal emulator




In fact, yes. Old terminals like vt100 have the ability to use ANSI escape sequences to do special things, like execute commands. The following site below documents this ability using a simple echo, like you describe.



https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/



The article is in depth with specific exploit instructions, but the general idea can be summarized from this excerpt from the site:




Dangerous Escape Sequences
Terminal emulators support multiple features as described below [8]:



  • Screen Dumping: a screen dump escape sequence will open arbitrary file and write the current content of the terminal into the file. Some terminal emulators will not write to existing files, but only to new files, while others will simply overwrite the file with the new contents. An attacker might use this feature to create a new backdoor PHP file in the DocumentRoot of the web server, which can later be used to execute arbitrary commands.


  • Window Title: an escape sequence exists for setting the window title, which will change the window title string. This feature can be used together with another escape sequence, which reads the current window title and prints it to the current command line. Since a carriage return character is prohibited in the window title, an attacker can store the command in a window title and print it to the current command line, but it would still require a user to press enter in order to execute it. There are techniques for making the command invisible, like setting the text color to the same color as the background, which increases the changes of user pressing the enter key.


  • Command Execution: some terminal emulators could even allow execution of the command directly by using an escape sequence.








share|improve this answer












share|improve this answer



share|improve this answer










answered 8 hours ago









Steve SetherSteve Sether

17.7k63766




17.7k63766







  • 2





    +1 for the interesting info, however all examples in the above link make use of echo -e which OP is not using

    – CaffeineAddiction
    8 hours ago






  • 2





    @CaffeineAddiction I don't know that the exploit requires -e to be used, and guess that echoing the binary contents of a file would also echo the special characters too. I'm also not familiar with all versions of echo written for every OS. The author is using the gnu echo, other versions may operate differently and allow the same escaped characters without the -e option.

    – Steve Sether
    8 hours ago






  • 1





    if you re-read the article, every example the author uses makes use of echo -e or printf ... the exploit simply will not work with out it ... echo -e states the following in its man pages enable interpretation of backslash escapes ... so pretty much the whole point of the article

    – CaffeineAddiction
    1 hour ago











  • @CaffeineAddiction: echo sans -e can still echo any arbitrary bytes (except NUL) just by having those bytes passed to it on the command line — say, because those bytes were in an attacker-controlled binary file read into a variable that was then echoed.

    – jwodder
    31 mins ago












  • 2





    +1 for the interesting info, however all examples in the above link make use of echo -e which OP is not using

    – CaffeineAddiction
    8 hours ago






  • 2





    @CaffeineAddiction I don't know that the exploit requires -e to be used, and guess that echoing the binary contents of a file would also echo the special characters too. I'm also not familiar with all versions of echo written for every OS. The author is using the gnu echo, other versions may operate differently and allow the same escaped characters without the -e option.

    – Steve Sether
    8 hours ago






  • 1





    if you re-read the article, every example the author uses makes use of echo -e or printf ... the exploit simply will not work with out it ... echo -e states the following in its man pages enable interpretation of backslash escapes ... so pretty much the whole point of the article

    – CaffeineAddiction
    1 hour ago











  • @CaffeineAddiction: echo sans -e can still echo any arbitrary bytes (except NUL) just by having those bytes passed to it on the command line — say, because those bytes were in an attacker-controlled binary file read into a variable that was then echoed.

    – jwodder
    31 mins ago







3







No, echo used in the example above is fine



Echo simply prints a string to the pipe stdout (default)



per: https://superuser.com/a/699500/527937




Pipes can't overflow. A pipe is just a buffer (a certain amount of
memory, most likely 64KB on a current system) between a producer and a
consumer. If the producer produces faster than the consumer consumes,
the producer is blocked (that means, the program will sleep) until the
consumer makes room in the buffer again by reading from it.




As a side note, if you have a large amount of data in 1x line ... cat can hang and/or consume an enormous amount of system memory.

















answered 9 hours ago









CaffeineAddiction













  • A DoS was the most likely too. I recall that I once displayed a binary file on my terminal, and when it finally finished, I got lots of command not found errors, which left me wondering if there was a way to abuse it.

    – MechMK1
    9 hours ago











  • these are most likely errors from echo and not bash, e.g. it encountered a backslash command that is not recognized as an option

    – CaffeineAddiction
    9 hours ago












  • I can't seem to find a way to exploit this either. Too bad, that would have been cool to exploit.

    – MechMK1
    9 hours ago











  • the cat portion could most likely be exploited ... e.g. echo '"ls' > attackerControlledFile.txt

    – CaffeineAddiction
    9 hours ago











  • Just outputs "ls for me.

    – MechMK1
    8 hours ago




























0







Does



echo "$(cat /etc/shadow)"


or



echo "$(mv test.txt test2.txt)"


satisfy your requirement?

















answered 8 hours ago









DarkMatter








  • 2





    An attacker can modify the contents in the text file. I thought about command expansion, but as far as I know, command expansion occurs before cat even reads the file. Hence this approach does not work. I edited my question to clarify this.

    – MechMK1
    8 hours ago












  • @MechMK1 I see. I'll explore some more then.

    – DarkMatter
    8 hours ago











  • Sorry if I did not specify my requirements enough at first. I hope things are clear now. Sorry for any wasted effort

    – MechMK1
    8 hours ago




























