Help on control keys

James E. Leinweber jiml at uwslh.UUCP
Tue Jan 3 03:07:25 AEST 1989


In <9259 at smoke.BRL.MIL> Doug Gwyn writes:
> A few terminals DO have a feature that can be exploited to
> accomplish host command execution indirectly, namely "programmable
> function keys" combined with "transmit the contents of designated
> function key".  That is a HORRIBLE security flaw and you should
> avoid buying such terminals ...

There are a few of us out here that buy such terminals because we use
them for "block mode" data entry, in which a screen full of
information laid out in protected and editable fields is modified
locally at the terminal and then transmitted as one big lump to the
host computer.  Don't try it using standard Unix character at a time
line disciplines (BSD & pre- V.3), though.  We manage to support over
30 users on a lowly Vax 11/750 this way.

Doug is quite right about the ease of exploiting such features for a
trojan horse attack.  I know of at least one instance at the
UW-Madison where such a terminal was used to forge some e-mail as part
of a security project demonstration.  Block mode terminals are more
common in mainframe, non-Unix environments (such as IBM's MVS) where
this sort of attack has been known for a long time (under names like
"the terminal loopback bug").  At least under 4.3 BSD, tty devices
aren't publicly writable, so that the victim has to cooperate to be
attacked, rather than merely being logged in, which sufficed under
stock 4.2 systems.

Me, I always use "cat -v" :-) Beware of letter bombs on "intelligent"
terminals too; most existing mailers are quite naive about passing
escape sequences through.
-- 
Jim Leinweber		jiml at uwslh.uucp		jiml%uwslh.uucp at cs.wisc.edu
 ...!{rutgers, ucbvax ...}!uwvax!uwslh!jiml
State Laboratory of Hygiene @ Univ. of Wisconsin - Madison; (608) 262-0736
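
The `cat -v` habit mentioned in the post, written out as a display filter a mailer could apply before a message body reaches the terminal. This is an added example, not part of the original post; the function names and the sample message are constructed for illustration.

```python
# Added example: cat -v style rendering of untrusted text before display.
# SAMPLE is constructed; its ESC sequence is a harmless ANSI "clear screen".

def visible(data: bytes, keep: bytes = b"\n\t") -> str:
    """Render bytes as `cat -v` does: only printable ASCII, newline and
    tab pass through unchanged; everything else becomes visible text."""
    out = []
    for b in data:
        if b in keep:
            out.append(chr(b))
            continue
        prefix = ""
        if b >= 0x80:              # high bit set: M- notation, then the low 7 bits
            prefix, b = "M-", b & 0x7F
        if b < 0x20:               # C0 control: ^@ .. ^_ (ESC becomes ^[)
            out.append(prefix + "^" + chr(b + 0x40))
        elif b == 0x7F:            # DEL
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


def suspicious_lines(data: bytes):
    """Return (line_number, rendered_line) for every line that carries a
    control byte other than tab, so a mailer can warn about it."""
    def is_control(b: int) -> bool:
        # C0 controls except tab, DEL, and the 8-bit C1 range (0x9b is CSI)
        return (b < 0x20 and b != 0x09) or b == 0x7F or 0x80 <= b < 0xA0

    hits = []
    for n, line in enumerate(data.split(b"\n"), start=1):
        if any(is_control(b) for b in line):
            hits.append((n, visible(line)))
    return hits


# Constructed message body (not from the original post).
SAMPLE = b"Subject: hello\n\nlunch at noon?\x1b[2J\nsee you\x9b there\n"

if __name__ == "__main__":
    print(visible(SAMPLE), end="")
    for n, line in suspicious_lines(SAMPLE):
        print(f"warning: control bytes on line {n}: {line}")
```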


