
CVE-2017-16544: A Busybox autocompletion vulnerability - zelivans
https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
======
flipp3r
I find these type of vulnerabilities very interesting.

I've also seen a sysop once using curl or wget in such a way that it would
print out the response, while checking for an image file; it outputted all
kinds of special characters. Then, after some magic character was printed,
their terminal would start interpreting the rest of the output as commands.
The commands were gibberish, nothing happened, but very dangerous nonetheless.

~~~
TheDong
> Then, after some magic character was printed, their terminal would start
> interpreting the rest of the output as commands. The commands were
> gibberish, nothing happened, but very dangerous nonetheless.

By commands, you probably mean "escape sequences", which are not the same as
running executables and aren't very dangerous.

If a terminal actually executed commands based on data printed to stdout, that
would be a very significant vulnerability. It seems far more likely that the
gibberish you're talking about is the usual mess of escape sequences.

~~~
wolfgang42
_> "escape sequences", which are not the same as running executables and isn't
very dangerous._

Unless your terminal has support for something like setting the answerback
string, in which case the escape sequence could set it and then send an ENQ
immediately before ending, causing the answerback to be typed into a shell
prompt and executed. (Escape sequences aren't always as innocent as you might
expect.) I don't know if any modern terminal emulators support this, but I
believe it's been a vector in the past.

Edit: The article mentions some alternative vectors, specifically the screen
dumping escape sequence (potentially allowing overwriting arbitrary files) and
window title reporting (which behaves similarly to the answerback exploit I
mention above), and links to [1] which gives more details on such exploits.

[1]: https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/#exploitation

------
zaarn
This is quite ungood considering how many devices (read: routers, IoT) have
busybox (or some zombie-like corpse of it) installed on them.

~~~
zelivans
Hi, I'm the author of the article. To stress your point, there really are so
many embedded devices using Busybox, and most of them were never designed to
be updated (or nobody cares enough to update them).

Also I never got to fuzzing networking applets (wget is the most obvious) but
this is definitely something I plan to look into, if no one did that before,
there are definitely vulnerabilities there too.

~~~
ericfrederich
When you ssh to your device are you not running Busybox shell on the device? I
don't understand why this is less of a problem?

~~~
zelivans
Yes absolutely. Whew. Updated my comment accordingly, thanks.

