From: Steve Grubb
Subject: Re: audit 2.4.4 released
Date: Fri, 14 Aug 2015 13:04:17 -0400
Message-ID: <11162124.eJVPhOCAb9@x2>
References: <1485640.eHOhO3r53z@x2> <55CE17C0.9000307@magitekltd.com>
In-Reply-To: <55CE17C0.9000307@magitekltd.com>
Sender: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, August 14, 2015 09:30:56 AM LC Bruzenak wrote:
> On 08/13/2015 02:30 PM, Steve Grubb wrote:
> > ...
> >
> > If you ausearch -i on that file, your screen will get underlines with all
> > the text. An attacker could change this to be worse than just underlining
> > your text. They could try to write to the window title and then bounce
> > that back in black on black text to the command prompt hoping the admin
> > will press enter.
>
> Wow; that's something unexpected. Thanks for this extra info Steve; I
> may need to backport to my version.
> Are these changes isolated to the ausearch/aureport code sets or inside
> libs?

Well, that's where it gets complicated. Ausearch was converted to use auparse
for interpretations a while back. So, I had to patch the whole mess. Any
utility that uses auparse can also unwittingly pass along terminal escape
sequences through the interpret function.

So, what I did in auparse is to create a new function:
auparse_set_escape_mode. It takes one argument which can be any of:

AUPARSE_ESC_RAW - do nothing. Just passes control characters and all.
AUPARSE_ESC_TTY - escape control characters by turning them to octal. This is
the same thing syslog does. This is the default.
AUPARSE_ESC_SHELL - escape control characters and any of these "'`$\ by
prepending a \ to the character
AUPARSE_ESC_SHELL_QUOTE - escape control characters and any of these
;'"`#$&*? []<>{}\ by prepending a \ to the character.

Once this is set, every output from auparse is escaped. This will allow
ausearch/report to shell escape output in a future release.

Additionally, it was found you could inject control characters by the
auditctl command. It now prevents that.

So, the patch is rather large and ugly:
https://fedorahosted.org/audit/changeset/1122

You have to be on a susceptible terminal emulator to have any real problems.
It's for this reason the Security Response Team rates this as low. But in
terms of audit, you don't want a file path to suddenly change to black on
black text so that you can't see the full path.

-Steve
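The escape modes Steve lists above, re-implemented as a stand-alone example (added here, not auparse's own code) so the effect on a log-supplied path containing a terminal escape can be seen directly. It assumes an escaped control byte is written as a backslash plus three octal digits in every non-raw mode, and that the space between "?" and "[" in the SHELL_QUOTE list is itself one of the escaped characters; both are readings of the mail, not verified auparse behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for auparse's escape modes (not the audit code). */
enum escape_mode { ESC_RAW, ESC_TTY, ESC_SHELL, ESC_SHELL_QUOTE };

/* Characters given a backslash prefix in the two shell modes (from the mail). */
static const char shell_chars[]       = "\"'`$\\";
static const char shell_quote_chars[] = ";'\"`#$&*? []<>{}\\";

/* Return a newly allocated escaped copy of 'in'; the caller frees it.
 * Control bytes (0x00-0x1f, 0x7f) become \ooo in any mode but RAW, so a
 * stored ESC sequence can no longer drive the terminal it is printed on. */
char *escape_audit_field(const char *in, enum escape_mode mode)
{
    size_t len = strlen(in);
    char *out = malloc(len * 4 + 1);   /* worst case: every byte -> "\ooo" */
    if (!out)
        return NULL;
    const char *special = mode == ESC_SHELL       ? shell_chars :
                          mode == ESC_SHELL_QUOTE ? shell_quote_chars : "";
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (mode != ESC_RAW && (*s < 0x20 || *s == 0x7f)) {
            p += sprintf(p, "\\%03o", *s);          /* e.g. ESC -> \033 */
        } else if (*s < 0x80 && strchr(special, *s)) {
            *p++ = '\\';                             /* shell metachar */
            *p++ = (char)*s;
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a path carrying an SGR "black on black" sequence. */
    const char *path = "/tmp/\033[30;40mhidden";
    const char *names[] = { "RAW", "TTY", "SHELL", "SHELL_QUOTE" };
    for (int m = ESC_RAW; m <= ESC_SHELL_QUOTE; m++) {
        char *e = escape_audit_field(path, (enum escape_mode)m);
        printf("%-12s %s\n", names[m], e);   /* RAW line would still colour a tty */
        free(e);
    }
    return 0;
}
```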