Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!ncar!tank!uwvax!uwslh!jiml
From: jiml@uwslh.UUCP (James E. Leinweber)
Newsgroups: comp.unix.questions
Subject: Re: Help on control keys
Message-ID: <410@uwslh.UUCP>
Date: 2 Jan 89 17:07:25 GMT
Organization: U of Wisconsin-Madison, State Hygiene Lab
Lines: 33

In <9259@smoke.BRL.MIL> Doug Gwyn writes:
> A few terminals DO have a feature that can be exploited to
> accomplish host command execution indirectly, namely "programmable
> function keys" combined with "transmit the contents of designated
> function key".  That is a HORRIBLE security flaw and you should
> avoid buying such terminals ...

There are a few of us out here that buy such terminals because we use
them for "block mode" data entry, in which a screen full of
information layed out in protected and editable fields is modified
locally at the terminal and then transmitted as one big lump to the
host computer.  Don't try it using standard Unix character at at time
line disciplines (BSD & pre- V.3), though.  We manage to support over
30 users on a lowly Vax 11/750 this way.

Doug is quite right about the ease of exploiting such features for a
trojan horse attack.  I know of at least one instance at the
UW-Madison where such a terminal was used to forge some e-mail as part
of a security project demonstration.  Block mode terminals are more
common in mainframe, non-Unix environments (such as IBM's MVS) where
this sort of attack has been known for a long time (under names like
"the terminal loopback bug").  At least under 4.3 BSD, tty devices
aren't publicly writtable, so that the victim has to cooperate to be
attacked, rather than merely being logged in, which sufficed under
stock 4.2 systems.

Me, I always use "cat -v" :-) Beware of letter bombs on "intelligent"
terminals too; most existing mailers are quite naive about passing
escape sequences through.
-- 
Jim Leinweber		jiml@uwslh.uucp		jiml%uwslh.uucp@cs.wisc.edu
 ...!{rutgers, ucbvax ...}!uwvax!uwslh!jiml
State Laboratory of Hygiene @ Univ. of Wisconsin - Madison; (608) 262-0736