Friday, April 27 • 11:15 - 12:00
The Story of Escape Sequence Vulnerabilities

Escape sequences (or control sequences) are sets of characters that change the behavior of the terminal and allow interacting with it. Basic escape sequences are frequently used for formatting output, e.g. for changing text color. Some sequences served purposes in physical terminals but remained in use with modern terminal emulators.

Historically, there were many dangerous and easy ways to exploit popular terminals by abusing escape sequences. Some of these techniques relied on sequences that are now obsolete. Weaknesses relating to escape sequences are still being found to this day in modern terminals.

In my talk I will explore related vulnerabilities, both past and recent. I will examine vulnerabilities where terminal programs failed to sanitize bad content, and give examples of how they may have been exploited.

I plan to discuss my own research in finding such vulnerabilities, including the details of my work on BusyBox that led to CVE-2017-16544. Finally, I'll give a short demonstration of how attackers can hide malicious code from developers using git, with only a simple escape sequence.
--
Busybox research details:
https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2017-16544

Hiding content from git:
https://www.twistlock.com/2017/12/13/hiding-content-git-escape-sequence-twistlock-labs-experiment/

Speakers
Ariel Zelivansky

Security Research Team Lead, Twistlock
Ariel Zelivansky leads the security research team at Twistlock, where his team deals with hacking and securing anything related to containers, serverless and cloud native infrastructure. Ariel is responsible for the disclosure of many security issues in cloud components such as Alpine...


Friday April 27, 2018 11:15 - 12:00
Track 2 - Room A1