Yes.
As you seem to be using a modern terminal emulator, some escape sequences could be used to modify the keyboard buffer.
There could be proper shell commands injected.
You could use argument -e of cat for safe operation, see man cat.

    -e     equivalent to -vE
    -E, --show-ends
           display $ at end of each line
    -v, --show-nonprinting
           use ^ and M- notation, except for LFD and TAB

Addendum
In fact, it was possible, but in a very distant past... As this became an issue, these kinds of features were quickly removed, but...
When you read command not found, this implies that something was effectively injected.
The main injection feature that was not removed is the sequence identify yourself, used in many VT-100 encapsulations.
This sequence is Escape Z which will inject the string 1;2c into your keyboard buffer, which means VT-100 (in AVO convention).
Speaking about cat, you could try:

    cat <<< $'\033Z'

and on the next prompt line, you will see 1;2c (or maybe other numbers, depending on the terminal used) as if you had typed them.
... and

    cat -e <<< $'\033Z'
    ^[Z$

Where -e => -vE, -v transforms \033 into ^[ and -E puts a $ sign at the end of the line (and nothing will be put on the next line; your keyboard buffer is not affected).
You may find a lot of funny things in the VT100 User Guide (like: cat <<< $'\033#8' ;)
(They were modern terminals! In some past...)
Trying using bash
There is a little bash command for flushing the keyboard buffer and getting its content:

    cat <<<$'\033Z';buf='';while read -t .1 -n 1 chr;do buf+="$chr";done;printf "\n>|%q|<\n" "$buf"
    ^[[?1;2c
    >|$'\E[?1;2c'|<

And a little function to test any chain:

    trySeq() {
        # Expand backslash escapes in the argument and send it to the terminal
        printf -v out "$1"
        echo -n "$out"
        # Collect whatever the terminal wrote back into the keyboard buffer
        buf=""
        while read -t.001 -n1 char
          do buf+="$char"
        done
        # Print the sequence and its answer only if there was an answer
        [ "$buf" ] && printf "\r|%q|->|%q|<\e[K\n" "$out" "$buf"
    }

So I could try:

    for i in {0..255};do trySeq "\e[${i}n";done
    |$'\E[5n'|->|$'\E[0n'|<
    |$'\E[6n'|->|$'\E[21;1R'|<

And now?
From there, unfortunately, there is no standard.
Every virtual terminal implementation could support full ANSI and/or full DEC standard...
But as there are some security issues, many don't...
You could observe some behaviour using one terminal that you wouldn't observe using another...
xterm, linux console, gnome-terminal, konsole, fbterm, Terminal (Mac OS)... the list of terminal emulators is not so short!
And each of them has its own bugs and limitations compared to DEC and ANSI standards.
In practice, you may find some virtual consoles that are more featured than others and where keyboard injection could break your security.
It's one of the reasons why I prefer to always use the same (old) xterm rather than other more featured tools.
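
As an added example (not part of the original answer), this checks a file for the reply-triggering sequences shown above before it is displayed raw, and prints the matching lines in `cat -v` notation. The function names and the sample data are assumptions made for illustration; the pattern covers only `ESC Z`, `ESC [ ... c` and `ESC [ ... n`, so `cat -v` stays the general safeguard.

```shell
#!/bin/sh
# Added example: find bytes that make a terminal answer back into the
# keyboard buffer, limited to the sequences discussed in the answer above.

ESC=$(printf '\033')
#   ESC Z        identify yourself
#   ESC [ Ps c   device attributes request
#   ESC [ Ps n   device status report (5n status, 6n cursor position)
REPLY_RE="${ESC}(Z|\\[[0-9;?>]*[cn])"

# count_reply_triggers FILE: print the number of lines holding a trigger.
count_reply_triggers() {
    # -a treats the file as text; grep -c exits 1 on zero matches, so mask it
    LC_ALL=C grep -a -c -E -- "$REPLY_RE" "$1" || true
}

# show_reply_triggers FILE: print "lineno:line" for each hit, with control
# bytes rendered in caret notation so nothing reaches the terminal raw.
show_reply_triggers() {
    LC_ALL=C grep -a -n -E -- "$REPLY_RE" "$1" | cat -v
}

# Constructed sample: a plain line, an ESC Z, two status requests and a
# colour-only line (colour changes do not make the terminal reply).
sample=$(mktemp)
printf 'plain text\nid \033Z here\nstatus \033[5n and \033[6n\ncolour \033[31mred\033[0m\n' > "$sample"
echo "lines with reply triggers: $(count_reply_triggers "$sample")"
show_reply_triggers "$sample"
rm -f "$sample"
```
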