# Yes.

### New add 2020-01-25:

Since I switched from *`LATIN-1`* encoding to *`UTF-8`* as *default encoding* on most of my systems, I've found some interesting *features* around this ([there are now two lengths for one string][1])...

For example, as I like to *play with [tag:bash]*, I've asked [why bash localization won't work with multilines strings][2]. This bash feature
presents a bug, where the workaround consists of using `eval`. If this is not
a *security flaw*, this could become or produce one...

With every evolution of almost anything (languages, libraries, tools, protocols, applications, hardware, installers, consoles, etc...)
come new features, with potentially new bugs...

Fortunately, they are as few as they are quickly corrected (about *one day* after being revealed), but they exist!

So definitely yes, be careful!

### Correct use of `cat` command.

As you seem to be using a modern *[terminal emulator][3]*, some *escape sequences* could be used to modify the *[keyboard buffer][4]*.

There could be proper shell commands injected.

You could use the `-e` argument of `cat` for safe operation, see `man cat`.

> -e equivalent to -vE
>
> -E, --show-ends
> display $ at end of each line
>
> -v, --show-nonprinting
> use ^ and M- notation, except for LFD and TAB

Then

    cat -e suspectfile.raw
    cat -e suspectfile.raw | less

or under [tag:bash]:

    less < <(cat -e suspectfile.raw)

or even

    which less cat
    /usr/bin/less
    /bin/cat
    rawless() { /usr/bin/less < <(/bin/cat -e "$@");}

### Addendum

<s>In fact, it **was possible**, in the past... As this became an issue, these kinds of features were quickly *removed*,</s> but...

When you read `command not found`, this implies that something was effectively injected.

The main *injection* feature that was **not** removed is the sequence *identify yourself*, used in many VT-100 encapsulations.

This sequence is `Escape Z` which will *inject* the string `1;2c` into your keyboard buffer, which means `VT-100` (in AVO convention).

Speaking about `cat`, you could try:

    cat <<< $'\033Z'

and at the next prompt, you will see `1;2c` (or maybe other numbers, depending on the terminal used) as if **you** had typed them.

... and


    cat -e <<< $'\033Z'
    ^[Z$

Where `-e => -vE`: `-v` transforms *`\033`* into *`^[`* and `-E` puts a *`$`* sign at the end of the line (and nothing will be put on the next line; your *keyboard buffer* is not affected).

You may find a lot of funny things in the [VT100 User Guide][5] (like: `cat <<< $'\033#8'` ;)

(They were *modern terminals*! At some point in the past...)


### Trying using [tag:bash]

Here is a little bash command for flushing the keyboard buffer and getting its content:

    cat <<<$'\033Z';buf='';while read -t .1 -n 1 chr;do buf+="$chr";done;printf "\n>|%q|<\n" "$buf"

    ^[[?1;2c
    >|$'\E[?1;2c'|<

And a little function to test any string:

    trySeq() {
        printf -v out "$1"      # expand the backslash escapes of $1 into $out
        echo -n "$out"          # send the sequence to the terminal
        buf=""
        while read -t.001 -n1 char   # collect whatever the terminal answers
        do  buf+="$char"
        done
        [ "$buf" ] && printf "\r|%q|->|%q|<\e[K\n" "$out" "$buf"
    }


So I could try:

    for i in {0..255};do trySeq "\e[${i}n";done
    |$'\E[5n'|->|$'\E[0n'|<
    |$'\E[6n'|->|$'\E[21;1R'|<


### And now?

From there, unfortunately, there is no *standard*.

Every *virtual terminal* implementation could support full ANSI and/or full DEC standard...

But as there are some security issues, many don't...

You could observe some behaviour using one terminal that you wouldn't observe using another...

*xterm, linux console, gnome-terminal, konsole, fbterm, Terminal (Mac OS)...*
the [list of terminal emulators][6] is not so short!

And each of them has its own bugs and limitations compared to DEC and ANSI standards.

In practice, you may find some virtual console that could be more *featured* than others and where *keyboard injection* could break your security.

It's one of the reasons why I prefer to always use the same (old) `xterm` rather than other, more featured tools.


 [1]: https://stackoverflow.com/a/31009961/1765658
 [2]: https://stackoverflow.com/q/14027030/1765658
 [3]: http://en.wikipedia.org/wiki/Terminal_emulator
 [4]: http://en.wikipedia.org/wiki/Keyboard_buffer
 [5]: http://vt100.net/docs/vt100-ug/chapter3.html
 [6]: http://en.wikipedia.org/wiki/List_of_terminal_emulators
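
Added example, not part of the original answer: POSIX shell functions that check a suspect file for the reply-triggering sequences tried above (`ESC Z` and `ESC [ Ps n`) and display it only through `cat -v`. The function names and the sample file content are constructed for illustration; `grep -a` and `-o` are GNU/BSD extensions.

```shell
#!/bin/sh
# Added example (not from the original answer): look for terminal *query*
# sequences in a file before showing it, and only ever show it via `cat -v`.

ESC=$(printf '\033')

# Print "LINE:SEQ" (SEQ in ^[ notation) for each sequence in file $1 that makes
# the terminal answer into the keyboard buffer. Only the two kinds shown in
# the answer are covered: ESC Z (identify) and ESC [ Ps n (status report).
scan_queries() {
    { LC_ALL=C grep -a -n -o -e "${ESC}Z" -e "${ESC}\[[0-9;?]*n" -- "$1" || true; } |
        cat -v
}

# Number of such sequences in file $1.
count_queries() {
    scan_queries "$1" | wc -l | tr -d ' '
}

# Show file $1 with control bytes made visible; warn on stderr if it held queries.
view_suspect() {
    n=$(count_queries "$1")
    if [ "$n" -gt 0 ]; then
        echo "warning: $n terminal query sequence(s) in $1" >&2
    fi
    cat -v -- "$1"
}

# Constructed sample: harmless text, the sequences tried in the answer,
# and a colour sequence that must NOT be reported (it triggers no reply).
make_sample() {
    printf 'plain line\nid: \033Z here\nstatus \033[5n and \033[6n\ncolour \033[31mred\033[0m\n' > "$1"
}

sample=$(mktemp)
make_sample "$sample"
scan_queries "$sample"
view_suspect "$sample" >/dev/null
rm -f "$sample"
```

Other reply-triggering sequences exist and differ between terminals, so the pattern list is a starting point; the `cat -v` display is what keeps the terminal from interpreting anything.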