DEF CON 31 - Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare - STÖK
Вставка
- Опубліковано 27 вер 2024
- Logs are a vital component for maintaining application reliability, performance, and security. They serve as a source of information for developers, security teams, and other stakeholders to understand what has happened or gone wrong within an application. However, logs can also be used to compromise the security of an application by injecting malicious content.
In this presentation, we will explore how ANSI escape sequences can be used to inject, vandalize, and even weaponize log files of modern applications. We will revisit old terminal injection research and log tampering techniques from the 80-90s. Combine them with new features, to create chaos and mischief in the modern cloud cli’s, mobile, and feature-rich DevOps terminal emulators of today.
We will then provide solutions on how to avoid passing on malicious escape sequences into our log files. By doing so, we can ensure that we can trust the data inside our logs, making it safe for operators to use shells to audit files. Enabling responders to quickly and accurately investigate incidents without wasting time cleaning, or having to gather additional data, while reconstructing events.
Welcome to this "not so black and white," but rather quite colorful ANSI adventure, and learn how to cause, or prevent a forensic nightmare.
He's an amazing presenter .. and a gem for the community.. great job Stök ❤
I can’t even start to express how much this comment means to me, it haven’t been a easy path, that’s a fact, so thank you for noticing all the hard work and the love I have for our community.
@STOKfredrik you actually inspired me to move into cyber security ..I always had a love for it but saw it as a hobby .. but your video about hacking a hardened target (I think some sort of http smuggling I can't remember exactly ) really rustled my jimmies and convinced me to push on even though it's difficult. I hope that one day I can buy you a beer 🍺 and say thanks
Stönks
@@STOKfredrik14:50 "so even though I was like Fuk Yeah! ..confirmed!"
You're a legend, sir!
I've never been so nervous to go look at logs.....
Mission accomplished, see it as security awareness training :)
This is hands down one of the best talks I've ever heard. Good job Stök!
Thanks, happy you liked it!
@@STOKfredrik omg you replied, yay!!
This is something I highlighted in a comment thread at ISC some years back, I think Johannes wrote a follow-up post about it.
Back in the day, ins MS-DOS, you could print an ANSI sequence that would actually redefine what the keys did. So if you pressed space, you'd get "del c:\dos\*" for example ..
That is sometimes called "ANSI Bombs", I mentioned it in my talk: ua-cam.com/video/Y4A7KMQEmfo/v-deo.html
I remembered that. It was one of those “coolest thing ever that nobody around you can understand the coolness of” moments, when I discovered that as a teenager playing with the really obscure parts of DOS.
nice talk :D Remember that the middle of a dark LAN party with few 100 people playing CS 1.5 or was it CS 1.6 when you sent "net send" you could target all machines locally. Maan those nerds got a suntan when all machines in sync switched focus from their game and was forced into Windows! displaying the net send command :D
Super fun talk. Very slick!
Back i the day you could encode vbScripts (probably because you had secrets in there). Someone made a vbScript decoder. I used to stuff my vbScritps with commented out ASCII DEL characters. After decryption you get an empty file. jättekul!!
Hilarious! Mischief 101
Fun and interesting talk. I discovered an angle on this many years ago on IRC. UTF-8 sequences can contain certain valid control codes in the 2nd byte and onwards, allowing you to "smuggle" them past sanitization when configuration of things doesn't line up. For example, some users' IRC clients would receive and interpret the byte sequences as UTF-8 but their terminal would honor the control codes. \x9B from the C1 control codes worked as a CSI when I played with it, and can be the second byte of a valid UTF-8 character.
Thanks for the amazing shout-out for dgl -- we think he's amazing, too :D
He is! If it wasn’t for dgl my research wouldn’t have evolved into what it is today.
Very glad this was put on youtube! I've been telling people about this talk since I walked out of it, and now I can send people the video
i teared up laughing at the billion peace signs part. you’re the man! keep pushing, love from Canada
nice talk.. i dont knowe so much about ANSI security but did get a lot wiser. thank you very much 4 all time you put in. so easy when you explain it.
This was such an entertaining presentation. Had a good time watching it. Very well done.
Thanks! Happy you liked it!
Jesus Christ Stok you guys have changed the game entirely, way to go!
Good times, but I’m standing on the shoulders of giants, just viewing it in another perspective with a malicious mindset.
Well done. This talk could use a followup with more nuts-and-bolts detail. I got heavily into all this over twenty years ago because of the explosion of abuse/attacks taking place back then, with a lot of it including or relying upon ANSI escape codes in multiple formats. It wasn't just terminals getting owned and logs getting edited, overwritten, and otherwise abused - it was full-spectrum abuse in browsers, apps, whatever. The issues with ANSI/Unicode abuse are not at all limited to escape sequences. It gets, of course, much worse. But the escape sequences in terminals (or relying on terminals) can do an enormous amount and there is readily available documentation on the general proper usage of these codes. And there are also documented accounts of past abuses, as this video discusses. So this subject captures a core set of built-in abuse vectors that to back to the dawn of computing. This core gets to the core of a big part of why computer networks remain fundamentally indefensible: American-institution stewardship of of computing standards, where those institutions trace back to secrecy-obsessed, transparency-averse, Cold-War agencies tasked with what we euphemistically call intelligence and defense.
That last bit (which I include just to emphasize the importance of the topic, taken in general terms) gets too far ahead, however, of what I have in mind. What people could use now, it seems - smart or otherwise - would be a detail-focused companion presentation to this brilliant, decades-spanning introduction by Stök.
7:21 fun fact, there is an xterm OSC escape sequence reserved for emacs shell
This guy is super compelling! Really fun presentation
Thanks, happy you liked it !
We all need more attitudes like Stök on our teams.
❤✌️
Loved this! Stök always impresses!
Great talk!
This guy and his videos got me into infosec. So glad to see my boy at DefCon!
nice to see stok presenting in defcon 🔥
i was in a AIX troubleshooting class in ~2005 and the trainer warned us about ever, every opening log files for network services without cleansing them first (and not as root, duh). i try to still stick by that, and any security issue in strings/file or ox or regex libs triggers horrible paranoia. regex especially with mod_security being a massive regex target.
11:00 "Is this even a security issue?"
This is the long, long shadow of Master Mode and "Old = New(new)" is absolutely spot on, in this case. History repeats not because people don't know history but because they do.
Yes and No. This is just another view of failing to follow best practices. Too many things will use user input without validation or sanity. For example, whatever you type in at the login prompt will blindly be logged by "login" -- "Unknown user: [unsanitized user input]" If you ever allow that log message to be sent to any terminal without any filtering, you have a _potential_ problem. It's been the same _potential_ problem since escape sequences were invented. We've only made them *worse* over the years.
@@jfbeam any programmer who fails to filter any data field in their software isn't competent to work in the industry.
@@Mercurio-Morat-Goes-Bughunting I can't disagree. Most programmers *shouldn't be.*
Great presentation, you are a fun crazy man!
Kind regards.
Mrs. Ragone
That's pure gold
Hay stock I know u are going through a lot mantlly
I really hope u ll get well soon
And u come back soon
May the karma be with u
The best professor
The smartest Dudeson
Woke me up... 😂. Excellent presentation and wired dude. 👍👍
Thanks for the talk, very passionate :)
You are welcome!
This guy had me in the first 60 seconds
Wow, he got video and audio to work live first try!
Thor After Love and Thunder. 🔥
Amazing talk!!
Thanks, happy you liked it
This dude is awesome.
Thanks
Wow, I didn't know Macaulay Culkin was big into ANSI escape sequences!
Hey, it's 98 again.
I remember my takeaway from back then was to use less instead of more
ansi escape codes turing complete? :)
Don’t fully understand, but it’s a very interesting area and things definitely are happing in this space,
His accent makes it impossible.
I'll read the transcript, Thor.
the G.O.A.T
8:00 Since editors nowadays (and their syntax highlighting) don't really like brackets that aren't closed, I tend to use "\033\133" instead of "\e[".
I majorly use ANSI mode when editing images in Notepad++ it just makes it more visually enjoyable to work with. Opening up jpg, png or avif code can look pretty crazy in utf-8 xthis xthat...lol😂
I had a friend back in the early to mid 1990's tell another friend of mine he put an ansi bomb into a video memory of a BBS me and him had a good laugh but my other friend ended up called the bbs provider and tell them that he had done this and they ended up shutting down the POP dial IN number for a week
4:45 this is gonna be good. what about all that alexa stuff with this. sounds dangerous edit:sp
6:52 did that apostrophe get injected there via a rogue ANSI escape sequence?
All your log are belong to us
Indeed
Too much bells and whistles
Ding!
Couple years back I tried to reach out to bro to collab on some bounties and he jus ignored me lol
I'm disappointed how the audience was silent when he said you could print stuff
.. hahaha the audience must not be programmers 🤣🤣🤣
STÖK i decrypt your msg at 2:20 on that alaram clock
😂💪
This pseudohuman thing is a great demonstration of why drugs are bad for you.
If in doubt, add moar..
This is probably one of the best presentation, if not the best, I ever saw, for any content, ever
Mind blown, thanks, seriously thanks!
this was truly amazing talk! love stoks work for many years now but he always has a fantastic way of conveying his knowledge so detailed but in a digestible way! thanks you!
Wow that’s amazing to hear, mission accomplished, means a lot 🙏
Balls. I even use this in my bashrc
# Function to set the title of the window
function retitle(){
echo -ne "\033]2;$1\007"
}
# Export to allow scripts to retitle the window they're run in.
export -f retitle
Haha rip ❤️🪦
Such an entertaining talk, with great implications.
Great job!
Thanks 🙏
what a freakin' incredible presentation ~ the timing so poignant and comedic, while never undermining the seriousness of the situation. i'd work with this guy
Yet another example of devs who are forced to be clever to keep a job doing stupid and unnecessary things that make no sense and are insecure.
my immediate thought after hearing about changing colours and needing to end the colour change with another escape sequence was that you could make all text the same colour as the terminal background. or maybe just some of the text
Great talk! Keep up the good work!
really great stuff man! i love the ideas building on ideas with comedy, awesome!
It’s a fine balance and a graceful dance to mix deep tech with comedy to entertain the neurodiverse mind.
25 years ago a friend of mine and me implemented a BBS/Chat-Server in plain Java (Java1.2 on linux it was) to replace an existing old c implementation variant which was not maintainable anymore as uni-project.
it never got live as the admins of the existing missed features and we did want to code further (after one and a half year extensive daily coding)without going live. we got our uni credits and we learned so much during that time
we played a lot with ESC sequences, cursors tabs backspace/delete full color mode and stuff, all stuff which was not possible or mediocre in the c implementation. we did a serverside ncurses like gui builder and and and.
and we made it optional to write colored logs Critical in bold red, Medium in yellow and status messages were green with esc sequences
all full bells and whistles...
at that time until your talk i saw yesterday, i never thought of abusing them for any evil stuff... man we were so naiv and good meaning :D
thx for the great talk and bringing back a lot of great memories
Only just got chance to watch this now. Great work Stök , and it was great to hear you talking again. I know it was a 40 minute talk, but I can't imagine the amount of hard work and time that went into that 🤘
Is this the guy behind all the stickers I used to see with that moniker? If so that’s super cool…
is polyglot from 25:22 public somewhere to download?
Yoo Stök!!
Youre amazing, one of the best !
What a legend. Wish I had a brain that worked like this. Also what a killer presentation!
Playing Discworld
Thats cooooolll!!!!
If you put it at .75 playback speed its a lot better
what is a real content?
nice ! best energy ever
Great talk!
This talk makes me scared of using cat! Every once in a while i open a binary log/file with cat accidentally and the terminal rightfully barfs at me for doing it. But i never imagined rouge escape sequences could actually cause that much damage when abused by an attacker! yikes!
Never heard of him, but he is quite a fun presenter. And I will never work with log files the same way again. I knew about these back in the day, and also what you could do with them on terminals because I use a lot of ncurses stuff,, but I never really thought of the impact they could have through injection.
Woohoo!!!! STOK great talk man!
amazing wow 👏👏👏👏
❤🙏✌️
You know what I hate?
When I ask for logs and get EDITED logs, because people think they can read logs themselves... they can not.
strings badlog.txt
[31mESC-INJECTION:
[32mSUCCESSFUL
How dare you mock us MUD players!
Talk doesn't start till ~6:45. Be warned, obscene amount of memes, GIFs, and such.
Also, what's old is new again. I guess showiness, having a brand and tons of followers is what gets you the ability to present talks.
Well yes and no, you still have to pass a peer review and provide either new research or as in this case, a fresh look at something old. having a personal brand and showmanship definitely helps, adding comedy and a fast paced visual flow keeps the audience attention. And yes you are right, my presentation style isn’t for everyone, and that’s ok, But thanks for taking your time to comment and leave feedback, appreciate it.
@@STOKfredrik I think the only thing I'd add in the future would be a bit more history on the on the ANSI escape sequences. I think that would be helpful for newer generations to understand some of that. The context you added about what each terminal prefers is fantastic, I feel like in general that's glossed over/obscure.
Also, your timing is fantastic considering the quantity of slides you presented. :)
Snyggt jobbat
Soo cool