alpine / aports / Issues / #13661
Closed
Issue created Apr 02, 2022 by Martin Kaesberger (@mkaesberger, Contributor)

netstat is vulnerable to escape sequence injection (busybox)

Hey there,

Alpine ships BusyBox with the netstat applet enabled. This is vulnerable to escape sequence injection when used from a VT-compatible terminal. To exploit this vulnerability, the PTR for a remote host must contain an escape sequence and the victim has to execute netstat. I've set up an example at [elided] with the PTR resolving to \027[33\;46mlocalhost.

$ dig -x [elided] @8.8.8.8

; <<>> DiG 9.16.25 <<>> -x [elided] @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;[elided]. IN PTR

;; ANSWER SECTION:
[elided]. 1 IN PTR \027[33\;46mlocalhost.

;; Query time: 55 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 03 00:11:16 DST 2022
;; MSG SIZE  rcvd: 132

If you try to ssh [elided] and run netstat -t while trying to establish the connection from a different terminal, the second terminal will change the background and font color. Other escape sequences may lead to code execution.

Edited Apr 03, 2022 by Ariadne Conill
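
The mitigation side of this report, as an added example that is not part of the original issue and not BusyBox's actual patch: rewrite every non-printable byte of a resolver-supplied name before it is written to the terminal. The function name `sanitize_name` and the `\xNN` output form are assumptions made for illustration; the sample input is constructed from the PTR value quoted above, where dig's `\027` is the decimal escape for the ESC byte.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy a resolver-supplied name into out, rewriting every byte that is not
 * printable ASCII (0x21..0x7e), plus the backslash itself, as \xNN.
 * ESC (0x1b) therefore never reaches the terminal, and the escaped form
 * stays unambiguous. Space is rewritten too: it is not valid in a host
 * name and would break netstat's column layout.
 * Returns the number of bytes rewritten, or -1 if out is too small. */
int sanitize_name(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    int rewritten = 0;

    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c > 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= outlen)        /* keep room for the NUL */
                return -1;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outlen)        /* 4 bytes plus the NUL */
                return -1;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            rewritten++;
        }
    }
    out[o] = '\0';
    return rewritten;
}

int main(void)
{
    /* Constructed sample: the PTR value from the report, ESC written as \033 */
    const char *ptr = "\033[33;46mlocalhost";
    char safe[256];

    if (sanitize_name(ptr, safe, sizeof safe) < 0)
        return 1;
    puts(safe);   /* the sequence is shown as text instead of being interpreted */
    return 0;
}
```

A non-zero return value is also a cheap signal worth logging, since a legitimate reverse-DNS name should not contain control bytes.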