From: Paul Robinson <PAUL@TDR.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----
Based on Information and Belief, on Tue, 19 Jul 1994 18:06:45 -0500 (CDT)
Rob Quinn <rjq@phys.ksu.edu>, was alleged to have belched out the following:

> talkd and walld both pass binary data (on Sun's at least). Here's some
> source code I got from a friend. I informed Sun about the wall problem
> several months ago. This source just sends a string to mess up your
> fonts and such, but I've heard that some terminals have escape
> sequences that will buffer strings and re-issue them as if the user
> had typed them (I know there's an expression or term for that, but I
> can't think of it). I searched for this sequence for xterm, but didn't
> find one. I didn't look at any other terminal types.

The term is 'keyboard redefinition'.

> The date of this mail/source was June 9, so it's been out a while.

Not to disparage your comments - because stuff like this should be
reported if it could be dangerous - but on the 80x86 class MS-DOS based
computer field, this is a known problem.

The ANSI.SYS driver (ANSI.SYS is the terminal control feature which is
essentially DEC's VT100 terminal control routines) that comes with MS DOS
or PC DOS, allows someone to redefine the codes generated by keys. And
because the codes are generally created by an escape sequence - usually
escape followed by [ - whenever a message is sent to the terminal starting
with that escape sequence, the ANSI.SYS driver does not directly display
that data stream, but instead acts upon it, whether it be to move the
cursor to a certain position or erase all or part of the screen, or, as
can be done, remap the keyboard to generate certain functions such as
programming the 'ENTER' key to generate the sequence
'FORMAT C:<CR>Y<CR>' or 'ERASE \*.*<CR>Y<CR>'. (Now, Format requires you
specify the volume id of the hard drive in order to reformat, so this
isn't as dangerous, but the other could be bad.)

I'm not trying to hide what the command sequence is, I just don't
remember. The following is an example, it will NOT reprogram the
keyboard, it is simply to explain that it's not that hard to do;
something on the order of

    ESC [H0;6413"ERASE C:\*.*"13"Y"13;

Where "0;64" is the internal key code for the F1 key. This would cause
the F1 key, when pushed, to generate this sequence:

    <CR>ERASE C:\*.*<CR>Y<CR>

which would erase all files in the root directory that don't have erase
protection. Fortunately, MSDOS' ERASE command DOES NOT have the
equivalent of UNIX's very dangerous 'rm -rf /'.

Many Unix utilities - such as the PINE mailer, which I am using now, and
the NCFTP ftp program also generate ANSI control sequences in order to
generate a formatted screen image.

This was recognized as a problem because people can place comments in a
ZIP archive file that is displayed when the archive is viewed or
unpacked. As a result, this can cause all sorts of nasty problems. To
compensate for this, new versions of PKUNZIP default to not generating
ANSI codes unless enabled, and at least one release of a replacement
ANSI.SYS driver (note: NOT FROM MICROSOFT OR IBM) that does not provide
keyboard remapping is available.

The point being that the PC world has been aware of this problem for
about three years now. Software which is out there should reject keyboard
redefinition commands because of the danger except under authorized
conditions including a "password trigger".

---
Paul Robinson - Paul@TDR.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy@psg.com>
-----
The following Automatic Fortune Cookie was selected only for this message:

"In defeat, unbeatable; in victory, unbearable."
-- Winston Churchill, of Montgomery
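
Added example, not part of the original message and not code from PKUNZIP or any ANSI.SYS driver: a Python sketch of the "off unless enabled" policy described above, applied to a ZIP archive comment before it is shown on a terminal. The function names (sanitize_for_terminal, safe_zip_comment, make_sample_zip), the code page 437 decoding and the sample comment are assumptions made for illustration.

```python
import io
import re
import zipfile

# ECMA-48 control sequence: CSI (ESC [ or 8-bit 0x9B), parameter bytes
# 0x30-0x3F, intermediate bytes 0x20-0x2F, one final byte 0x40-0x7E.
# Second branch: any other control character except TAB, LF and CR.
TOKEN_RE = re.compile(
    r"(?P<csi>(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~])"
    r"|(?P<ctrl>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f])"
)
SGR_RE = re.compile(r"\x1b\[[0-9;]*m")  # colour/attribute changes only


def sanitize_for_terminal(text, allow_color=False):
    """Return (safe_text, removed). Nothing passes unless allowlisted."""
    removed = []

    def repl(match):
        seq = match.group(0)
        if allow_color and SGR_RE.fullmatch(seq):
            return seq                      # explicitly enabled by the caller
        removed.append(seq)
        # Drop whole sequences; make stray control bytes visible instead.
        return "" if match.group("csi") else "?"

    return TOKEN_RE.sub(repl, text), removed


def safe_zip_comment(zip_bytes, allow_color=False):
    """Read an archive comment and sanitize it before it reaches the screen."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        raw = zf.comment                    # bytes chosen by the archive's author
    # Assumption: the comment uses the legacy ZIP code page 437.
    return sanitize_for_terminal(raw.decode("cp437"), allow_color)


def make_sample_zip():
    """Constructed sample: colour codes, the message's example, a cut-off CSI."""
    comment = (b"\x1b[1;31mREAD ME\x1b[0m\r\n"
               b'\x1b[H0;6413"ERASE C:\\*.*"13"Y"13;' b"\x1b[12")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.comment = comment
    return buf.getvalue()


if __name__ == "__main__":
    print(safe_zip_comment(make_sample_zip()))
```

The removed list is returned so a caller can log or flag archives whose comments carried control sequences.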