
Conference noted::hackers_v1

Title:-={ H A C K E R S }=-
Notice:Write locked - see NOTED::HACKERS
Moderator:DIEHRD::MORRIS
Created:Thu Feb 20 1986
Last Modified:Mon Aug 03 1992
Last Successful Update:Fri Jun 06 1997
Number of topics:680
Total number of notes:5456

40.0. "Dangerous Escape Sequences" by Vaxuum::DYER () Sat Jul 28 1984 00:30

	VMS V4 has taken the decidedly wise step of not passing ESCAPE
and other such characters through in REPLY and MAIL.  There are still a
few holes here and there, though, and they leave plenty of opportunities
for hackers to abuse.
	So be forewarned:  If your product is displaying things, try to
filter non-printing characters out.

	Here are some of the dangerous things I've come across:

	    o ^E - This causes the contents of a VT100-class terminal's
	      answerback buffer to be transmitted to the host.  Thus, if
	      one were to sneak into your cubicle, put a devious command
	      in your answerback buffer, and send a ^E to you when you
	      were logged in, they could do nasties.

	    o There's an undocumented escape sequence that will set the
	      contents of the answerback buffer, but I don't know what
	      it is.

	    o If you have a terminal with a port for a printer in it,
	      don't leave a loopback connector in it!  (A loopback
	      connector is an RS232 plug with a keychain-thingy coming out
	      of it.)  If you do, something nasty will happen when some-
	      body sends the following escape sequence to your terminal:
			<ESC>[5i nasty-things <ESC>[4i
	      Theoretically, these escape sequences are supposed to send
	      the "nasty-things" text to the printer.  If you have a loop-
	      back connector in that port, though, the text will loop back
	      to the terminal and be submitted as input to the host.  Up
	      to 100 characters are buffered.

	The following aren't as harmful, but you don't want them being sent
to your terminal:

	   o <ESC>[154q (and, I think, <ESC>[137q) - Your VT100 goes off
	     like a siren.  You have to reset (SET-UP 0) the terminal.

	   o <ESC>[155q (and, I think, <ESC>[138q) - Your VT100 has ultra-
	     sensitive autorepeat.  If you've got keyclick on, it sounds
	     like musical notes.  You have to reset the terminal.

	   o <ESC>[2;ny (where 9 <= n <= 15) - Your VT100 goes into
	     self-tests forever.  Forever means "until you turn it off".

	Escape sequences can be dangerous.  Watch out for them.
		<_Jym_>
Replies (T.R, Title, User, Personal Name, Date, Lines):
40.1. by LATOUR::AMARTIN () Sat Jul 28 1984 15:33 (8 lines)
The ^E hack is bad because many terminals' answerback buffers contain the
owner's account name and password.  I know many people who log in by turning
on their VT100 and hitting control/break, which sends the sequence.

I have the DFO3 commands for dialing the LCG SWE data switch in my home
terminal, but my terminal at work doesn't have anything in it.

				/AHM
40.3. by LOGIC::PUDER () Mon Jul 30 1984 18:16 (19 lines)
Results of experiment on base note data:

	<ESC>[nq
	Where n is:	Does:
	154 or 136		beep continuously (SETUP 0 to stop)
	155 or 137		keyboard repeat is fast

	<ESC>[2;ny
	Where n >= 8 does test-until-failure.
	Add 1 to do power-up test,
	add 2 to do data loopback test,
	add 4 to do EIA test.

If you give a number greater than 8, the terminal actually does the tests,
and so may stop, if there is a failure (such as the absence of a loopback
connector in the terminal). Using 8 assures lockup, since the null test
always succeeds. (Terminal shows "Wait". Cycle power to stop it.)

	Karl.
40.4. by LATOUR::AMARTIN () Tue Jul 31 1984 02:24 (12 lines)
Re .3:

I had always used <ESC>[163q to get the continuous beep.  Note that
136, 154 and 163 are all terms in the sequence 100+9n.  Well, I tried
145, and that worked too.  I would have to look at a VT100 card to
figure out what this really comes from (though I have been told that
it is because of a lack of a range check which can result in certain
fields overflowing into neighboring bits in the innards).  This is all
primitive compared to what someone who has access to the terminal
microcode can tell us.  Does anyone have the lowdown (this is so well
known that someone in the audience must)?
				/AHM
40.5. by VAXUUM::DYER () Wed Aug 01 1984 04:12 (2 lines)
	I've always heard it was undocumented.
		<_Jym_>
40.6. by LOGIC::PUDER () Wed Aug 01 1984 19:15 (22 lines)
More <esc>[Nq hacking:

The formula for N seems to be
L3 on:			128 + 5 + (9 * n)
L4 on:			128 + 6 + (9 * n)
siren:			128 + 8 + (9 * n)
repeat:			128 + 9 + (9 * n)
local light:		128 + 10 + (9 * n)	% Actually stays on line.
kbd locked light:	128 + 11 + (9 * n)	% Does not really lock kbd.
L1 on:			128 + 12 + (9 * n)
L2 on:			128 + 13 + (9 * n)
where n>=0 but N<256.

I haven't checked the entire range from 133 to 255, just representative
samples and the boundary cases.

Does this give anybody any ideas about how this happens?
Does anything happen for N = 128 + 7 + (9 * n)?
For N>256?
Does it matter?

	Karl.
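The filtering the base note asks for ("if your product is displaying things, try to filter non-printing characters out"), worked through for the sequences reported in this topic: the ^E answerback trigger and ^S of 40.0 and 40.7, the printer-controller pair <ESC>[5i ... <ESC>[4i, the self-test bits tabulated in 40.3, and the <ESC>[Nq formula of 40.6. This is an added example, not code from the notes. The sequence names DECLL, DECTST, MC, DECALN and DECSCLM are the standard VT100 names for the sequences discussed; the DECLL effect table is the thread's empirical 128 + k + 9n finding, not a specification, and the sample message is constructed for the demonstration.

```python
import re

# Token shape (VT100 / ECMA-48): CSI is ESC [ or the 8-bit byte 0x9B, then
# parameter bytes 0x30-0x3F, intermediates 0x20-0x2F and one final 0x40-0x7E;
# any other ESC takes optional intermediates and one final (ESC # 8, ESC <).
# Bare C0 controls other than TAB/LF/CR and 8-bit C1 controls are tokens too.
# Alternatives are tried in order, so a lone ESC still lands in the C0 class.
CONTROL_RE = re.compile(
    r"(?:\x1b\[|\x9b)(?P<params>[\x30-\x3f]*)(?P<inter>[\x20-\x2f]*)(?P<final>[\x40-\x7e])"
    r"|\x1b(?P<esc_inter>[\x20-\x2f]*)(?P<esc_final>[\x30-\x7e])"
    r"|(?P<c0>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f])"
    r"|(?P<c1>[\x80-\x9f])"
)

# CSI N q (DECLL, load LEDs): 0-4 are documented.  Note 40.6 reports
# N = 128 + k + 9m, so the effect depends on k = (N - 128) mod 9
# (k = 9..13 wrap to residues 0..4; residue 7 was not tested in the thread).
DECLL_RESIDUE = {
    5: "L3 on", 6: "L4 on", 8: "continuous bell (siren)",
    0: "keyboard debounce off (fast repeat)", 1: "LOCAL light on",
    2: "KBD LOCKED light on", 3: "L1 on", 4: "L2 on",
}

def decll_effect(n: int) -> str:
    """Effect of CSI n q on a VT100: documented range, then the 40.6 table."""
    if n == 0:
        return "documented: all LEDs off"
    if 1 <= n <= 4:
        return f"documented: L{n} on"
    if 133 <= n <= 255 and (n - 128) % 9 in DECLL_RESIDUE:
        return "undocumented: " + DECLL_RESIDUE[(n - 128) % 9]
    return "unknown"

def dectst_flags(n: int) -> list[str]:
    """Decode the CSI 2;n y (DECTST) parameter bits as listed in note 40.3."""
    bits = [(1, "power-up self test"), (2, "data loopback test"),
            (4, "EIA test"), (8, "repeat until failure")]
    return [name for bit, name in bits if n & bit]

def classify(m: re.Match) -> str:
    """Name the hazard of one control token, using the findings in this topic."""
    if m.group("c0") is not None:
        c = ord(m.group("c0"))
        return {0x05: "ENQ: terminal transmits its answerback buffer to the host",
                0x13: "XOFF: terminal output suspended until XON"}.get(c, f"C0 control {c:#04x}")
    if m.group("c1") is not None:
        return f"C1 control {ord(m.group('c1')):#04x}"
    if m.group("final") is not None:
        params, final = m.group("params"), m.group("final")
        private = params.startswith("?")
        nums = [int(p) for p in params.lstrip("?").split(";") if p.isdigit()]
        if final == "q" and not private and len(nums) == 1:
            return f"DECLL {nums[0]}: {decll_effect(nums[0])}"
        if final == "y" and not private and nums[:1] == [2] and len(nums) == 2:
            flags = dectst_flags(nums[1])
            return "DECTST: " + (", ".join(flags) if flags else "no test selected")
        if final == "i" and not private:
            mode = {5: "on (following text goes to the printer port)", 4: "off"}
            which = mode.get(nums[0] if nums else 0)
            return f"MC: printer controller {which}" if which else "MC: media copy"
        if final in "hl" and private and 4 in nums:
            return "DECSCLM: smooth scroll " + ("on" if final == "h" else "off")
        return f"CSI {params}{m.group('inter')}{final}"
    inter, final = m.group("esc_inter"), m.group("esc_final")
    if inter == "#" and final == "8":
        return "DECALN: screen filled with E"
    if inter == "" and final == "<":
        return "ESC <: terminal switched from VT52 to ANSI mode"
    return f"ESC {inter}{final}"

def caret(ch: str) -> str:
    """Render one byte so a terminal shows it instead of acting on it."""
    b = ord(ch)
    if b == 0x7F:
        return "^?"
    if b < 0x20:
        return "^" + chr(b + 0x40)
    return f"\\x{b:02x}" if 0x80 <= b <= 0x9F else ch

def scan(text: str) -> tuple[str, list[str]]:
    """Return (display-safe text, hazards found).  Every control token is
    rewritten in caret notation, so the result carries no ESC, C0 or C1
    bytes apart from TAB, LF and CR."""
    hazards: list[str] = []
    def repl(m: re.Match) -> str:
        hazards.append(classify(m))
        return "".join(caret(c) for c in m.group(0))
    return CONTROL_RE.sub(repl, text), hazards

# Constructed sample "mail message" carrying the sequences reported in 40.0,
# 40.3, 40.6 and 40.7, plus an 8-bit CSI (0x9B) variant of the self-test.
SAMPLE = ("Hi,\x05 please look at this:\n"
          "\x1b[5i$ DIRECTORY SYS$LOGIN\r\x1b[4i"
          "\x1b[154q\x1b[2;9y\x9b2;8y\x1b#8\x1b<\x1b[?4h\x13 thanks\n")

if __name__ == "__main__":
    safe, found = scan(SAMPLE)
    print(safe)
    for h in found:
        print(" -", h)
```

The regex is deliberately a tokenizer rather than a blacklist: anything that parses as a sequence is neutralised whether or not `classify` has a name for it, and the 8-bit CSI form is caught because a display filter that only looks for 0x1B would pass it straight to the terminal.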
40.7. by XENON::GAUDREAU () Thu Aug 09 1984 15:25 (6 lines)
   Since I'm new to this file, I'll give a goody too.  The ^S character can
get through mail on V4.  On VT100s, a double <Setup> fixes things but on
other types of terminals (vt200+++) things are a little more difficult...

 Joe
 -=-
40.8. by VAXUUM::DYER () Thu Aug 09 1984 21:39 (4 lines)
	[RE .7]:  Gee, I always turn ^S off with ^Q...
	I sent a message about a year ago to the head of VMSmail, telling
him to watch out for control characters like ^E and ^S.  Heavy sigh...
		<_Jym_>
40.9. by JAWS::PKAISER () Mon Sep 24 1984 14:24 (10 lines)
I simply repeat this here for what it's worth, hoping that I'll hear back when
someone experiments with it, "the black hole":

	(ESC)<(ESC)[?4h(30 CR-LFs)(ESC)<(ESC)[?4l(30 CR-LFs)

My original note on this (from a friend) says "What happened to your cursor?
Try a directory listing.  Try putting this sequence on your terminal several
times and see how many cursors you can make appear."

---Pete
40.10. by QUILL::NELSON () Mon Sep 24 1984 16:58 (5 lines)
RE: 9:
    This is a known bug that appears when switching to/from soft/hard scroll.
    I'm not sure of the exact conditions under which it occurs.

    				JENelson
40.11. by JAWS::PKAISER () Wed Sep 26 1984 12:09 (1 line)
What are some other "known bugs" and their effects?
40.12. by NEWTON::REUTER () Sat Sep 29 1984 05:05 (11 lines)
The escape sequence for "ultra sensitive repeat" is not 
ultra-sensitive-repeat.  It is "turn off software key debounce".

I was also told by an expert on this subject that there is an
escape sequence that changes the character sent by the return
key.  Forever.  In the non-volatile storage.  Until you supply
another escape sequence that restores normal CR action.

I don't know what it is, and I wouldn't put it here if I did anyway!

	Jim
40.13. by SPRITE::OSMAN () Tue Apr 23 1985 18:19 (19 lines)
For those of you still on vt100's (I've migrated to a vt241), you may enjoy
my VT100 procedure.  My favorite feature in it is "QUACK".  To get the procedure
just do this:

	$ COPY SPRITE::DRB1:[OSMAN.COMFILES]VT100.COM *

I suggest you define a VT100 command, like this:

	$ VT100 == "@your-disk:[your-dir]VT100"

Then, try things such as

	$ VT100 QUACK
	. . .
	$ VT100 HELP

Enjoy.
/Eric

40.14. by TAHOE::JENSEN () Sat Aug 03 1985 04:55 (102 lines)
40.15. by VAXUUM::DYER () Mon Aug 05 1985 03:53 (2 lines)
	[RE .14]:  Which terminals is that nasty on?
		<_Jym_>
40.16. by SNOV10::QUODLING () Mon Aug 05 1985 08:31 (4 lines)
It turns the character set on a VT200 series into a collection of fly 
droppings.

Q
40.17. by TAHOE::JENSEN () Wed Aug 07 1985 16:27 (2 lines)
To be more precise, a character set whose pixels were generated by a uniform
random number generator set for 10% white space.
40.18. by SNOV10::QUODLING () Thu Aug 08 1985 02:33 (7 lines)
>To be more precise, a character set whose pixels were generated by a uniform
>random number generator set for 10% white space.


Still looks like fly sh*t to me!

Q :-)
40.19. "Another escape sequence" by 15491::ROTHBERG () Mon Jul 13 1987 06:54 (18 lines)
    This is entered a little late, but there is another undocumented
    VT100 escape sequence that I used to know.  I haven't touched the
    terminal in so long though, I have forgotten it.  It caused the
    terminal to alternate between normal and reverse video mode no
    matter what you were doing.  It was a real headache causer.  I
    think it was something like :

    print chr$ (155%) + "[6;71y"

    or something like that.  I can't test it because I no longer have
    access to a vt100 (awwww).

    - Rob
40.20. "exit" by SMAUG::MENDEL () Tue Jul 14 1987 12:38 (6 lines)
    What do you get when you print <ESC>#8 on a VT220? 
    
    I mean, I can see it too, but is there a rational explanation?
    (Yes, you can try it ... it's safe, I promise.)
    
    Kevin
40.21. "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" by REGAL::DIAMOND (This mall needs more stores) Tue Jul 14 1987 13:02 (6 lines)
    It's called DECALN (Screen Alignment Display, DEC private sequence).
    From the VT100 user's guide, "This command fills the entire screen with
    Es for screen focus and alignment.  This command is used by DEC
    manufacturing and Field Service personnel." 
    
    Dave 
40.22. "An early and dangerous hack" by TELCOM::MCVAY (Pete McVay, VRO Telecom) Wed Jul 15 1987 18:41 (8 lines)
    There used to be a DEC private sequence on the early VT100's that
    would repeat the self-test endlessly.  It was meant to test terminals
    that were failing for no apparent reason.  As soon as this code
    was discovered, it got sent out in letter bombs (back when MAIL
    accepted escape sequences) with a sequence that would lock it in
    to non-volatile memory.  That is, turning off your terminal wouldn't
    make the problem go away.  The private sequence was removed from
    later versions.
40.23. "ctrl-t ?" by MTBLUE::PFISTER_ROB () Fri Jul 17 1987 15:22 (5 lines)
    Another silly place to embed escape sequences is in your process
    names.  Most things like show system strip them, but ctrl-t doesn't.
    About the only use I found is a sneaky way to clear your screen.
    
    Robb