Wednesday, December 26, 2018

The other kind of "flash" that we used to worry about

As time goes by, some of my references become more and more dated. Sometimes, I'll rattle something off only to soon realize that the other person has no idea what I was talking about. It's almost always because they are from a different generation, and have had their own set of problems to deal with when it comes to computers. There's overlap, sure, but there are things which are uniquely "mine" or "theirs", too.

This time, though, the term isn't a modem thing like line noise, but it does involve terminals. This one... is about flash.

Odds are, if I mention flash, you're probably thinking of the thing that you used to need in your browser to watch YouTube videos and play various amusing games. It's also the thing which was chock-full of security holes, needed patching constantly, and touched off an epic tug-of-war between Apple (who refused to put it in iOS) and Adobe.

This is not about that flash. This is something entirely different.

No, for this one, you need to set your wayback machine to the mid-90s. Unix boxes were legion at various academic institutions, and they actually tended to have multiple distinct human users on them at any given moment. People would rsh, rlogin, telnet, and later, ssh, to get to their account. They'd be running around doing stuff in their shells, copying files around, writing code, looking at Gopherspace or other (text-based) parts of the web, FTPing files, or maybe even... chatting.

Back in those days, you could do something like this...

$ talk rachel

... and I'd get a pop-up on my session(s) saying that so-and-so wanted to chat with me.

Message from Talk_Daemon@mybox at 17:25 ...
talk: connection requested by other_user
talk: respond with:  talk other_user

This worked by way of a talk daemon (talkd, ntalkd, or the like) which just sat there waiting to be poked with a chat request. When it got one, it would open your tty and would just write a bunch of stuff to it directly to deliver a notice much like the one shown above.

What's more, since this worked over TCP/IP, you could do it over the network. You could just as easily say "talk rachel@otherbox" or even "talk rachel@otherbox.othercity.example.com" or whatever you wanted. As long as you both had the talk daemon running, it would just work.

If you're now thinking "hey, I bet I could use that to put random crap on the screen of the other person by crafting my own talk request packet", you're on the right track. Your chat request to the other person specified details of how they were to connect back to you. What if you supplied utter garbage?

This is basically what flash did. It would connect to the talk daemon on a target's machine, and would say that (garbage string) was trying to talk to the target's account. If the daemon was running, didn't have protection against such foolishness, and the target had messages enabled ("mesg y" or the equivalent permissions on their tty), it would deliver it.

"So I could call them a boogerhead, so what", some might think. Ah, yes, well, terminals are tricky. They don't just render alphanumeric characters. Many of them support all kinds of interesting escape sequences to allow you to do more than just append plain text to the screen. You can do things like... change the background color, or make things actually blink (hence "flash") sometimes, or change the character set, or clear the screen, or play wacky sounds sometimes, and so on.

A typical use case was to point this at someone who was bothering you on IRC or a similar multi-person system. Their terminal would get completely screwed up and they'd be unable to see what was going on. They'd usually have to suspend the program, blind-type "reset", and hope that was enough to bring it back. On other systems lacking such tools, they would try to rig up an "echo ^[[0m" and/or "echo ^O" and hope those were enough to undo the damage.
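The defensive side of all this is that anything which writes network-supplied text onto someone's tty (a talkd-style notifier, a mail announcer, a chat client) has to treat that text as data, never as terminal commands. The following is an added example written for this page, not code from the post or from any talk daemon: it strips the control bytes and escape sequences a terminal would act on (CSI colour/blink/clear sequences, OSC title sequences, two-byte ESC sequences such as charset switches, and raw C0/C1 control characters including the ^O / SO-SI pair), and separately renders them in cat -v style caret notation for logging. The SAMPLE message is constructed for the demo; the sequence inside it is the same "blink on a red background" style of thing the post describes.

```python
import re

# Constructed sample: a notice as a tty-writing daemon might receive it from
# the network, with embedded terminal control sequences. Not captured data.
SAMPLE = ("talk: connection requested by "
          "\x1b[5;41mother_user\x1b[0m"   # CSI: blink + red background, then reset
          "\x0e\x07"                       # SO (alternate charset) and BEL
          " \x1b]0;x\x07!")                # OSC: set window title

# Building blocks, following the ECMA-48 structure of escape sequences:
#   CSI:   ESC [ <params 0x30-0x3f> <intermediates 0x20-0x2f> <final 0x40-0x7e>
#   OSC:   ESC ] ... terminated by BEL or by ESC \
#   other: ESC <intermediates 0x20-0x2f> <final 0x30-0x7e>   (e.g. ESC ( 0)
#   C0/C1: raw control bytes, except TAB and LF which are harmless in a notice
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
_ESC_TWO = r"\x1b[ -/]*[0-~]"
_CTRL = r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"
# Order matters: CSI and OSC must be tried before the generic ESC rule, or
# "ESC [" would be consumed on its own and the parameters leak out as text.
_UNSAFE = re.compile(f"{_CSI}|{_OSC}|{_ESC_TWO}|{_CTRL}")


def sanitize_for_tty(text: str) -> str:
    """Return text with everything a terminal would interpret removed.

    This is what to run over network-supplied strings before writing them
    to someone else's tty: the words survive, the side effects do not.
    """
    return _UNSAFE.sub("", text)


def caret_notation(text: str) -> str:
    """Render control bytes visibly (cat -v style) instead of dropping them.

    Useful for a log line: it keeps evidence of what was actually sent
    while still being safe to print on a terminal.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x20 and ch not in "\t\n":
            out.append("^" + chr(code + 0x40))      # ESC -> ^[, SO -> ^N, BEL -> ^G
        elif code == 0x7f:
            out.append("^?")
        elif 0x80 <= code <= 0x9f:
            out.append("M-^" + chr(code - 0x80 + 0x40))  # C1 range, as cat -v shows it
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print("clean :", sanitize_for_tty(SAMPLE))
    print("logged:", caret_notation(SAMPLE))
```

Stripping rather than escaping is the right choice for the copy that goes to the tty; the caret form is for the audit trail, so the admin who ends up "cracking heads" can see exactly which bytes arrived. The same filter also defuses the autoreceive trick mentioned later in the post, because the raw control bytes (CR, CAN) that a Zmodem start sequence depends on never reach the terminal program.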

Frequently, they'd just close the session and would start over. This would shut down their processes attached to that tty (think "hangup"!) and they'd disconnect from IRC, or the MUD they were using, or whatever.

This could be repeated ad nauseam until the poor target gave up, the attacker got bored, or (more likely) some sysadmin types got involved and started cracking heads. It could really ruin someone's day if they had Actual Work to get done on their account.

So, to bring this full circle, the other day, someone remarked their terminal was being weird, and I said "oh, you got flashed, huh?"... to which their response was just confusion. I was using it to refer to the general case where something leaves the terminal in a bad state and it's screwed up as if you had "gotten flashed" by an attacker back in the old days. Obviously, nobody actually gets hit by that any more, since talkd and friends are obsolete.

I mean... nobody really runs talkd and friends any more... right?

I should mention that there have been many variants on this theme. You could jam those same fun escape sequences into a mail and wait for good old biff (the comsat daemon, really) to announce the incoming message on their tty.

Some of the attacks assumed people were using a terminal program which had an "autoreceive" feature for file transfers. Such a program would wait to see a certain string emitted by a zmodem implementation and would then kick off their own zmodem in receive mode. This way you could just "sz foo.tar" from your session and the terminal would automatically do the right thing.

Of course, if someone "flashed" you with a Zmodem start sequence, your terminal would go off and start it up and you'd be effectively cut off from your session until you managed to abort it. If they sent a bunch of them in a row, you might be there a very long time.

There were also variants which apparently made use of old-school SunRPC-based things like rwall. Not as many people seemed to run portmap and rpc.rwalld, and it didn't seem as well-known in my circles. I only discovered "wallflash" while digging around to clarify some of my own memories to write this post.

I should point out that this attack was all about pushing bytes at you, and had nothing to do with getting you to emit bytes back over your connection. There's a whole other class of attacks which circulated around the same time which involved cheap modems which didn't do the right thing to handle their own local escape sequences.

Maybe I'll write about that some other time.