“Unusual” Autorun exploit under Linux ;)

I am using Debian 8 but it was probably included in many distros.

An autorun-like “feature” can be found under certain circumstances when using the usb-devices command.

Those “cat” commands should be “cat -v”. I was especially worried about:

print_string() {
    if [ -f $file ]; then
        # cat sends the raw bytes of the sysfs string to the terminal
        echo "S: $name=`cat $file`"
    fi
}

An example case would be a manufacturer file containing escape sequences on a dodgy USB device. I used the excellent Ubertooth One to test it but a 1.5 USD cp21x serial converter could be used inside a recycled USB flash case.

Most terminals have those problems fixed so this is not a big deal but better safe than sorry.

Quick test:

open a terminal window
echo -e "\e]2;a new terminal window title\a" > manufacturer
cat manufacturer

How to fix it fast:

cat usb-devices | sed s/cat/"cat -v"/ >usb-devices-fixed
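The print_string excerpt and the “cat -v” fix above, as an added example that is not part of the original post or of the usb-devices script: a hardened print_string plus a check that flags USB string attributes carrying control bytes. The names has_control_bytes, print_string_safe and scan_usb_strings are hypothetical, and the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example; only print_string is a name from usb-devices, the rest is hypothetical.

# Succeeds if the file holds any byte outside printable ASCII (newline aside).
has_control_bytes() {
    LC_ALL=C grep -q '[^ -~]' "$1"
}

# print_string with the fix applied: cat -v shows control bytes in caret
# notation (ESC as ^[, BEL as ^G). printf is used because echo's handling of
# backslashes differs between shells.
print_string_safe() {
    file=$1
    name=$2
    if [ -f "$file" ]; then
        printf 'S: %s=%s\n' "$name" "$(cat -v "$file")"
    fi
}

# List USB string attributes that carry control bytes. The root directory is
# a parameter so the check can be tried on a constructed tree.
scan_usb_strings() {
    root=${1:-/sys/bus/usb/devices}
    for f in "$root"/*/manufacturer "$root"/*/product "$root"/*/serial; do
        [ -f "$f" ] || continue
        if has_control_bytes "$f"; then
            printf 'SUSPICIOUS %s: %s\n' "$f" "$(cat -v "$f")"
        fi
    done
}

# Demo on a constructed sysfs-like tree (sample data, not from a real device).
demo=$(mktemp -d)
mkdir "$demo/1-1" "$demo/1-2"
printf '\033]2;a new terminal window title\007\n' > "$demo/1-1/manufacturer"
printf 'ACME Corp\n' > "$demo/1-2/manufacturer"
print_string_safe "$demo/1-1/manufacturer" Manufacturer
print_string_safe "$demo/1-2/manufacturer" Manufacturer
scan_usb_strings "$demo"
rm -rf "$demo"
```

Run without arguments, scan_usb_strings reads /sys/bus/usb/devices, so it can be used to check attached devices before running the unpatched script.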

Terminal Emulator Security Issues by HD Moore

CP21x AN721, how to change manufacturer name:

Have fun,

