David Leadbeater

You have a bash command line of "exec program ..." and you control "..." can you make it do something different? What if it is somewhat sanitised for shell metacharacters? If you can inject $[+] it will make bash error on that line and run the next. 👀 dgl.cx/2025/10/bash-a…

I'll be speaking at BSides Canberra: cfp.bsidescbr.com.au/bsides-canberr… -- this will cover my recent find of an RCE in Git (dgl.cx/2025/07/git-cl…) and how that and some other vulnerabilities could be used against developers.

@b1ack0wl @trshpuppy @CVEnew If anything it's a lesson that drawing conclusions from the CVE write-up is fraught with danger. There's a demo of one possible attack vector in my write-up at dgl.cx/2024/12/ghostt… which does not need the user to press enter, although it is configuration dependant.

@trshpuppy @CVEnew "followed by convincing the user to physically press the "enter" key" lol, lmao even

CVE-2024-56803 Ghostty is a cross-platform terminal emulator. Ghostty, as allowed by default in 1.0.0, allows attackers to modify the window title via a certain character escape seq… cve.org/CVERecord?id=C…

@solaticlunatic @CVEnew There are some possibilites for an exploit without the user pressing enter, or social engineering (e.g. using invisible text). I did a write-up with one configuration dependant exploit at dgl.cx/2024/12/ghostt…

@CVEnew “ This attack requires an attacker to send malicious escape sequences followed by convincing the user to physically press the "enter" key.” “Click enter, I double dare you” 😂

New blog post: Ghostty 1.0.0 terminal security; dgl.cx/2024/12/ghostt… (CVE-2024-56803)

@GlennPegden @stiggle @stokfredrik Another one to check is reverse DNS; even on modern systems. macOS’s traceroute wasn’t escaping until quite recently (I reported it about this time last year and they fixed it sometime after that, although it lowercased everything so was hard to actually exploit)

@GlennPegden @stiggle @stokfredrik One fun in DOS with ANSI.SYS loaded is disk labels can have ANSI escapes in them (at least with CDs made with mkisofs, native DOS tools don't let you, but I suspect a hex edit works). The result is I have a CD where simply typing "dir" on it redefines enter so it nearly autoruns!

Latest write up from @davidgl detailing his research into terminal escapes and the 10 ‼️ @NISTcyber CVEs that had potential for remote code execution. @defcon @MSFTBlueHat @_everythingopen @linuxaustralia @linuxfoundation #opensource #cybersecurity gresearch.com/blog/article/g…

@GlennPegden @stiggle @UKCougar @tobyontour @stokfredrik Thanks :) One of the things I didn’t quite have time to explicitly into in my talk, is back in the day people were more aware of this. It turns out various basic tools which did do escaping in the past have just lost it.

For once a non-security terminal thing. I'm sure someone else has written this but I couldn't find it; here's a simple script that makes commit IDs in "git log" clickable (in many terminals): gist.github.com/dgl/ef848e75c0…

@GeoffreyHuntley @_everythingopen @LaTerminalApp I looked at that. Underneath @LaTerminalApp uses SwiftTerm and I found github.com/migueldeicaza/… — @migueldeicaza fixed it very quickly!

Thank you to everyone who attended my @_everythingopen talk, with more of my terminal research. I've published the Docker image PoC that I demoed, see @dgl/110019782401240586" target="_blank" rel="nofollow noopener">infosec.exchange/@dgl/110019782…

David Leadbeater @davidgl from G-Research has taken the #BlueHat stage for his talk: Houdini of the Terminal.

📣 Speaker Announcement 📣 David Leadbeater @davidgl, software engineer at G-Research, will be speaking at #BlueHat this week. David’s talk will explore over 20 years of terminal vulnerabilities, from attacks via Apache's log files to attacking via Kubernetes. 👏

@raphink @AWS_Snarkitect @urlichsanais Why not just let your untrusted users run a service called ‘google’ in a namespace called ‘com’

🚧Let's play a game: Pitch me critical Kubernetes misconfiguration -- not why I should avoid them but why I MUST have them 👀

@karldyson I can offer you a @bitfolk referral code ;)

Oooooo, the control panel says it’s up and running… …but I can’t ssh, so I tried a ping which doesn’t respond, so I tried the VM console, which gives me “Something went wrong, connection is closed”

Still getting a fatal “We’re sorry, your server can’t be started at this time due to a platform error” Can only assume @bytemark’s server move isn’t going well. Meanwhile my email and websites are down 🙄 Starting to regret not finding time to jump ship sooner 😢

@isomer @jlbec PS: I'm no expert on this, I just happen to have the plan 9 tools installed to play with...

@isomer @jlbec Except not quite, because the default ifs means that parses as a list, so: % echo --`{uname -sr} --Darwin --21.6.0 % ifs=' ' # only newline % echo --`{uname -sr} --Darwin 21.6.0 [except now multiline output repeats the arg, maybe you meant that?]

I'm playing with parsing the syntax for my shell. I'm aiming for something interesting/innovative/thought provoking rather than the usual borne shell compatibility. I'm rather intrigued by plan9s rc syntax, but I figure I should open the floor for suggestions for syntax.

@techpractical @TokenScandi raw.githubusercontent.com/missive/emoji-… grep for /joint/

@techpractical @TokenScandi Unicode does have some lists of alternatives, but I don't believe for emoji; this seems to be coming from github.com/missive/emoji-… in mastodon's case... most emoji pickers (even on phones) have some custom list of words