Escape Sequences in Filenames are not Filtered

[mgerstner]

Filenames on Linux can contain arbitrary characters except for the path separator '/'. Thus filenames can also contain possibly dangerous characters like ASCII control codes (newline, linefeed, etc.) or even complete ANSI/CSI terminal escape sequences.

On the Croc receiver side the filenames communicated by the sender side are accepted unfiltered and are also output on stdout during transmission. When the latter happens, the escape sequences are interpreted by the receiver's terminal and can lead to colored text, moving the cursor around or - if an insecure terminal emulator setup is used - even arbitrary code execution can be achieved.

In particular this issue is a nice addition to issues #593 and #594, since it allows to hide filenames of previously transmitted files on stdout, therefore making the attack less conspicuous. This is an example of how this can be done:

# this moves the cursor up one line and performs a carriage return, thus
# overwriting the previous line on the terminal
sender $ touch "`echo -e '\033[1A\rharmless'`"
sender $ touch "evil"
sender $ croc send evil *harmless
[...]

receiver $ croc <shared-secret>
receiver $ Accept 2 files (0 B)? (Y/n) Y

harmless 100% |████████████████████| ( 0/ 1 B) 2/2

An interactive user will only see the "harmless" file, probably not noticing that a file seems to be "missing" in the output.

To fix this Croc should filter filenames on the receiver side and either reject or replace any unsafe non-printable characters.

[schollz]

Thanks, this would be a great PR to have

[mgerstner]

Mitre assigned CVE-2023-43620 to track this issue.

[aspann]

Shouldn't CVE-2023-43620 cover 9.6.6 as well?

[schollz]

fixed in this commit: a591833

discuss in #697