by kjetil 4257 days ago
Even without such vulnerabilities, I would be wary of printing out stuff from any untrusted files in a terminal. Most terminal emulators have been vulnerable to escape character attacks at some point.

http://marc.info/?l=bugtraq&m=104612710031920

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2383


But I don't think that strings will print escape characters. It's the point of strings to extract printable ASCII characters. Or am I mistaken?
No, you're right, I think the parent comment was referring to using cat or grep on binaries.
Even on 'valid' binaries, it still tends to mess up your terminal. I noticed that pretty quickly when I started working with Linux. Are there really people that work with cat and grep on binary files?
Perhaps not intentionally, but cat has valid uses for concatenating binary files and sometimes they end up going to the terminal just by accident. As far as grep goes, the answer to your question is "yes": http://stackoverflow.com/questions/9988379/how-to-grep-a-tex...
Of course you can use grep on binaries perfectly safely, if you just don't print all the results to the terminal. Use `grep -lr <pattern> <dir>` to find binaries that contain a certain pattern, use `grep --byte-offset --only-matching --text <pattern> <file>` to find the offsets in a file.
Grep even explicitly supports it with the -a (--text) option that forces it to treat a binary file as text.
It reminds me of one bug I published earlier in Bugtraq in 1999: http://archives.neohapsis.com/archives/bugtraq/1999-q3/1113....

I wrote a buffer overflow exploit at that time.
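
As an added example (not code from any commenter in this thread), the following sketch shows one way to inspect an untrusted file without letting its bytes reach the terminal as control codes: it reports the offsets of ESC-introduced sequences and renders everything else visibly. The function names and the sample bytes are constructed for illustration.

```python
import re

# ESC on its own, or ESC followed by the CSI "[", OSC "]" or DCS "P" introducer.
ESCAPE_RE = re.compile(rb"\x1b[\[\]P]?")
KINDS = {b"\x1b[": "CSI", b"\x1b]": "OSC", b"\x1bP": "DCS", b"\x1b": "ESC"}

def find_escapes(data: bytes):
    """Return (offset, kind) for every escape-sequence introducer in data."""
    return [(m.start(), KINDS[m.group()]) for m in ESCAPE_RE.finditer(data)]

def render_safe(data: bytes) -> str:
    """Render bytes so that no control code is sent to the terminal.

    Printable ASCII, tab and newline pass through unchanged; every other
    byte (C0 controls, DEL, and all bytes >= 0x80) is shown as \\xNN.
    """
    out = []
    for b in data:
        if 0x20 <= b <= 0x7E or b in (0x09, 0x0A):
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)

# Constructed sample: binary-looking bytes containing an OSC (set title)
# sequence and a CSI (clear screen) sequence.
SAMPLE = b"ELF\x00header\x1b]0;constructed title\x07 text \x1b[2Jmore\n"

if __name__ == "__main__":
    for offset, kind in find_escapes(SAMPLE):
        print(f"offset {offset}: {kind} introducer")
    print(render_safe(SAMPLE), end="")
```
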