The CatInTheHat Attack

Guess what, folks: it's no longer April 1st and the joke is over. For those who are newer to Linux and hacking, we published an explainer video https://youtu.be/WB0Ll_AgVRo to help newbies understand what this joke was all about!


The CatInTheHat Attack uses a crafted input to exploit the popular /bin/cat software program. The software architecture suffers from a design pattern that enables leakage of sensitive information via arbitrary file content disclosure leveraging overt behaviors that exist when a file descriptor from open(2) is combined with use of the read(2) function.


Q&A

Am I affected by the bug?

You are affected if you use any UNIX-derived computing system, such as Ubuntu Linux, Red Hat Linux, Red Star OS, or macOS (even Linux releases prior to 1991). Installations of Microsoft Windows are unaffected as it is a commercial OS and not open source.

How can I track industry coordination on this? What is CVE-2021-M30W?

CVE-2021-M30W is the official reference for this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names, managed by MITRE. Due to coincident discovery among several teams of security researchers, multiple CVEs were assigned, but to prevent confusion going forward CVE-2021-M30W should be used.

What makes this bug unique?

Bugs in single software versions or libraries come and go and are patched by new versions. However, this bug affects a huge number of devices and is caused by behaviors within POSIX libraries themselves, making it very difficult to fix. It should therefore be treated extremely seriously by all citizens of the world. Also, migrating all enterprise systems to commercial OSes to avoid future security concerns with POSIX subsystems and open source software like /bin/cat may be a prudent security architecture decision for defense-in-depth.

What is being leaked?

The CatInTheHat Attack allows processes that are configured with privileges to write to the standard input buffer to inject characters into the shell subsystem and execute a crafted execution of the /bin/cat binary. This enables black hat hackers, DevOps teams, and rogue nation states to access confidential information such as password hashes, social security numbers, garbage files, and .rhost files.

Example exploit:
neo@z1on# cd;ls;cd;/bin/cat${IFS}/etc/shadow
root:$6$XE4EE1jk$EfhyiBYKZye2613yGGH26lREOrrbyDivVcRWi04I9fN2V.wM2Lcr5NbfR8KieBJ.Fn7K80GhxHTjtFeVWhxja1:0:14600:14:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
phcadmin:!!:17289:0:99999:7:::
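Strip away the `cd;ls;cd;` padding (the `;` separators just chain harmless commands) and the one reusable technique in that payload is `${IFS}`: the shell expands it to whitespace and then field-splits on it, so `cat${IFS}/etc/shadow` runs as `cat /etc/shadow` without a literal space. That is the classic way a command-injection payload slips past a filter that blocks spaces. The script below is an added example, not part of the original advisory or IncludeSec's material; the secret file, its contents, the filter and the function names are all constructed for the demo so it runs unprivileged.

```sh
#!/bin/sh
# Added example (not from the original advisory): the only reusable trick in the
# joke payload is ${IFS}. Because the shell expands ${IFS} to whitespace and then
# field-splits on it, "cat${IFS}/path" runs as "cat /path" without a literal
# space, which defeats naive command-injection filters that block spaces.
# The secret file, its contents and the filter below are constructed for the demo.

# Constructed stand-in for a /etc/shadow line; this is not a real hash.
SECRET_CONTENT='root:$6$constructedhash:0:14600:14:::'

# Write the constructed secret to a temp file and print its path.
make_secret_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SECRET_CONTENT" > "$f"
    printf '%s\n' "$f"
}

# Hypothetical naive filter: succeeds (returns 0) when the input contains a
# literal space, i.e. the payload is "blocked".
blocked_by_space_filter() {
    case "$1" in
        *' '*) return 0 ;;
        *)     return 1 ;;
    esac
}

# The vulnerable sink: attacker-controlled text handed to the shell verbatim.
run_in_shell() {
    eval "$1"
}

# The spaced form of the command never gets past the filter.
spaced_payload_is_blocked() {
    blocked_by_space_filter 'cat /etc/shadow'
}

# The ${IFS} form passes the filter and the shell still reads the file.
# Prints the file contents the payload disclosed.
ifs_bypass_reads_secret() {
    f=$(make_secret_file) || return 1
    payload="cat\${IFS}$f"          # literal text: cat${IFS}/tmp/tmp.XXXX
    if blocked_by_space_filter "$payload"; then
        rm -f "$f"
        return 1
    fi
    out=$(run_in_shell "$payload")
    rm -f "$f"
    printf '%s\n' "$out"
}

# Stand-alone demo.
spaced_payload_is_blocked && echo "filter blocks: cat /etc/shadow"
echo "filter misses, shell runs: $(ifs_bypass_reads_secret)"
```

The point is that the filter is looking at the bytes of the payload while the shell is looking at the expanded words, and the two never agree. A space denylist is not a fix for command injection; the fix is to stop handing untrusted text to a shell at all.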

How can I ensure my code is not vulnerable?

Our friends at r2c created a Semgrep rule to detect if your code is vulnerable to this attack. Check out the CatInTheHatAttack rule in the live editor, or simply run this command to scan your code using Semgrep:

docker run --rm -v "${PWD}:/src" returntocorp/semgrep --config s/daghan:catinthehatattack

How can I inform other stakeholders of the severity of this bug?

We know that it is often difficult to get non-technical management and project managers to appreciate the risk of a security bug. Therefore we have designed premium merchandise to help market this attack:

How does this relate to the 😾😾😾 "Thangrycat" disclosures?

Despite the name, this vulnerability actually has nothing to do with the award-winning 😾😾😾 research, but we agree with their cat-themed vulnerability marketing™.

Is there a bright side to all this?

No. Everything is vulnerable and the world is on fire. Just kidding, happy April 1st!

Why would you do this and who are you?

This was a joint industry-wide project involving thousands of companies and the CERT teams of multiple planets. This multi-planetary advisory project was led by the IncludeSec security research team, with sense-of-humor support from companies such as r2c.

This joke site is a reaction to those who seek to publish security research in ways that are only focused on branding and aren't constructive towards the overall goal of helping developers secure systems. We encourage security researchers to continue their efforts revealing security mistakes, challenges, and concerns... but we also want to encourage support for developers and defenders. Solutions and guidance on fixes are important!

Our message is: Don't just make a vuln logo, let's all work together to enable developers to make more secure software :-P