Comment by VMG
11 days ago
Note that this is much more dangerous than visiting a website. ANSI escape sequences can seriously mess with your system, RCE included.
Note that this is much more dangerous than visiting a website.
Are you being hyperbolic or do you seriously think the attack surface area of ANSI escape sequences is 'much more' than, say, JavaScript?
JavaScript has to escape the browser sandbox, does telnet have a similar sandbox? Or can it access the system directly?
I don't know the answer but if telnet can directly access the system that seems more dangerous irrespective of the attack surface.
Telnet is "sandboxed" in that it can only output characters to your tty, however that in itself is quite a powerful primitive.
The ANSI control characters wield the power of a huge stack of not very robust code:
https://nvd.nist.gov/vuln/detail/CVE-2024-56803
That's a very fair point, but on my system telnet is 211144 bytes. How big is a JavaScript runtime + browser + browser sandbox? I have no idea, but I'd be really surprised if it was less than 3 orders of magnitude bigger, and not at all surprised if it was 4 orders of magnitude bigger. There are just more places for things to go wrong.
And, telnet isn't installed by default on many systems. So...YMMV.
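
The point made in the thread, that a remote host's only primitive is writing characters to your tty, suggests filtering that stream before a terminal emulator interprets it. The following is an added example, not code posted by anyone in the thread: a Python filter that strips escape and control sequences from untrusted output and reports what it removed. The function name `sanitize` and the sample bytes are constructed for illustration.

```python
import re

# Control sequences a terminal emulator would act on (ECMA-48 / xterm style).
_SEQ = re.compile(
    r"(?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?)"   # OSC ... BEL or ST
    r"|(?P<string>\x1b[PX^_][^\x1b]*(?:\x1b\\)?)"    # DCS/SOS/PM/APC ... ST
    r"|(?P<csi>\x1b\[[0-?]*[ -/]*[@-~]?)"            # CSI params, intermediates, final
    r"|(?P<esc>\x1b[ -/]*[0-~]?)"                    # any other ESC sequence, or a lone ESC
    r"|(?P<c1>[\x80-\x9f])"                          # C1 controls as decoded code points
    r"|(?P<c0>[\x00-\x08\x0b-\x1a\x1c-\x1f\x7f])"    # C0 controls except TAB and LF
)


def sanitize(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Return (printable_text, [(kind, sequence), ...]) for untrusted output."""
    # Decode first so stray high bytes become U+FFFD instead of 8-bit controls.
    text = raw.decode("utf-8", errors="replace")
    found: list[tuple[str, str]] = []

    def drop(match: re.Match) -> str:
        found.append((match.lastgroup, match.group()))
        return ""

    return _SEQ.sub(drop, text), found


# Constructed sample: a title-setting OSC, SGR colour codes, CR, backspace, C1 CSI.
SAMPLE = (b"\x1b]0;constructed title\x07\x1b[1;31mlogin:\x1b[0m ok\r\n"
          b"caf\xc3\xa9\x08\xc2\x9b")

if __name__ == "__main__":
    clean, report = sanitize(SAMPLE)
    print(repr(clean))
    for kind, seq in report:
        print(f"{kind:6} {seq!r}")
```

An unterminated OSC or string sequence is dropped up to the next ESC or the end of input, so the filter fails closed rather than letting a partial sequence through.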