Whether such output can be exploited depends on the terminal program, and what that terminal does depending on escape codes that are being sent.
I am not aware of terminal programs having such exploitable features, and the only problem now would be if there is an unknown buffer overflow or something like that, that could be exploited.
With some older hardware terminals this could be a problem, as you programmed e.g. function keys with these kinds of escape sequences, by storing a command sequence for that key in the hardware. You would still need a physical key-press to activate that.
But there are always (as Hauke so rightfully marked ‘braindead’) people willing to add such a feature if it solves a problem for them, not understanding the loophole they create. My experience with open source software is that, because of the many eyes looking at the code, this is less likely to happen than with closed source. (I remember that in the mail program on Silicon Graphics’ Irix, in the mid nineties, you could include commands to be executed on the receiver's machine, real paths to executables, ….)
Most terminal emulators will send back some response if they receive certain escape sequences (have a look at the xterm control sequences documentation). E.g., you can send \e[0c to a VT100-like emulator and it will send back the device attributes, (This is probably what Keith observed.) But these answers are not arbitrary strings. Still, having an executable named 2c somewhere on your system that does something fatal is a bad idea.
Update: The risks are in fact bigger than I thought, due to the possibility to set the title of an xterm window and to send back the title using appropriate escape sequences (http://www.securityfocus.com/bid/6940/). In contrast to the example above, the title can be an almost arbitrary string.
This changes the terminal title in GNOME Terminal 3.6.1, unless overridden by something like PS1:
printf "\033]2;Script Kiddie was here\007"
Now open a new GNOME Terminal window to test the
printf "\033]2;Script Kiddie was here\007" > test.bin
cat test.bin
Yep, this also sets the terminal title.
There used to be a security issue with an escape code resulting in the title being printed to the command line, so you could effectively create a file, which when cat'ed would print (I’m not sure if you could put a newline in there) arbitrary commands. Ouch!
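
As an added example (not part of any of the answers above): a small Python check that can be run over untrusted bytes before they are written to a terminal. It flags the two kinds of sequence discussed here, title-setting OSC sequences and CSI sequences that make the terminal send a reply, and renders the data in caret notation so nothing is interpreted. The names `scan`, `neutralize` and `SAMPLE` are hypothetical, and the sample bytes are constructed from the printf and \e[0c examples above.

```python
import re

# OSC = ESC ] Ps ; text, terminated by BEL or by ST (ESC \).
OSC = re.compile(rb"\x1b\](\d+);([^\x07\x1b]*)(?:\x07|\x1b\\)")
# CSI = ESC [ parameter bytes, intermediate bytes, then one final byte.
CSI = re.compile(rb"\x1b\[([0-9:;<=>?]*)[ -/]*([@-~])")

# CSI final bytes that can make the terminal write a reply into its input:
# c = device attributes, n = status report, t = xterm window operations
# (some of which report window state).
REPLY_FINALS = {b"c": "device attributes query",
                b"n": "device status report",
                b"t": "window operation/report"}

def scan(data: bytes):
    """Return sorted (offset, description) findings for risky sequences."""
    findings = []
    for m in OSC.finditer(data):
        if m.group(1) in (b"0", b"1", b"2"):   # icon name and/or window title
            title = m.group(2).decode("latin-1")
            findings.append((m.start(), f"sets window/icon title to {title!r}"))
    for m in CSI.finditer(data):
        kind = REPLY_FINALS.get(m.group(2))
        if kind:
            findings.append((m.start(), f"{kind} (terminal replies on stdin)"))
    return sorted(findings)

def neutralize(data: bytes) -> str:
    """Show control bytes in caret notation (like cat -v); keep tab/newline."""
    out = []
    for b in data:
        if b in (0x09, 0x0A) or 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))    # ESC -> ^[, BEL -> ^G
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append(f"\\x{b:02x}")          # bytes >= 0x80, incl. 8-bit C1
    return "".join(out)

# Constructed sample: title-setting bytes plus a device attributes query.
SAMPLE = b"hello\n\x1b]2;Script Kiddie was here\x07\x1b[0cbye\n"

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"offset {offset}: {what}")
    print(neutralize(SAMPLE), end="")
```

Plain colour sequences such as ESC [ 31 m are not flagged, since they neither set the title nor trigger a reply.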