Bugtraq mailing list archives

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sun, 4 Jul 1999 03:19:38 +0200


On Sun, 4 Jul 1999, Michal Zalewski wrote:

[...] most of terminfo-based programs will accept TERM variable set to
eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute vunerable program w/terminfo support. In
fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
other recent distributions based on terminfo entries/, is vunerable...


Oh, haven't said, for clearance... I'm talking about terminfo support and
tgetent() function implemented in libncurses, which is buggy as well,
while ncurses allows '../' tricks.

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]

Current thread:

Re: Internet Auditing Project, (continued)
- Re: Internet Auditing Project Jerry Carlin (Aug 13)
  - Re: Internet Auditing Project CyberPsychotic (Aug 16)
  - Re: Internet Auditing Project Viljo Hakala (Aug 17)
  - Stupid bug in W3-msql gregory duchemin (Aug 17)
    - Re: Stupid bug in W3-msql David J. Hughes (Aug 19)
    - Httpd Logging Methods v0rt (Aug 23)
- Re: Internet Auditing Project David Luyer (Aug 15)
  - Re: Internet Auditing Project Peter J. Holzer (Aug 17)
  - [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
    - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)

(Thread continues...)