Bugtraq mailing list archives

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: aaron () CS DAL CA (Aaron Campbell)
Date: Thu, 19 Aug 1999 13:55:26 -0300


On Sun, 4 Jul 1999, Michal Zalewski wrote:

Well, as this vunerability become well-known, I have nothing to loose,
enjoy: most of terminfo-based programs will accept TERM variable set to
eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute vunerable program w/terminfo support. In
fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
other recent distributions based on terminfo entries/, is vunerable... And


That's nothing new, I pointed that out on Bugtraq nearly 2 years ago in
November 1997. In fact, that's the same example I used (../../../tmp/x).
On my test system at the time (Slackware), longer pathnames would be
chopped off at the end.

In general, I consider it dangerous for a program running with elevated
privileges to trust a user-supplied terminfo/termcap file. Last year I
found a buffer overflow in ncurses and OpenBSD was changed to not trust
user-supplied term files when the invoked program is setuid/setgid. A
reasonable precaution; too much could go wrong otherwise.

I also discovered a divide-by-zero bug (again, tickled only by a malformed
terminfo file), which isn't as serious, but could be used to crash some
programs, etc. This was also reported and fixed...

  .
 :  Aaron Campbell <aaron () cs dal ca> - [ http://www.biodome.org/~fx ]
  `-------------------------------------------------------------------

Current thread:

Insecure use of file in /tmp by trn, (continued)
- - - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
    - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Aaron Campbell (Aug 19)
    - Microsoft Security Bulletin (MS99-030) Aleph One (Aug 20)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Alan Cox (Aug 22)
    - libtermcap exploit fix ... smashcap.c Hudin Lucian (Aug 22)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Pavel Kankovsky (Aug 26)
    - OCE' 9400 plotters Larry W. Cashdollar (Aug 19)
    - Re: OCE' 9400 plotters Patrick Cantwell (Aug 23)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 18)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
  - Security Bug in Oracle Elias Levy (Aug 17)

(Thread continues...)