Bugtraq mailing list archives
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
From: aaron () CS DAL CA (Aaron Campbell)
Date: Thu, 19 Aug 1999 13:55:26 -0300
On Sun, 4 Jul 1999, Michal Zalewski wrote:
> Well, as this vulnerability became well-known, I have nothing to lose, enjoy:
> most terminfo-based programs will accept a TERM variable set to e.g.
> '../../../tmp/x'. All we have to do is to provide 'our own termcap file',
> set TERM, then execute a vulnerable program w/terminfo support. In fact,
> in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many other
> recent distributions based on terminfo entries/, is vulnerable... And
That's nothing new, I pointed that out on Bugtraq nearly 2 years ago in November 1997. In fact, that's the same example I used (../../../tmp/x). On my test system at the time (Slackware), longer pathnames would be chopped off at the end.

In general, I consider it dangerous for a program running with elevated privileges to trust a user-supplied terminfo/termcap file. Last year I found a buffer overflow in ncurses and OpenBSD was changed to not trust user-supplied term files when the invoked program is setuid/setgid. A reasonable precaution; too much could go wrong otherwise. I also discovered a divide-by-zero bug (again, tickled only by a malformed terminfo file), which isn't as serious, but could be used to crash some programs, etc. This was also reported and fixed.

-- 
Aaron Campbell <aaron () cs dal ca> - [ http://www.biodome.org/~fx ]
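The two messages above describe the same weakness from both sides: a TERM value such as '../../../tmp/x' is spliced into a database path, so the lookup walks out of the system terminfo tree, and a set-id program then parses whatever file the caller planted. The following is an added illustration written for this archive page, not code from the thread, from libtermcap, or from OpenBSD. It assumes the usual ncurses-style layout `<dir>/<first character>/<TERM>` and a system database at `/usr/share/terminfo`; the `privileged` flag stands in for whatever check a real program would use (issetugid() on the BSDs, or comparing getuid()/geteuid() elsewhere). It shows the naive path construction, a lexical check that proves the example value escapes the database directory, a TERM name validator that rejects it, and the set-id policy Aaron describes (ignore the user-supplied database location entirely when running with elevated privileges).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SYSTEM_TERMINFO "/usr/share/terminfo"  /* assumed system database location */
#define TERM_NAME_MAX 64                       /* assumed sane upper bound on a TERM name */

/* Build the file name a naive terminfo lookup derives from TERM:
 * <dir>/<first character of TERM>/<TERM>.  Nothing here stops TERM from
 * containing '/' or "..", which is exactly the problem discussed above. */
int naive_terminfo_path(const char *dir, const char *term, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%c/%s", dir, term[0], term);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Lexically collapse "." and ".." components of an absolute path.  No file
 * system access, so it works offline and on paths that do not exist. */
int lexical_normalize(const char *in, char *out, size_t outlen)
{
    if (in[0] != '/' || outlen < 2) return -1;
    size_t olen = 0;
    out[0] = '\0';
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;               /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (olen > 0 && out[olen - 1] != '/') olen--;  /* pop last component */
            if (olen > 0) olen--;                             /* and its '/' */
            out[olen] = '\0';
            continue;
        }
        if (olen + 1 + clen + 1 > outlen) return -1;
        out[olen++] = '/';
        memcpy(out + olen, start, clen);
        olen += clen;
        out[olen] = '\0';
    }
    if (olen == 0) { out[0] = '/'; out[1] = '\0'; }
    return 0;
}

/* 1 if 'path' lexically resolves outside 'dir', 0 if it stays inside, -1 on error. */
int path_escapes_dir(const char *dir, const char *path)
{
    char ndir[512], npath[512];
    if (lexical_normalize(dir, ndir, sizeof ndir) < 0 ||
        lexical_normalize(path, npath, sizeof npath) < 0)
        return -1;
    size_t dl = strlen(ndir);
    if (strncmp(npath, ndir, dl) != 0) return 1;
    return (npath[dl] == '/' || npath[dl] == '\0') ? 0 : 1;
}

/* Accept only names that can appear in a real database: non-empty, bounded,
 * built from [A-Za-z0-9._+-], and never starting with '.'.  Rejecting '/'
 * and a leading '.' is what blocks '../../../tmp/x' before any path is built. */
int term_name_is_safe(const char *term)
{
    if (term == NULL || *term == '\0' || *term == '.') return 0;
    size_t len = 0;
    for (const char *p = term; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '+' || c == '-')) return 0;
        if (++len > TERM_NAME_MAX) return 0;
    }
    return 1;
}

/* Database directory policy as described in the reply above: a set-id process
 * ignores a user-supplied TERMINFO location and uses the system database only. */
const char *choose_terminfo_dir(int privileged, const char *env_terminfo)
{
    if (privileged || env_terminfo == NULL || env_terminfo[0] != '/')
        return SYSTEM_TERMINFO;
    return env_terminfo;
}

int main(void)
{
    char path[512];
    const char *attack = "../../../tmp/x";   /* the value quoted in the thread */
    naive_terminfo_path(SYSTEM_TERMINFO, attack, path, sizeof path);
    printf("naive path for TERM=%s: %s (escapes database dir: %d)\n",
           attack, path, path_escapes_dir(SYSTEM_TERMINFO, path));
    printf("term_name_is_safe(\"%s\") = %d\n", attack, term_name_is_safe(attack));
    printf("term_name_is_safe(\"xterm-256color\") = %d\n", term_name_is_safe("xterm-256color"));
    printf("set-id process with TERMINFO=/tmp/evil reads from: %s\n",
           choose_terminfo_dir(1, "/tmp/evil"));
    return 0;
}
```

Validating the name and fixing the directory are complementary: the name check keeps the lookup inside the tree, and the privileged-process policy keeps an attacker from simply pointing the whole tree at a writable location. Neither replaces bounds-checking in the entry parser itself, which is what the RHSA-1999:028 overflow in tgetent() was about.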