Bugtraq mailing list archives
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Sun, 22 Aug 1999 12:51:04 +0100
> [blah blah]
> November 1997. In fact, that's the same example I used (../../../tmp/x). On my test system at the time (Slackware), longer pathnames would be chopped off at the end. In general, I consider it dangerous for a program running with elevated privileges to trust a user-supplied terminfo/termcap file. Last year I found a buffer overflow in ncurses and OpenBSD was changed to not trust user-supplied term files when the invoked program is setuid/setgid. A reasonable precaution; too much could go wrong otherwise.
If that is the only check it is using then OpenBSD may well also be vulnerable, at least to part 2 of the bug, if they use termcap/terminfo with their telnetd. Linux opens termcap and other files as the real, not effective, uid. For many of these files ignoring them isn't an option. Users get peeved when they discover suid programs run in a US time zone, with English texts and fonts.

The problem with telnetd is that you can pass a terminal name that indicates 'use a local file'. Now the ncurses library then goes 'ok, leading slash, all well and good, I'm not suid, uid==euid, let's open it as root and read a few bytes'. You can't do much with it - you can rewind the machine's tape drive, for example, however. Also if your termcap parser has bugs you can hit those.

It is a very nice example of why saying "let's ignore XYZ variable" is not security but a quick fix for emergencies. If you don't fix the code it will get you..

Alan
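The trust decision Alan describes, written out as a small policy function. This is an added example, not code from ncurses, libtermcap or any poster; the allow-list of directories and the function names are assumptions. It shows why a bare uid==euid test is not enough: a root daemon such as telnetd passes that test and still serves an unauthenticated peer, so the path itself has to be constrained when running privileged.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Directories from which a privileged process may read terminal
 * descriptions. Hypothetical allow-list chosen for this example. */
static const char *const trusted_dirs[] = { "/usr/share/terminfo/", "/etc/", NULL };

/* Return 1 if the path contains a ".." component (e.g. ../../../tmp/x). */
static int has_dotdot(const char *path) {
    const char *p = path;
    while ((p = strstr(p, "..")) != NULL) {
        int at_start = (p == path || p[-1] == '/');
        int at_end = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end) return 1;
        p += 2;
    }
    return 0;
}

/* Decide whether a caller-supplied terminal description path (a TERM
 * value with a leading slash, or a TERMCAP/TERMINFO setting) may be
 * opened. Credentials are passed in explicitly so the policy can be
 * exercised without actually running setuid. */
int term_path_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid, const char *path) {
    /* setuid/setgid program: never honour caller-controlled file names. */
    if (uid != euid || gid != egid) return 0;
    /* uid == euid but running as root (the telnetd case): only read
     * absolute paths inside the allow-list, with no ".." traversal. */
    if (euid == 0) {
        if (path[0] != '/' || has_dotdot(path)) return 0;
        for (size_t i = 0; trusted_dirs[i] != NULL; i++)
            if (strncmp(path, trusted_dirs[i], strlen(trusted_dirs[i])) == 0) return 1;
        return 0;
    }
    /* Unprivileged and not setuid: the user can only affect themselves. */
    return 1;
}

/* Convenience wrapper using the calling process's own credentials. */
int term_path_allowed_here(const char *path) {
    return term_path_allowed(getuid(), geteuid(), getgid(), getegid(), path);
}
```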