Re: mc & Segmentation fault

[sw3wn () CSOFT NET (Sw3)]

shaman wrote:
> Some days ago i discovered something..If you export TERM with the name for
> example "buqtraq" and you will start Midnight Commander you will see
> something like this:
>
> localhost:~$ export TERM="bugtraq"
> localhost:~$ mc
> Unknown terminal: buqtraq
> Check the TERM environment variable.
> Also make sure that the terminal is defined in the terminfo database.
> Alternatively, set the TERMCAP environment variable to the desired
> termcap entry.
>
> But if the name of the TERM will include over 227 characters you will see
> something different:
> localhost:~$ export TERM="bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      "
> localhost:~$ mc
> Segmentation fault
> localhost:~$
>
> I don`t know if it is interesting and i haven`t try do exploiting it but
> maybe someone....
> I have tested it only on Slackware 3.5.


This is clearly a buffer overflow, but not a security compromise, since
it's
not remote exploitable nor suid anything.

I checked it out, it seems to be a stack overflow, ie. the program
counter is just next to it, quite common.  I contacted the authors about
it.

--
   Julien Nadeau      | sw3wn () csoft net
  Proof of concept    | "A complex solution to a simple problem"
http://poc.csoft.net  | [http://www.csoft.net/~sw3wn]