Bugtraq mailing list archives
Re: ncurses buffer overflows
From: "Harrington, Perry" <pedward () WEBCOM COM>
Date: Mon, 9 Oct 2000 17:22:34 -0700
This brings up an interesting piece of history. When the whole LD_PRELOAD haX0ring came about, people jumped on the wagon and fixed the ld library. However, this same trick can be used by an SA to plug potential security holes:

library: ncurses_fix.c

tparm(....)
{
        char *buffer;

        buffer = __tparm(....);
        if (strlen(buffer) >= OPT_SIZE) {
                /* ack choke, exit proggie and log to syslog, email SA */
        }
        return buffer;
}

This is just a generic piece of code, but it can apply to any unchecked parameter problem. I would consider using this method on proprietary OSes that don't respond quickly to potential threats.

So anyhow, compile into an SO (gcc -shared) and edit your preload file in /etc.

--Perry
static inline int
onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
/* onscreen move from (yold, xold) to (ynew, xnew) */
{
    char use[OPT_SIZE], *sp;
    ...

a few lines later:

        sp = tparm(SP->_address_cursor, ynew, xnew);
        if (sp)
        {
            tactic = 0;
            (void) strcpy(use, sp);

OPT_SIZE seems to be defined as 512. tparm() can be made return a
-- Perry Harrington Director of zelur xuniL () perry () webcom com System Architecture Think Blue. /\
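The wrapper idea from the message above, written out as an added example (not code from the original post or from ncurses): an LD_PRELOAD shim that finds the real tparm() with dlsym(RTLD_NEXT, ...) on a glibc-style dynamic linker. The file name, the helper fits_in_buffer(), the BUILD_PRELOAD switch and the nine-long argument forwarding are assumptions; the shim rejects a result of OPT_SIZE bytes or more because strcpy() also writes the terminating NUL.

```c
/* tparm_guard.c: added example, not from the original post.
 * Build: gcc -shared -fPIC -DBUILD_PRELOAD -o tparm_guard.so tparm_guard.c -ldl
 * Use:   LD_PRELOAD=./tparm_guard.so prog  (or list it in /etc/ld.so.preload) */
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>

#define OPT_SIZE 512   /* size of use[] in onscreen_mvcur(), per the post */

/* Return 1 if s can be strcpy()'d into a buffer of bufsize bytes, else 0.
 * A string of exactly bufsize characters is one byte too long (the NUL).
 * memchr() bounds the scan, so an unterminated result is never walked. */
int fits_in_buffer(const char *s, size_t bufsize)
{
    if (s == NULL)
        return 1;               /* the caller already tests for NULL */
    return bufsize > 0 && memchr(s, '\0', bufsize) != NULL;
}

#ifdef BUILD_PRELOAD            /* compiled only into the shared object */
#include <dlfcn.h>
#include <stdarg.h>
#include <stdlib.h>
#include <syslog.h>

/* Interposed tparm(): forward to the real one, then vet what it returns. */
char *tparm(const char *cap, ...)
{
    static char *(*real_tparm)(const char *, ...);
    long p[9];
    va_list ap;
    char *out;

    if (!real_tparm)
        real_tparm = (char *(*)(const char *, ...))dlsym(RTLD_NEXT, "tparm");
    if (!real_tparm)
        abort();                /* no underlying tparm() to forward to */
    /* Assumption: at most nine long-sized parameters, as in X/Open curses. */
    va_start(ap, cap);
    for (int i = 0; i < 9; i++)
        p[i] = va_arg(ap, long);
    va_end(ap);
    out = real_tparm(cap, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7], p[8]);
    if (!fits_in_buffer(out, OPT_SIZE)) {
        syslog(LOG_ALERT, "tparm() result is %d bytes or more, aborting", OPT_SIZE);
        abort();                /* stop before the caller's strcpy() runs */
    }
    return out;
}
#endif
```

The dynamic linker ignores LD_PRELOAD for set-uid programs in most configurations, which is why the message points at the system-wide preload file instead.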
Current thread:
- ncurses buffer overflows Jouko Pynnönen (Oct 09)
- Re: ncurses buffer overflows Harrington, Perry (Oct 10)
- Re: ncurses buffer overflows Brett Lymn (Oct 10)