Bugtraq mailing list archives

Re: ncurses buffer overflows


From: "Harrington, Perry" <pedward () WEBCOM COM>
Date: Mon, 9 Oct 2000 17:22:34 -0700

This brings up an interesting piece of history.  When the whole LD_PRELOAD
haX0ring came about, people jumped on the wagon and fixed the ld library.

However, this same trick can be used by a SA to plug potential security
holes:

library: ncurses_fix.c

        /* LD_PRELOAD wrapper: call the real tparm(), refuse oversized results */
        #define _GNU_SOURCE
        #include <dlfcn.h>
        #include <stdarg.h>
        #include <stdlib.h>
        #include <string.h>
        #include <syslog.h>

        #define OPT_SIZE 512    /* size of use[] in ncurses' onscreen_mvcur() */
        typedef char *(*tparm_fn)(const char *, long, long, long, long, long, long, long, long, long); /* real tparm(): format string plus up to nine longs */

        char *tparm(const char *str, ...)
        {
                tparm_fn __tparm = (tparm_fn) dlsym(RTLD_NEXT, "tparm");
                long    p[9];   char *buffer;
                va_list ap;     int i;
                va_start(ap, str);
                for (i = 0; i < 9; i++)
                        p[i] = va_arg(ap, long);        /* forward the nine params ncurses declares */
                va_end(ap);
                buffer = __tparm(str, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7], p[8]);
                /* strcpy() writes the NUL too, so OPT_SIZE characters already overflow */
                if (buffer && strlen(buffer) >= OPT_SIZE) {
                        /* ack choke: log to syslog (alert the SA from there), exit proggie */
                        syslog(LOG_ALERT, "ncurses_fix: tparm() result too long, exiting");
                        exit(1);
                }
                return buffer;
        }

This is just a generic piece of code, but it can apply to any unchecked
parameter problem.

I would consider using this method on proprietary OSes that don't respond
quickly to potential threats.

So anyhow, compile into an SO (gcc -shared) and edit your preload file
in /etc.

--Perry

static inline int
onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
/* onscreen move from (yold, xold) to (ynew, xnew) */
{
    char        use[OPT_SIZE], *sp;


... a few lines later:

    sp = tparm(SP->_address_cursor, ynew, xnew);
    if (sp)
    {
        tactic = 0;
        (void) strcpy(use, sp);


OPT_SIZE seems to be defined as 512. tparm() can be made to return a

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\
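Added example, not code from the post or from ncurses: the boundary condition the wrapper has to get right. onscreen_mvcur() does strcpy(use, sp) into use[OPT_SIZE], so a tparm() result of exactly OPT_SIZE characters already overflows by its terminating NUL, and a check written as strlen(buffer) > OPT_SIZE lets that case through. The sample strings are constructed and are not real terminfo output.

```c
#include <stddef.h>
#include <string.h>

#define OPT_SIZE 512   /* size of use[] in ncurses' onscreen_mvcur() */

/* Would a tparm() result `sp` overflow use[OPT_SIZE] when strcpy()'d into it?
 * strcpy() writes strlen(sp) + 1 bytes, so a 512-character result already
 * overflows: a check of strlen(sp) > OPT_SIZE misses that case by one. */
int tparm_output_overflows(const char *sp)
{
    return sp != NULL && strlen(sp) + 1 > OPT_SIZE;
}

static char use[OPT_SIZE];     /* stands in for the local use[] in onscreen_mvcur() */

/* Hardened replacement for "(void) strcpy(use, sp);": copy only when the
 * whole string plus its NUL fits; otherwise leave use[] untouched and fail. */
int copy_into_use(const char *sp)
{
    size_t len;

    if (sp == NULL)
        return -1;
    len = strlen(sp);
    if (len + 1 > sizeof use)
        return -1;                 /* too long: refuse instead of overflowing */
    memcpy(use, sp, len + 1);      /* len + 1 copies the terminating NUL too */
    return 0;
}

/* Constructed test input (not a real terminfo string): `len` 'A's, len <= OPT_SIZE. */
const char *sample_of_len(size_t len)
{
    static char sample[OPT_SIZE + 1];

    if (len > OPT_SIZE)
        len = OPT_SIZE;
    memset(sample, 'A', len);
    sample[len] = '\0';
    return sample;
}
```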
