Bugtraq mailing list archives
bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c
From: aleph1 () DFW NET (Aleph One)
Date: Sun, 16 Mar 1997 14:56:23 -0600
Path: news.reference.com!arclight.uoregon.edu!su-news-hub1.bbnplanet.com!cam-n ews-hub1.bbnplanet.com!news.bbnplanet.com!news.maxwell.syr.edu!newsfeed.nacamar .de!news.space.net!news.camelot.de!gateway From: kivinen () ssh fi Newsgroups: muc.lists.freebsd.bugs Subject: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c Date: 14 Mar 1997 04:08:32 +0100 Organization: Mail2News Gateway at Camelot Online Services Lines: 86 Sender: news () camelot de Approved: news () camelot de Message-ID: <199703140243.EAA27893 () taulu ssh fi> Reply-To: kivinen () ssh fi NNTP-Posting-Host: lancelot.camelot.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Xref: news.reference.com muc.lists.freebsd.bugs:967
Number: 2983 Category: bin Synopsis: Security bug (buffer overflow) in lib/libterm/tgoto.c Confidential: no Severity: serious Priority: high Responsible: freebsd-bugs State: open Class: sw-bug Submitter-Id: current-users Arrival-Date: Thu Mar 13 18:50:01 PST 1997 Last-Modified: Originator: Tero Kivinen Organization:
SSH Communications Security
Release: NetBSD 1.2, FreeBSD 2.1-STABLE Environment:
System: NetBSD taulu.ssh.fi 1.2 NetBSD 1.2 (TAULU) #50: Mon Feb 24 21:40:52 EET 1997 kivinen () taulu ssh fi:/usr/src/sys/arch/i386/compile/TAULU i386 System: FreeBSD pilari.ssh.fi 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #1: Thu Oct 3 1 23:58:19 EET 1996 root () lamppu ssh fi:/usr/src/sys/compile/SSHGEN i386
Description:
The termcap libraries tgoto function has buffer overflow bug that can be used to overwrite data in BSS segment. The tgoto have function have static char result[MAXRETURNSIZE] (64 characters) buffer that is used to return cursor addressing string from tgoto function. If the CM-cabability have more than 64 characters in it the tgoto function will overwrite something in the bss segment after result-variable. There are no checks about the length of cm string nor checks if the resulting string is longer than MAXRETURNSIZE characters. For example suid root system utility "systat" is vulnerable to this bug. No known exploits of this exists yet, but someone might find such. Also lots of systems have other suid root/kmem etc program installed that are vulnerable to this bug. For example top and monitor are such programs. Easiest way to demonstrate this is to change TERMCAP environment variable and add some about 80 characters to cm-capablitie and then start anything that uses curses or termcap directly (initscr in curses library will call setterm that will call tgoto to test if we can move cursor around...). The fix in netbsd current that changes the strcpy at the end of tgoto-function to strncpy isn't sufficient, because the dp pointer might already be way over the length of result buffer thus "sizeof(result) - (dp - result) - 1" results to negative value. Notice that fix in netbsd-current also may return non null terminated string, thus causing unexptected behavior later.
How-To-Repeat:
~> TERMCAP='xterm|vs100|xterm terminal emulator (X11R6 Window System): :am:km:mi:ms:xn:xo: :co#80:it#8:li#25: :AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@: :LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:ae=^O:al=\E[L:as=^N: :bl=^G:cd=\E[J:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dHsakdjaskjdaslkjdlaksj dlkjdslkjdakljdakljdlalkjasdlkjasdlkjasdlkaslkdaslkjdlksjadkljasdjklasdjklasdlk jaskld: :cr=^M:cs=\E[%i%d;%dr:ct=\E[3k:dc=\E[P:dl=\E[M:do=^J: :ei=\E[4l:ho=\E[H:ic=\E[@:im=\E[4h: :is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;3;4;6l\E[4l: :k1=\E[11~:k2=\E[12~:k3=\E[13~:k4=\E[14~:k5=\E[15~: :k6=\E[17~:k7=\E[18~:k8=\E[19~:k9=\E[20~:kI=\E[2~: :kN=\E[6~:kP=\E[5~:kb=^H:kd=\EOB:ke=\E[?1l\E>: :kh=\E[@:kl=\EOD:kr=\EOC:ks=\E[?1h\E=:ku=\EOA:le=^H: :md=\E[1m:me=\E[m:mr=\E[7m:nd=\E[C:rc=\E8:sc=\E7: :se=\E[m:sf=^J:so=\E[7m:sr=\EM:ta=^I: :ue=\E[m:up=\E[A: :us=\E[4m:' ~> export TERMCAP ~> systat zsh: 27863 bus error systat ~>
Fix:
Add check that result buffer isn't overflown. -- kivinen () iki fi Work : +358-9-4354 3205 Magnus Enckellin kuja 9 K 19, 02610, Espoo Home : +358-9-502 1573
Audit-Trail: Unformatted:
Current thread:
- Re: Internet Explorer Bug #4 Dominique Brezinski (Mar 14)
- Re: Internet Explorer Bug #4 Paul (Mar 16)
- bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c Aleph One (Mar 16)
- Re: Internet Explorer Bug #4 Aaron Spangler (Mar 18)
- <Possible follow-ups>
- Re: Internet Explorer Bug #4 Alain Thivillon (Mar 15)
- Re: Internet Explorer Bug #4 Steve Birnbaum (Mar 15)
- Re: Internet Explorer Bug #4 Rubens Kuhl Jr. (Mar 15)
- Re: Internet Explorer Bug #4 Rubens Kuhl Jr. (Mar 15)