Bugtraq mailing list archives
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Thu, 26 Aug 1999 22:52:19 +0200
On Sun, 22 Aug 1999, Alan Cox wrote:
> The problem with telnetd is that you can pass a terminal name that indicates 'use a local file'. Now the ncurses library then goes 'ok leading slash all well and good', I'm not suid, uid==euid, let's open it as root and read a few bytes. You can't do much with it - you can rewind the machine's tape drive for example however. Also if your termcap parser has bugs you can hit those.
In other words, the library gets no reliable information about the trustworthiness of the data it works with (terminal name in this particular case). Therefore it cannot reliably restrict its functionality to a smaller and safer set.
> It is a very nice example of why saying "let's ignore XYZ variable" is not security but a quick fix for emergencies. If you don't fix the code it will get you...
But it is also a quite effective preventive measure (to paraphrase one saying: good programmers write code without bugs, great programmers write code resistant to bugs) and a strong incentive to reduce the amount of set-id code (I am afraid this itself is a very good reason to introduce as many limitations as possible).

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
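The thread's point is that a root daemon with uid == euid (telnetd here) gets no protection from the terminfo library's set-id heuristics, so the daemon has to vet the client-supplied terminal name itself before exporting it. The following is an added example of such a check, not code from the thread or from any telnetd or ncurses release; the names term_name_is_safe and choose_term and the "dumb" fallback are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not from the thread or from any telnetd/ncurses source.
 * Terminfo entry names consist of letters, digits and a few punctuation
 * characters. Anything else, and in particular a '/', is rejected before
 * the value is placed in TERM, which removes the "leading slash means a
 * local file" path the library would otherwise follow as root.
 */
#define TERM_NAME_MAX 32

/* Returns true when `name` is a plausible terminal type: non-empty,
 * at most TERM_NAME_MAX bytes, and made only of [A-Za-z0-9-+._]. */
bool term_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    size_t len = strnlen(name, TERM_NAME_MAX + 1);
    if (len > TERM_NAME_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '+' || c == '.' || c == '_'))
            return false;
    }
    return true;
}

/* Writes the name the daemon should export into `out`: the requested one
 * if it passes, otherwise the conservative fallback "dumb". Returns true
 * only when the requested name was accepted. `out` must hold at least
 * TERM_NAME_MAX + 1 bytes. */
bool choose_term(const char *requested, char *out, size_t outlen)
{
    bool ok = term_name_is_safe(requested);
    const char *pick = ok ? requested : "dumb";
    if (strlen(pick) >= outlen)
        return false;
    strcpy(out, pick);
    return ok;
}
```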