Bugtraq mailing list archives

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()


From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Thu, 26 Aug 1999 22:52:19 +0200


On Sun, 22 Aug 1999, Alan Cox wrote:

> The problem with telnetd is that you can pass a terminal name that indicates
> 'use a local file'. Now the ncurses library then goes 'ok leading slash
> all well and good', I'm not suid uid==euid, let's open it as root and read a
> few bytes. You can't do much with it - you can rewind the machine's tape
> drive for example however. Also if your termcap parser has bugs you can
> hit those.

In other words, the library gets no reliable information about the
trustworthiness of the data it works with (terminal name in this
particular case). Therefore it cannot reliably restrict its
functionality to a smaller and safer set.

> It is a very nice example of why saying "let's ignore XYZ variable" is not
> security but a quick fix for emergencies. If you don't fix the code it
> will get you.

But it is also a quite effective preventive measure (to paraphrase one
saying: good programmers write code without bugs, great programmers write
code resistant to bugs) and a strong incentive to reduce the amount of
set-id code (I am afraid this itself is a very good reason to introduce as
many limitations as possible).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
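The point of the exchange above is that "uid == euid" is a property of the process, not of the data: a root daemon such as telnetd is not set-id, yet the terminal name it hands to the library came from an unauthenticated network peer. The following is an added illustration, not code from the thread or from ncurses/libtermcap: it models the weak decision described in the post as a hypothetical `weak_policy()` function and sets a `strict_policy()` beside it that never honours a path and accepts only a bounded, conservative terminal-name alphabet. The enum, function names and sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical model (not the real library code) of the decision the post
 * describes: a terminal name starting with '/' means "read this file", and
 * the only guard is "am I set-id?" (uid != euid). */
typedef enum { TERM_LOOKUP_DB, TERM_READ_FILE, TERM_REJECT } term_action;

term_action weak_policy(const char *term, uid_t uid, uid_t euid)
{
    if (term == NULL || term[0] == '\0')
        return TERM_REJECT;
    if (term[0] != '/')
        return TERM_LOOKUP_DB;          /* plain name: consult the database */
    /* Absolute path: honoured unless the process is set-id. A root daemon
     * has uid == euid == 0, so it passes this test even though the name
     * arrived over the network. The check says nothing about the data. */
    return (uid == euid) ? TERM_READ_FILE : TERM_REJECT;
}

/* Hardened policy: the library cannot know where the name came from, so it
 * never treats a name as a path and accepts only [A-Za-z0-9-+._] of bounded
 * length. Everything else is rejected before any file or parser is touched. */
int term_name_is_safe(const char *term)
{
    size_t i, n;
    if (term == NULL)
        return 0;
    n = strlen(term);
    if (n == 0 || n > 64)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!(isalnum(c) || c == '-' || c == '+' || c == '.' || c == '_'))
            return 0;
    }
    return 1;
}

term_action strict_policy(const char *term)
{
    return term_name_is_safe(term) ? TERM_LOOKUP_DB : TERM_REJECT;
}

int main(void)
{
    /* Constructed sample inputs: one ordinary name, one path-like name */
    const char *names[] = { "vt100", "/tmp/constructed.termcap" };
    size_t k;
    for (k = 0; k < 2; k++) {
        printf("%-28s weak(root daemon)=%d strict=%d\n", names[k],
               (int)weak_policy(names[k], 0, 0),
               (int)strict_policy(names[k]));
    }
    return 0;
}
```

Run as root-equivalent (uid 0, euid 0) the weak policy returns `TERM_READ_FILE` for the path-like name, while the strict policy rejects it and still accepts ordinary names such as `xterm-256color`. Restricting the accepted alphabet is exactly the kind of "limitation" the reply argues for: it removes the file-reading branch entirely rather than guessing at the caller's trust level.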

