Bugtraq mailing list archives

Re: in.telnetd bug (linux)


From: aaron () ug cs dal ca (Aaron Campbell)
Date: Thu, 27 Nov 1997 17:22:51 -0400


This post made me a little curious so I did some investigating.

I tried setting my TERM variable: export TERM="../../../home/fx/mytermfile"

(I needed to move three parent directories backward to the root directory
since on my Slackware box the database is located in /usr/lib/terminfo.)

[16:24:42] aaron@ug:~$ export TERM="../../../home/fx/mytermfile"
[16:24:53] aaron@ug:~$ telnet XXX.XXX.XXX.XXX
Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.
Connection closed by foreign host.
[16:25:21] aaron@ug:~$

Examination of the /core file dumped by in.telnetd (strings core) revealed
this line:

/usr/lib/terminfo/./../../../home/

It was cut off. Notice there is apparently enough room for ../../../tmp/x
though.

cp /usr/lib/terminfo/v/vt100 /tmp/x

Set our TERM variable again: export TERM="../../../tmp/x"

Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.

Linux 2.0.32.

login:

It worked. This also works:

cp /usr/lib/terminfo/v/vt100 /home/fx/vt100
ln -s /home/fx/vt100 /tmp/x

...and using the same TERM variable, in.telnetd will acknowledge the
copied /home/fx/vt100 terminfo file.

So the question is, how dangerous could a user-supplied terminfo file be?

  .  _  _  _ _ . .   _ _ .  . _  _  _ . .
 :  |-||-||<|_||\|  |_|-||\/||-'|->|_-|_|_  Dalhousie University, Halifax, NS
  `----------------------------------------------[fx!aaron () ug cs dal ca]-----
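A defensive counterpart to the question the post ends on, added here and not part of the original message: a TERM-to-terminfo lookup that rejects both traversal values shown above and also refuses a symlink planted under the database that resolves outside it. The /usr/lib/terminfo location is the post's; the 64-character cap and the throwaway tree that demo() builds are assumptions.

```python
import os
import shutil
import tempfile

TERMINFO_ROOT = "/usr/lib/terminfo"  # database location named in the post
MAX_TERM_LEN = 64                    # assumed cap on a terminal name

def safe_terminfo_path(term, root=TERMINFO_ROOT):
    """Map TERM to a terminfo entry under root, or return None if unsafe."""
    # A terminal name is one path component: the character whitelist rejects
    # "/" (so "../../../tmp/x" never reaches the filesystem) and a leading "."
    # rejects "..".
    if not term or len(term) > MAX_TERM_LEN or term[0] == ".":
        return None
    if not all(c.isalnum() or c in "-+_." for c in term):
        return None
    candidate = os.path.join(root, term[0], term)
    # Follow symlinks and confirm the entry still lives inside the database,
    # so a link planted under root that points elsewhere is refused too.
    real_root = os.path.realpath(root)
    real = os.path.realpath(candidate)
    if os.path.commonpath([real_root, real]) != real_root:
        return None
    return real

def demo():
    """Exercise the check against a constructed throwaway terminfo tree."""
    base = tempfile.mkdtemp()
    try:
        root, outside = os.path.join(base, "terminfo"), os.path.join(base, "home", "fx")
        for d in (os.path.join(root, "v"), os.path.join(root, "x"), outside):
            os.makedirs(d)
        good = os.path.join(root, "v", "vt100")
        with open(good, "wb") as f:
            f.write(b"constructed stand-in for a compiled vt100 entry")
        shutil.copy(good, os.path.join(outside, "vt100"))  # the post's copied entry
        os.symlink(os.path.join(outside, "vt100"), os.path.join(root, "x", "x"))  # link escaping root
        return {
            "vt100_ok": safe_terminfo_path("vt100", root) == os.path.realpath(good),
            "traversal": safe_terminfo_path("../../../tmp/x", root),
            "home_traversal": safe_terminfo_path("../../../home/fx/mytermfile", root),
            "symlink_escape": safe_terminfo_path("x", root),
        }
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print(demo())
```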
