Bugtraq mailing list archives

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()


From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sun, 4 Jul 1999 00:55:09 +0200


On Tue, 17 Aug 1999, Bill Nottingham wrote:

> A buffer overflow existed in libtermcap's tgetent() function,
> which could cause the user to execute arbitrary code if they
> were able to supply their own termcap file.
>
> Under Red Hat Linux 5.2 and 4.2, this could lead to local users
> gaining root privileges, as xterm (as well as other possibly
> setuid programs) are linked against libtermcap. Under Red Hat
> Linux 6.0, xterm is not setuid root.
>
> Thanks go to Kevin Vajk and the Linux Security Audit team for
> noting and providing a fix for this vulnerability.

So, here I am.

Well, as this vulnerability has become well-known, I have nothing to lose,
enjoy: most terminfo-based programs will accept a TERM variable set to
e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute the vulnerable program w/terminfo support. In
fact, the in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
other recent distributions based on terminfo entries/, is vulnerable... And
the TERM variable can be passed using the telnet ENVIRON option during protocol
negotiation before the login procedure... Guess what?;) Almost remote root
(well, all you have to do locally is putting /tmp/x).

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
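The post's point is that a TERM value shaped like a relative path ('../../../tmp/x') reaches tgetent(), whether set locally or handed over via the telnet ENVIRON option. The validator below is an added example of a defender-side check before TERM is used, not code from the post, from libtermcap or from Red Hat's fix; the allowed character set and the length cap are assumptions of this example.

```c
/* Added example: validate a TERM value before a program hands it to
 * tgetent()/terminfo. The character policy and TERM_NAME_MAX are
 * assumptions of this example, not libtermcap's own rules. Ordinary
 * terminal names use letters, digits and the characters - _ + . only. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_NAME_MAX 64  /* assumed cap; real terminal names are shorter */

/* Returns 1 when term is a plain terminal name, 0 when it must be rejected:
 * NULL, empty, too long, starting with '.' or '-' (so "./x" and "../x"
 * never pass), containing a path separator, or containing any character
 * outside the allowed set. */
int term_is_safe(const char *term)
{
    size_t len, i;
    if (term == NULL) return 0;
    len = strlen(term);
    if (len == 0 || len > TERM_NAME_MAX) return 0;
    if (term[0] == '.' || term[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)term[i];
        if (c == '/' || c == '\\') return 0;   /* must not name a file elsewhere */
        if (!isalnum(c) && c != '-' && c != '_' && c != '+' && c != '.') return 0;
    }
    return 1;
}

/* Returns the TERM value to use: the environment's value when it passes
 * the check, otherwise the caller's conservative fallback (e.g. "dumb"). */
const char *safe_term_from_env(const char *fallback)
{
    const char *t = getenv("TERM");
    return (t != NULL && term_is_safe(t)) ? t : fallback;
}

int main(void)
{
    /* constructed samples: two ordinary names, the post's traversal value, and an empty value */
    const char *samples[] = { "xterm", "screen.xterm-256color", "../../../tmp/x", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], term_is_safe(samples[i]) ? "ok" : "rejected");
    printf("TERM to use: %s\n", safe_term_from_env("dumb"));
    return 0;
}
```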
