Bugtraq mailing list archives
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sun, 4 Jul 1999 00:55:09 +0200
On Tue, 17 Aug 1999, Bill Nottingham wrote:
A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root. Thanks go to Kevin Vajk and the Linux Security Audit team for noting and providing a fix for this vulnerability.
So, here I am. Well, as this vunerability become well-known, I have nothing to loose, enjoy: most of terminfo-based programs will accept TERM variable set to eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap file', set TERM, then execute vunerable program w/terminfo support. In fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many other recent distributions based on terminfo entries/, is vunerable... And TERM variable can be passed using telnet ENVIRON option during protocol negotiation before login procedure... Guess what?;) Almost remote root (well, all you have to do locally is puting /tmp/x). _______________________________________________________________________ Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
Current thread:
- Internet Auditing Project Elias Levy (Aug 13)
- Re: Internet Auditing Project Jerry Carlin (Aug 13)
- Re: Internet Auditing Project CyberPsychotic (Aug 16)
- Re: Internet Auditing Project Viljo Hakala (Aug 17)
- Stupid bug in W3-msql gregory duchemin (Aug 17)
- Re: Stupid bug in W3-msql David J. Hughes (Aug 19)
- Httpd Logging Methods v0rt (Aug 23)
- <Possible follow-ups>
- Re: Internet Auditing Project David Luyer (Aug 15)
- Re: Internet Auditing Project Peter J. Holzer (Aug 17)
- [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
- Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
- Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
- IE 5.0 allows executing programs Georgi Guninski (Aug 21)
- Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
- Re: Internet Auditing Project Jerry Carlin (Aug 13)