Bugtraq mailing list archives

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: joey () FINLANDIA INFODROM NORTH DE (Martin Schulze)
Date: Thu, 19 Aug 1999 16:23:31 +0200


Michal Zalewski wrote:

Well, as this vunerability become well-known, I have nothing to loose,
enjoy: most of terminfo-based programs will accept TERM variable set to
eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute vunerable program w/terminfo support. In
fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
other recent distributions based on terminfo entries/, is vunerable... And
TERM variable can be passed using telnet ENVIRON option during protocol
negotiation before login procedure... Guess what?;) Almost remote root
(well, all you have to do locally is puting /tmp/x).


Are you referring to terminfo or termcap?  They are designed differently,
refer to different files and use different code.

Regards,

        Joey

--
GNU does not eliminate all the world's problems, only some of them.
                                                -- The GNU Manifesto

Current thread:

Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent(), (continued)
- - - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
    - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
    - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Aaron Campbell (Aug 19)
    - Microsoft Security Bulletin (MS99-030) Aleph One (Aug 20)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Alan Cox (Aug 22)
    - libtermcap exploit fix ... smashcap.c Hudin Lucian (Aug 22)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Pavel Kankovsky (Aug 26)
    - OCE' 9400 plotters Larry W. Cashdollar (Aug 19)
    - Re: OCE' 9400 plotters Patrick Cantwell (Aug 23)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 18)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)

(Thread continues...)