Bugtraq mailing list archives
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
From: tymm () COE MISSOURI EDU (Tymm Twillman)
Date: Thu, 19 Aug 1999 13:08:30 -0500
There was some discussion of this on the linux-security list. Redhat 6.0 has
in.telnetd linked with libncurses, *NOT* libtermcap:

$ ldd /usr/sbin/in.telnetd
	libncurses.so.4 => /usr/lib/libncurses.so.4 (0x40019000)
	libutil.so.1 => /lib/libutil.so.1 (0x40056000)
	libc.so.6 => /lib/libc.so.6 (0x40059000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

ncurses ignores the buffer parameter to tgetent() that is usable for exploits.

Note that this doesn't mean everything is safe; there are still exploitable
programs linked with libtermcap. But in.telnetd as delivered with RH6.0 is
fine in this respect.

-Tymm

On Sun, 4 Jul 1999, Michal Zalewski wrote:
> On Tue, 17 Aug 1999, Bill Nottingham wrote:
>
> > A buffer overflow existed in libtermcap's tgetent() function, which could
> > cause the user to execute arbitrary code if they were able to supply their
> > own termcap file. Under Red Hat Linux 5.2 and 4.2, this could lead to
> > local users gaining root privileges, as xterm (as well as other possibly
> > setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0,
> > xterm is not setuid root. Thanks go to Kevin Vajk and the Linux Security
> > Audit team for noting and providing a fix for this vulnerability.
>
> So, here I am. Well, as this vulnerability has become well-known, I have
> nothing to lose, enjoy: most terminfo-based programs will accept a TERM
> variable set to e.g. '../../../tmp/x'. All we have to do is to provide 'our
> own termcap file', set TERM, then execute a vulnerable program w/terminfo
> support. In fact, the in.telnetd daemon shipped e.g. with RH 6.0 /as well
> as with many other recent distributions based on terminfo entries/, is
> vulnerable... And the TERM variable can be passed using the telnet ENVIRON
> option during protocol negotiation before the login procedure... Guess
> what?;) Almost remote root (well, all you have to do locally is putting
> /tmp/x).
>
> _______________________________________________________________________
> Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
> [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
> [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
> To iterate is human, to recurse divine [P. Deutsch]
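Tymm's ldd check, turned into something an administrator can run across a whole box: a classifier for ldd output that says whether a binary pulls in libtermcap (whose tgetent() writes into the caller-supplied buffer, the vulnerable case) or libncurses (which ignores that buffer), plus a scan of all setuid/setgid binaries with it. This is an added example, not code from the thread or from Red Hat; it assumes the ldd output format shown in the message and the library names libtermcap.so / libncurses.so as on Red Hat 6.0. The function names and the default directory list are my own choices.

```shell
#!/bin/sh
# Added example: find setuid/setgid binaries linked against libtermcap.
# Assumes ldd prints dependencies as "libfoo.so.N => /path (0xADDR)".

# Read ldd-style output on stdin and print which terminal library is linked:
#   termcap  - libtermcap (tgetent() fills a caller-supplied buffer; the case
#              the RHSA-1999:028 advisory is about)
#   ncurses  - libncurses/libcurses (buffer parameter to tgetent() is ignored)
#   none     - neither
# If a binary somehow links both, it is reported as termcap, the worse case.
classify_term_lib() {
    # keep only the library name before "=>" on each line
    libs=$(awk '/=>/ { print $1 }')
    case "$libs" in
        *libtermcap.so*)                 echo termcap ;;
        *libncurses.so*|*libcurses.so*)  echo ncurses ;;
        *)                               echo none ;;
    esac
}

# Walk the given directories (default: the usual system binary directories),
# run ldd on every setuid/setgid file and print those classified as termcap.
# ldd is only run on root-owned system binaries here; never point it at
# untrusted files, since ldd may execute the binary it inspects.
scan_setuid_termcap() {
    dirs="${*:-/bin /sbin /usr/bin /usr/sbin}"
    # shellcheck disable=SC2086  # $dirs is intentionally word-split
    find $dirs -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r bin; do
        kind=$(ldd "$bin" 2>/dev/null | classify_term_lib)
        [ "$kind" = termcap ] && printf '%s\n' "$bin"
    done
}

# Usage: sh termcap-scan.sh scan [dir ...]
if [ "${1:-}" = scan ]; then
    shift
    scan_setuid_termcap "$@"
fi
```

Piping the ldd output from Tymm's message into classify_term_lib prints "ncurses", matching his conclusion about in.telnetd; a binary whose ldd output lists libtermcap.so.2 prints "termcap" and is what the scan flags. On a system where the advisory's libtermcap update has been applied the flagged binaries are no longer exploitable through tgetent(), but the list is still the set of programs worth re-checking after any libtermcap change.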