This post made me a little curious so I did some investigating. I tried setting my TERM variable:

    export TERM="../../../home/fx/mytermfile"

(I needed to move three parent directories backward to the root directory since on my Slackware box the database is located in /usr/lib/terminfo.)

    [16:24:42] aaron@ug:~$ export TERM="../../../home/fx/mytermfile"
    [16:24:53] aaron@ug:~$ telnet XXX.XXX.XXX.XXX
    Trying XXX.XXX.XXX.XXX...
    Connected to somehost.com.
    Escape character is '^]'.
    Connection closed by foreign host.
    [16:25:21] aaron@ug:~$

Examination of the /core file dumped by in.telnetd (strings core) revealed this line:

    /usr/lib/terminfo/./../../../home/

It was cut off. Notice there is apparently enough room for ../../../tmp/x though.

    cp /usr/lib/terminfo/v/vt100 /tmp/x

Set our TERM variable again:

    export TERM="../../../tmp/x"

    Trying XXX.XXX.XXX.XXX...
    Connected to somehost.com.
    Escape character is '^]'.

    Linux 2.0.32.
    login:

It worked. This also works:

    cp /usr/lib/terminfo/v/vt100 /home/fx/vt100
    ln -s /home/fx/vt100 /tmp/x

...and using the same TERM variable, in.telnetd will acknowledge the copied /home/fx/vt100 terminfo file.

So the question is, how dangerous could a user-supplied terminfo file be?

. _ _ _ _ . . _ _ . . _ _ _ . .
: |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ Dalhousie University, Halifax, NS
`----------------------------------------------[fx!aaronat_private]-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:33:54 PDT